I've never used OpenERP and I'm interested in its multi-tenant capabilities.
As I understand it, OpenERP has three application tiers: the database, the application server, and the web server.
If I want to create a working configuration for multiple, independent companies, that however share the core business logic and modules - What would the typical setup look like?
From my research, it seems that a single application server can serve multiple databases.
I guess my initial question is, what part of OpenERP and its components is stored in the database, what part in the application server, and what part in the web server? For instance, where exactly is an uploaded document stored? For instance, if I serve multiple databases with one application server, is access to uploaded documents really restricted based on the database in use?
On top of that, if I use a single application server, can I also only use one web server / client to serve the different databases? There seems to be a dbfilter command that allows to map a hostname to a database. Would it be possible to forward requests with a proxy and is there a way for the web client to differentiate the individual tenants?
And when is it recommended to run multiple application servers instead of one?
Edit: I've just realized that starting with 6.1, OpenERP application server comes with an embedded WSGI server
I would recommend you the following setup:
- To secure each company's processes, a distinct system user for each.
- A single shared Postgres database server, with a distinct database role for each company. This way each company won't be able to see others databases. 3, A dedicated OpenERP copy for each company, accessible only by the corresponding system user. Each will run it's own server process on a distinct port (ex: 8070, 8071, 8072, etc.)
- An upfront webserver, such as Nginx or Apache, acting as a reverse proxy, in order to: provide SSL, map domain names like
localhost:port, and could also provide a static data cache and load balancing.
Having distinct Postgres roles for each companies solves the dbfilter issue: each role doesn't even know the the other companies exist. And if you choose for a company to have only the Production database, the database dropdown won't even show, making it simpler for the end user.
At #3, you might think it's a little too much to keep an OpenERP per company, and that it can bring unnecessary extra work every time you want to apply product updates. But:
- from a security perspective, it's easy to see that it's preferable for each company to have access to it's dedicated copy.
- From a product maintenance perspective, it also ends up as a better choice: yes it will bring some extra work to update all instances, but you have a choice to do it gradually (and start with less complex companies), or to selectively apply fixes only in the instances that really need it.
By now running three independent server processes is unavoidable, since each one needs to run under a different system user and database role. And that's a good thing: if for some reason one company's process is killed, there's a good chance the others will be unaffected.
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 10/29/13, 8:14 AM|
|Seen: 4030 times|
|Last updated: 2/22/16, 9:03 AM|