Options for uploading documents to Azure per user and keeping them private

Question

We're creating a multi-tenant application in azure that must segregate data between users/tenants.

Each tenant will upload/save various documents (mostly excel and csv files) and then have the ability to use/retrieve these in the application as input files for a range of calculations..

I imagine a structure like this:

+ users/
|-+ {uid}/
| | — profile_picture.jpg
| |-+ input_data/
| | | — {input_data_id}.xlsx

In Cloud Storage using Firebase security rules we can protect who can perform what operations on objects stored in different paths with a rule like the following.

rules_version = "2";
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/input_data/{input_data_id} {
      allow get: if request.auth.uid == userId ||
      allow list, write: if request.auth.uid == userId;
    }
  }
}

Is there an equivalent resource in azure that can do something like firestore;

Match on rules
Write objects based on UID.
List objects based on UID.
Allow objects to be downloaded based on UID.

I found a question/answer back in 2015 with a similar problem and was wondering weather the answer is still relevant or if there is now a better option

Most effective way to manage multiple tenant storage in Azure?

Where are these users stored? Are you using Azure AD or some custom database? — Gaurav Mantri, Oct 10 '19 at 05:19
We are leaning towards using Azure AD rather than custom, we have an existing custom database but don't want to use this in the new system — Glenn Sampson, Oct 10 '19 at 05:39
Is something like this workable? I’m really not sure https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad — Glenn Sampson, Oct 10 '19 at 08:05

score 0 · Answer 1 · answered Oct 22 '19 at 08:35

The article you found still applies. In Azure, there is no built-in security rules like Firebase rule for such scenraios. So you need to implement authorization on your own. The core idea is create Blob Containers for each tenant, the container name could be the tenant ID, and build a broker API to fetch files on behalf of users.

Considering Azure Storage scalability and performance targets, you can also create a storage account pool, then distribute the data per tenant evenly in multiple storage accounts. But with this way, you also need a seperate table to store the mapping infomation so that the API knows where to find the data.

The data structure could be like:

+ StorageAccount1
 + ContainerTenantID/
 |-+ {uid}/
 | | — profile_picture.jpg
 | |-+ input_data/
 | | | — {input_data_id}.xlsx
 + ContainerTenantID/
 |-+ {uid}/
 | | — profile_picture.jpg
 | |-+ input_data/
 | | | — {input_data_id}.xlsx
+ StorageAccount2
 + ContainerTenantID/
 |-+ {uid}/
 | | — profile_picture.jpg
 | |-+ input_data/
 | | | — {input_data_id}.xlsx

Regarding the broker API, it decides what data the user could access. If you use Azure AD, it can get tenantID and UID from the token of sign in user. Then it has enough information to decide what data to return back to user.

Options for uploading documents to Azure per user and keeping them private

1 Answers1