Tenancy & Authentication

db-per-firm

Each tenant is one database: one self-contained directory under <root>/dbs/<name>/ holding its catalog, delta log and segments. The firm lifecycle is filesystem-simple — move, archive or delete a directory.

There is no internal cluster. Horizontal scale is firm→node routing, external and manual: put heavy firms on their own nodes, point their connection strings there.

Authentication

users.json at the root maps each user to a SCRAM-SHA-256 verifier (salt, iterations, stored key — never the password) and to exactly one database:

xcon-db-time useradd -root /var/lib/xcon-db-time firm1 s3cret firm1
  • pg-wire authenticates with SCRAM-SHA-256; the connection is refused unless the requested database is the user's own. That wall is the entire authorization model — no roles, no grants.
  • HTTP uses basic auth against the same verifiers and routes the user to its own database.
  • ILP carries no credentials by design; an ILP listener is bound to one database at startup (-ilp-db) and should be firewalled to the devices that feed it.
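The verifier arithmetic behind users.json and the one-database wall, as an added example that is not xcon-db-time's own code. It follows RFC 5802 / RFC 7677 SCRAM-SHA-256: the server keeps salt, iteration count, StoredKey and ServerKey, and recovers ClientKey from the client's proof at login. The field names in the users.json-shaped dict, the function names, the 4096 iteration count and the in-process exchange are assumptions made for this example; the real file layout may differ.

```python
"""Added example: SCRAM-SHA-256 verifiers plus the db-per-user wall.

Assumed (not taken from the xcon-db-time docs): the dict field names,
the helper names, and the 4096 iteration count.
"""
import base64
import hashlib
import hmac
import secrets


def make_verifier(password: str, iterations: int = 4096, salt=None) -> dict:
    """What the server stores: salt, iterations, StoredKey, ServerKey. Never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return {
        "salt": base64.b64encode(salt).decode(),
        "iterations": iterations,
        "stored_key": base64.b64encode(hashlib.sha256(client_key).digest()).decode(),
        "server_key": base64.b64encode(server_key).decode(),
    }


def useradd(users: dict, name: str, password: str, db: str) -> dict:
    """Mirror of `useradd <user> <password> <db>`: one verifier, exactly one database."""
    users[name] = {"db": db, "scram": make_verifier(password)}
    return users


def client_proof(password: str, salt_b64: str, iterations: int, auth_message: str) -> str:
    """Client side: rederive ClientKey from the password, XOR it with ClientSignature."""
    salt = base64.b64decode(salt_b64)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    return base64.b64encode(proof).decode()


def verify_proof(verifier: dict, auth_message: str, proof_b64: str) -> bool:
    """Server side: recover ClientKey from the proof; its SHA-256 must equal StoredKey."""
    stored_key = base64.b64decode(verifier["stored_key"])
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    proof = base64.b64decode(proof_b64)
    if len(proof) != len(client_sig):
        return False
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def login(users: dict, name: str, password: str, requested_db: str):
    """Run one SCRAM-SHA-256 exchange in-process, then apply the db wall."""
    entry = users.get(name)
    if entry is None:
        return False, "unknown user"
    v = entry["scram"]
    # Constructed exchange: client-first-bare, server-first, client-final-without-proof.
    cnonce = base64.b64encode(secrets.token_bytes(18)).decode()
    nonce = cnonce + base64.b64encode(secrets.token_bytes(18)).decode()
    client_first_bare = f"n={name},r={cnonce}"
    server_first = f"r={nonce},s={v['salt']},i={v['iterations']}"
    client_final_bare = f"c=biws,r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}"
    proof = client_proof(password, v["salt"], v["iterations"], auth_message)
    if not verify_proof(v, auth_message, proof):
        return False, "bad proof"
    # The entire authorization model: the requested database must be the user's own.
    if entry["db"] != requested_db:
        return False, "database is not the user's own"
    return True, "ok"


if __name__ == "__main__":
    users = useradd({}, "firm1", "s3cret", "firm1")  # constructed, matches the useradd line above
    print(login(users, "firm1", "s3cret", "firm1"))
    print(login(users, "firm1", "s3cret", "firm2"))
```

Two points worth checking in any real deployment follow from the code: the stored file contains only salt, iteration count and derived keys, so a leaked users.json does not yield passwords (only an offline guess against PBKDF2 at the stored iteration count), and the database check is a plain string comparison against the one name in the user's record, so there is nothing to misconfigure beyond that name.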

TLS on pg-wire is optional (-tls-cert/-tls-key); when it is off, clients that send an SSLRequest get the protocol's single-byte N reply (SSL not supported) rather than a dropped connection.
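The SSLRequest exchange from both sides, as an added example that is not part of the xcon-db-time code. The 8-byte request format and the S/N reply are the PostgreSQL protocol's; the client-side `sslmode` handling is a simplified model of libpq behaviour, and the function names are this example's own.

```python
"""Added example: the pg-wire SSLRequest handshake and what a client does with N."""
import struct

# PostgreSQL protocol: SSLRequest is length=8 followed by code (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103
SSL_REQUEST_PACKET = struct.pack("!II", 8, SSL_REQUEST_CODE)


def handle_ssl_request(packet: bytes, tls_enabled: bool):
    """Server side: answer S if TLS is configured, N if not; None if this is not an SSLRequest."""
    if len(packet) != 8:
        return None
    length, code = struct.unpack("!II", packet)
    if length != 8 or code != SSL_REQUEST_CODE:
        return None
    return b"S" if tls_enabled else b"N"


def client_decision(answer: bytes, sslmode: str) -> str:
    """Client side (simplified libpq-style sslmode handling) after reading the one-byte answer."""
    if answer == b"S":
        return "start TLS handshake"
    if answer != b"N":
        return "abort: unexpected answer"
    if sslmode in ("require", "verify-ca", "verify-full"):
        return "abort: server refused SSL"
    return "continue in cleartext"  # sslmode=prefer (the common default) silently downgrades


if __name__ == "__main__":
    reply = handle_ssl_request(SSL_REQUEST_PACKET, tls_enabled=False)
    print(reply, client_decision(reply, "prefer"), client_decision(reply, "require"))
```

The caveat for operators: N is polite, not a refusal. A client whose sslmode is the usual default of prefer accepts N and carries on in cleartext, so if a firm's traffic must be encrypted, require it on the client side (sslmode=require or stronger) as well as configuring -tls-cert/-tls-key on the node.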