Multitenancy documentation #2582
-
Hi Looking at your code, there appears to be some form of multi-tenancy support. Is this documented anywhere on how this works, and how to configure it Thanks Darrell Merryweather |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
We don't really have formal documentation (yet) for the multi-tenancy feature of Apicurio Registry (I assume you are interested in Registry, not Studio). I could write a quick getting-started document if you think that would help. But we currently don't make the MT capabilities of Registry available to Red Hat customers of the on-prem registry product, and as a result we don't have strong end user docs on it. (just a bandwidth/priority thing) From a high level, it's not a complicated feature. Essentially we just have a "tenantId" column on all our DB tables. And all you need to do is make sure that you make the tenantId available to the registry application on each request (this can be done by including it in the path to the REST API, or by including it in the JWT token, or by passing it in via HTTP request header, or via a subdomain name). However, things get tricky if you want to enforce appropriate authorization controls (e.g. the population of users is different for each tenant). The real pitfall is the UI. The UI is not currently built to work with a multi-tenancy enabled Registry. When we use multi-tenant registry at Red Hat (for our managed service) we use federated webpack modules to export the UI components into our larger console.redhat.com console. To get you started, here are some ENV variables you can enable when starting up the registry docker image:
So for example you could start like this:
That will enable MT mode and allow the tenantId to be sent either in the API path, or in a request header (configurable but defaults to X-Registry-Tenant-Id), or as So you can try this, for example:
That will try to access a tenant with ID "12345" and invoke the system info API endpoint. However it will fail. The reason is that Registry itself doesn't manage the tenants - it relies on another component called the Tenant Manager to do that. So you would also need to run an instance of the tenant manager. The MT registry application will try to lookup information about a tenant in the tenant manager. And if it doesn't exist, it will fail the request. So you would need to start up the tenant manager and provision tenants using that tenant manager (via its REST API). Then you need to configure the tenant manager in the registry application so that registry can lookup tenants in the TM. For a full collection of configuration options for multitenancy, you could look here: Depending on your use-case, we could also look into streamlining some of this (e.g. maybe you don't need the TM?). |
Beta Was this translation helpful? Give feedback.
-
I can add that there is a pretty extensive OpenShift template in our repository, that produces a multi-tenant Registry deployment https://github.com/Apicurio/apicurio-registry/blob/master/distro/openshift-template/mt/apicurio-registry-mt-template.yaml . It has some additional complexity (e.g. it uses Envoy proxies) and is missing some private configuration, but it can be a good place to take a look. |
Beta Was this translation helpful? Give feedback.
We don't really have formal documentation (yet) for the multi-tenancy feature of Apicurio Registry (I assume you are interested in Registry, not Studio).
I could write a quick getting-started document if you think that would help. But we currently don't make the MT capabilities of Registry available to Red Hat customers of the on-prem registry product, and as a result we don't have strong end user docs on it. (just a bandwidth/priority thing)
From a high level, it's not a complicated feature. Essentially we just have a "tenantId" column on all our DB tables. And all you need to do is make sure that you make the tenantId available to the registry application on each request (this can be do…