How does the Multitenant work in the Platform?

EN | ES

Multitenant Support on the Platform starts from Release 1.6.0-empire.

However, it is a functionality in continuous improvement so the use of updated versions is recommended.

Introduction

Multitenant is a principle of software architecture in which a single instance of the application is capable of serving multiple clients or organizations (tenant or instance).

This model differs from architectures with multiple instances where each organization or client has its own installed instance of the application since in a multitenant architecture the application can virtually partition its data and configuration so that each client has a virtual instance adapted to its requirements.

You can find more details about Multitenant, its advantages, etc., in this entry: A Look at Multitenant: What it is and how it is supported on the Platform

Multitenant Support in Platform

The Multitenant Platform functionality is supported on 2 concepts:

  • Vertical: represents a specific product and project. Imagine the deployment of Platform on an organization that offers products in SaaS mode: In this case, we could have different verticals deployed on an instance, for example Vertical Smart Home, Vertical Waste Management, ...

  • Tenant: represents a client to whom the organization serves its products, for example we could offer the Smart Home solution to Carrefour, Leroy Merlin, …

With the support of Onesait Platform with a single platform instance we could serve several verticals and tenants.

The platform capabilities in terms of multi-tenant mode are thus reflected:

  • Each Vertical has its own ConfigDB, or in other words, each Vertical can create its own platform concepts independently from the rest, that is, its ontologies, APIs, DataFlows, microservices, dashboards,...

  • Each tenant has its own RealTimeDB, so each tenant's data is stored independently and not mixed.

  • Users are general to the whole platform instance and can be associated to vertials and tenants.

As we will see later on, the platform manages all this in a transparent way, abstracting the user from the complexities.

In the following diagram, we can see an example of a case of use of the platform in multitenant mode:

Considerations on the Installation

New installation with version 1.6.0-Empire or higher

When a new installation is made, without data in the ConfigDB, the UPDATE_MODE_MULTITENANT environment variable must be set to false. If this variable is not set to false, warning messages will appear.

This variable is designed to upgrade environments that already have data, so that existing data is migrated to the master database (users, tokens...).

Upgrade to version 1.6.0-Empire or higher

If an environment is upgraded to this version, you do not need to specify anything.

Multitenant environment configuration

To use the environment in multitenant mode, simply indicate the environment variable MULTITENANCY_ENABLED as 'true' in the Controlpanel and OAuth Server modules:

 

Once enabled, there is a global platform user, with PLATFORM_ADMIN role, in charge of creating the verticals.

Basic Operation

Vertical creation

If you enter with the user platform_admin, you will see a screen with the list of platform verticals:

To create one, go to create and choose the vertical’s name:

You must copy the configuration database schema’s name, then launch the config-init service, with the environment variable CONFIGDB_SCHEMA with that value:

This will load the basic configuration data for the new vertical.

In addition, an administrator user will be created for the vertical, following the format ‘administrator_ {vertical}’, iIn this case it will be administrator_waste, with the default password OpenP2019! and a default client for vertical development, with development format.

With this user, you can create clients or tenants for the vertical, as well as platform users and assign them to a client.

Creating Tenants of a Vertical

With the user-administrator of the vertical, you can create tenants. Go to the menu option ‘Tenant Management’, under the Administration level:

To create a new one, select Create and fill in the information:

A developer user assigned to the client is created by default. In this case lugo_developer will be created for the tenant smart-lugo of the vertical waste.

If you enter each client/tenant, you can see a list of its users:

Adding an existing Tenant to another vertical

For this example, the Carrefour client already exists in the Prosumers vertical, so that, if you want it to also be a Waste customer, you will need to re-use the platform_admin user, and go to the Waste vertical, then to the 'Tenants' tab .

Here you click ‘Add’ and add Carrefour.

Now Carrefour users will be able to access the Prosumers vertical and Waste.

User Creation for a Tenant

To create users and associate them with a tenant, with the administrator of the vertical, the process is the same as always, only this time you will see one more option when creating it: a combo with that vertical’s clients.

Select the one you want to assign and create it:

Bear in mind that a platform user can only be associated with a single client, although, due to this, they can access different verticals.

Considerations when a Client is associated with several verticals

For this example, as Carrefour is associated with Waste and Prosumers, when you access the platform either through the Control Panel or through Identity Manager OAuth2, you need to specify the vertical to which we want to access.

If you access with device or API tokens, you don’t need to perform any additional action, as the platform univocally relates these tokens with: vertical, client and user.

Control Panel

If you enter through the Control Panel, after entering your password you will be assigned a provisional role with authorization only to choose the vertical you want to access - so you will see a screen with a combo to choose the vertical. Select it and log in:

As you have noticed in previous captures, when the platform operates in multitenant mode, the vertical in which you are working is always specified in the upper right bar :

Identity Manager OAuth 2.0

For Oauth 2, you need to specify an additional “vertical” parameter, with the name of the vertical you want to access. If you do not specify it and your user is associated with several verticals, you will be given a token with a provisional role that will not have any authorization level to operate with.

However, if you add the vertical, it will assign you the right role: