Multitenant Kafka Ontologies
Available from version 2.1.3-gradius
Regarding Kafka, it has 2 main purposes in Onesait Platform:
When multitenancy is enabled, the use of Kafka changes slightly from the default behaviour. If the default tenant and vertical are being used, nothing changes compared to the two previous guides. However, if a different tenant or vertical is used, the following changes must be taken into account.
Kafka topic names related to ontologies
By default there are 2 topic prefixes: one for the input topic (ONTOLOGY) and another for the notification topics (ONTOLOGY_OUTPUT). The topic names used will be as follows:
Input topic: <INPUT_PREFIX>-<VERTICAL_NAME>-<TENANT_NAME>-<ONTOLOGY_NAME>
Notification topic: <NOTIFICATION_PREFIX>-<VERTICAL_NAME>-<TENANT_NAME>-<ONTOLOGY_NAME>
For example, let’s create an ontology called “MyOntology” for which we will activate both Kafka checks (input and notification). Next, we will create a Digital Client with a token belonging to a tenant other than the default one, but in the same vertical.
If we want to insert data into the ontology via Kafka, the topic name to write to will be: ONTOLOGY-ONESAITPLATFORM-TENANT_RENE-MYONTOLOGY
If we want to listen to the Kafka notification topic, it will be named: ONTOLOGY_OUTPUT-ONESAITPLATFORM-TENANT_RENE-MYONTOLOGY
Security: Digital Clients and Kafka users
Onesait Platform has its own Kafka Security plugin, where digital clients represent Kafka users.
When connecting to Kafka, a JAAS file will be used, indicating the digital client name as “username” and a token as the “password”.
If multitenancy is enabled and we want to use a vertical or tenant other than the default ones, the "username" will no longer be just the name of the Digital Client; instead it will follow this nomenclature: <NAME_CLIENT_DIGITAL>-<NAME_VERTICAL>-<NAME_TENANT>
Let's use the same example as in the previous case. We will connect a client to Kafka (either to write data or to receive notifications) but using a tenant other than the default one, in this case “tenant_rene”. Following the rule described in this section, the “username” that we will have to use will be MyKafkaClient-onesaitplatform-tenant_rene
and the JAAS “password” will be the token associated with said tenant:
This can be seen if we check the ACLs/permissions in Kafka for each topic and user:
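The naming rules above can also be used to audit those ACLs for grants that cross a tenant boundary. The following Python code is an added example, not code from the original page or from Onesait Platform: it builds the topic names and the Kafka username, then flags (username, topic) pairs whose vertical or tenant do not match. It assumes that vertical, tenant and ontology names contain no hyphen, that topic components are upper-cased as in the example above, and that the ACL listing has already been reduced to (username, topic) pairs; the sample pairs and `tenant_other` are constructed.

```python
# Added example: naming rules from this page; ACL pairs are constructed.
PREFIXES = ("ONTOLOGY", "ONTOLOGY_OUTPUT")  # default input / notification prefixes


def topic_name(prefix, vertical, tenant, ontology):
    """<PREFIX>-<VERTICAL>-<TENANT>-<ONTOLOGY>, upper-cased as in the page's example."""
    parts = (vertical, tenant, ontology)
    if any(not p or "-" in p for p in parts):
        raise ValueError("components must be non-empty and must not contain '-'")
    return "-".join((prefix,) + tuple(p.upper() for p in parts))


def kafka_username(client, vertical, tenant):
    """<CLIENT>-<VERTICAL>-<TENANT>: the JAAS username for a non-default tenant."""
    return f"{client}-{vertical}-{tenant}"


def parse_topic(topic):
    """Return (prefix, vertical, tenant, ontology), or None if the name does not fit."""
    parts = topic.split("-")
    return tuple(parts) if len(parts) == 4 and parts[0] in PREFIXES and all(parts) else None


def parse_username(username):
    """Return (client, vertical, tenant); split from the right so the client may hold '-'."""
    parts = username.rsplit("-", 2)
    return tuple(parts) if len(parts) == 3 and all(parts) else None


def cross_tenant_grants(acl_pairs):
    """Return (username, topic, reason) for pairs that break tenant isolation by name."""
    findings = []
    for username, topic in acl_pairs:
        user, parsed = parse_username(username), parse_topic(topic)
        if user is None or parsed is None:
            findings.append((username, topic, "not multitenant-named"))
        elif (user[1].upper(), user[2].upper()) != (parsed[1].upper(), parsed[2].upper()):
            findings.append((username, topic, "vertical/tenant mismatch"))
    return findings


SAMPLE_ACLS = [  # constructed (username, topic) pairs; tenant_other is hypothetical
    ("MyKafkaClient-onesaitplatform-tenant_rene",
     "ONTOLOGY-ONESAITPLATFORM-TENANT_RENE-MYONTOLOGY"),
    ("MyKafkaClient-onesaitplatform-tenant_rene",
     "ONTOLOGY_OUTPUT-ONESAITPLATFORM-TENANT_OTHER-MYONTOLOGY"),
]
```

Pairs reported as "not multitenant-named" include default-tenant clients, whose names follow the earlier guides rather than this scheme, so they need a manual check rather than an automatic verdict.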