Understanding ViPR Controller Multi-Tenant Configuration

ViPR Controller multi-tenant configuration

ViPR Controller can be configured with multiple tenants, where each tenant has its own environment for creating and managing storage that cannot be accessed by users from other tenants. The default, or root, tenant is referred to as the provider tenant, and a single level of tenants can be created beneath it. This article describes the ViPR Controller tenant model and how ViPR Controller can be configured to use multiple tenants.

The following tenant scenarios are supported:
Enterprise single tenant
An enterprise single tenant ViPR Controller configuration provides the same storage provisioning and management environment to all of its users. All users belong to the provider tenant.
Enterprise multi-tenant
In an enterprise multi-tenant environment, an organization creates additional tenants for different departments.
Enterprise multi-tenant as Managed Service Provider
In a managed service provider scenario, a company (Acme, for example) outsources its storage and compute requirements to a managed service provider. The service provider company uses ViPR Controller to create an environment in which Acme can create storage and attach it to hosts located in the data center of the service provider.
The service provider can offer this service to a number of companies, each one assigned to its own ViPR Controller tenant.

For information on adding a new tenant to an existing ViPR Controller virtual data center, see the ViPR Controller User Interface Tenants, Projects, Security, Users and Multisite Configuration Guide, which is available from the ViPR Controller Product Documentation Index.

Multiple tenant configuration overview

Each tenant is created and configured from resources available to the virtual data center in order to provide a custom environment that can be managed and further customized at the tenant level.

The creation and configuration of a multi-tenant environment requires ViPR Controller administrators to perform the following:
  • Create new tenants. (Requires the VDC Security Administrator role)
  • Map users into the tenant based on their AD/LDAP domain, groups to which they are assigned, and attributes associated with their user account. (Requires the VDC Security Administrator role)
  • Assign users to roles within a tenant. (Requires the VDC Security Administrator role or the Tenant Administrator role for the tenant)
  • Restrict access to provisioning resources based on tenant. For example, certain virtual arrays and/or virtual pools might only be accessible to a specific tenant. (Requires the System Administrator role)

Where only a single tenant (the provider tenant) exists, all tenant users have the same access to the ViPR Controller virtual data center storage provisioning environment. By default, all users associated with an authentication provider are mapped to that tenant; additional mappings can apply finer-grained control over which users are selected.

Provider tenant roles, and sub-tenants

The Provider tenant is the default tenant created by the ViPR Controller.

The provider tenant is created upon initial login to ViPR Controller. Any tenant created after the provider tenant is a sub-tenant. For example:

  • In the ViPR Controller API, this will appear as follows: /tenants/{provider_tenant_id}/subtenants
  • In the ViPR Controller UI, the provider tenant and its sub-tenants appear at the same level in the tenant list on the Tenant Settings > Tenant page.

Assigning Tenant Administrator to the provider tenant

Initially, the Security Administrator for the VDC is the only user who can configure the provider tenant. Configuring the provider tenant includes assigning it a Tenant Administrator. Once a Tenant Administrator has been assigned to the provider tenant, that Tenant Administrator can perform all tenant-level operations, including assigning tenant roles to other provider tenant users and accessing the virtual data center resources configured for the provider tenant.

Tenant Administrator roles

The Tenant Administrator can perform the following operations for the tenants assigned to them:

  • View the tenants, and tenant attributes.
  • Assign roles to users in the tenant.
  • Modify the tenant name, and description.
  • Perform administration tasks for the tenant, such as creating a project, or editing the service catalog.

The Tenant Administrator role can be assigned to a member of a sub-tenant. The Security Administrator for the VDC, or the Tenant Administrator of the sub-tenant, can assign the Tenant Administrator role to other users mapped to the same sub-tenant, or to users mapped to the provider (root) tenant.

Understanding the mapping of users into tenants

Users are added to ViPR Controller using authentication providers. When an authentication provider is created in ViPR Controller, one or more AD/LDAP domains are supplied and are used to provide ViPR Controller users. A domain can be mapped to a single tenant or can provide users for multiple tenants.

An authentication provider usually specifies a whitelist group which defines the default group of users who will be available as ViPR Controller users to the whole VDC. In addition to the whitelisted group, the available domain users can be mapped based on their group membership or based on attributes defined in their AD/LDAP entry.

By default, the provider tenant's mapping includes all users made available by the authentication provider. If that is not what you want, you can apply other mappings. Sub-tenants below the provider tenant must specify a user mapping; at a minimum, a domain must be specified.

The API and CLI allow mappings to be specified when a new tenant is registered, and support updating the mappings for all tenants, including the provider tenant. Creating and editing a tenant are functions of a Security Administrator. From the ViPR Controller UI, the user mappings for a tenant are specified when you create or edit the tenant.

You must be a Security Administrator to create a sub-tenant, or to modify the user mappings and quota of the provider tenant or a sub-tenant.

Assignment of roles by group

VDC and tenant roles can be assigned to the Users or Groups in the authentication provider or User Groups in the ViPR Controller.

When using group assignment, remember that a group can be assigned to more than one tenant, and that members of a group can be mapped into different tenants based on attributes. For example, the mappings for two tenants could both include users from the same group, in this case group1:
  Tenant 1
    domain=emc.com, group=group1 and attr1=xyz
  Tenant 2
    domain=emc.com, group=group1 and attr1=abc
For this reason, when assigning roles to groups, ViPR Controller does not validate group membership, but allows any valid AD, LDAP, or ViPR Controller User Group to be assigned to a role.

This means that, although a group has been assigned to a role, some of its members may not be eligible for that role because they are mapped into a different tenant. When a member of the group logs in, if they are not a member of the correct tenant, they are not granted the role to which the group has been assigned.

For example, only users in the provider tenant can be assigned VDC roles. So if a group assigned to a VDC role contains both provider tenant members and members of other tenants, only the provider tenant members are granted the VDC role when they log in.

Similarly, a group can be assigned a tenant role for a selected tenant, but only users who are eligible for that role are actually granted it when they log in: to be granted the Tenant Administrator role, or any other tenant role, the user must be a member of the tenant for which the group assignment was made.
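The two behaviours described in this section and the previous one (users mapped into a tenant by domain, group and attribute; group role assignments that take effect only for members of the right tenant) are easiest to see in code. The following Python model is an added example, not ViPR Controller's own code or API. The User and UserMapping classes, the resolve_tenant and effective_roles functions, the sample users and the tenant1/tenant2 configuration are constructed for illustration from the group1 example above; the tenant role "Project Administrator" is assumed (the text only names Tenant Administrator), and treating overlapping sub-tenant mappings as an error is this model's choice, not documented ViPR behaviour.

```python
"""Tenant user mapping and group-based role resolution, modelled in Python.

Added illustration, not ViPR Controller code. Assumes a simplified view of
AD/LDAP users (domain, groups, attribute values) and of tenant user-mapping
rules (a required domain plus optional group and attribute constraints).
"""
from dataclasses import dataclass, field

PROVIDER_TENANT = "provider"
VDC_ROLES = {"Security Administrator", "System Administrator"}
TENANT_ROLES = {"Tenant Administrator", "Project Administrator"}  # second role assumed


@dataclass(frozen=True)
class User:
    name: str
    domain: str
    groups: frozenset
    attributes: dict


@dataclass(frozen=True)
class UserMapping:
    """One mapping rule: domain is required; groups/attributes narrow it down."""
    domain: str
    groups: frozenset = frozenset()                 # member of at least one, if given
    attributes: dict = field(default_factory=dict)  # every listed key must match

    def matches(self, user):
        if user.domain.lower() != self.domain.lower():
            return False
        if self.groups and not (self.groups & user.groups):
            return False
        return all(user.attributes.get(k) == v for k, v in self.attributes.items())


def resolve_tenant(user, mappings):
    """Map a user into exactly one tenant.

    `mappings` is {tenant_id: [UserMapping, ...]}. Sub-tenant rules are checked
    first; a user who matches none falls back to the provider tenant, whose
    default rule (domain only) admits every user the authentication provider
    supplies. A user matching several sub-tenants is treated as a configuration
    error (an assumption of this model, not documented ViPR behaviour).
    """
    hits = [t for t, rules in mappings.items()
            if t != PROVIDER_TENANT and any(r.matches(user) for r in rules)]
    if len(hits) > 1:
        raise ValueError(f"{user.name} matches several tenants: {sorted(hits)}")
    if hits:
        return hits[0]
    if any(r.matches(user) for r in mappings.get(PROVIDER_TENANT, [])):
        return PROVIDER_TENANT
    return None  # not a ViPR Controller user at all


def effective_roles(user, mappings, vdc_group_roles, tenant_group_roles):
    """Roles a user is actually granted at login from group assignments.

    `vdc_group_roles` is {group: {vdc_role, ...}}; `tenant_group_roles` is
    {tenant_id: {group: {tenant_role, ...}}}. Group membership was not checked
    when the assignment was made, so the tenant eligibility check happens here.
    """
    tenant = resolve_tenant(user, mappings)
    if tenant is None:
        return None, set()
    granted = set()
    if tenant == PROVIDER_TENANT:  # VDC roles only reach provider tenant members
        for g in user.groups:
            granted |= vdc_group_roles.get(g, set()) & VDC_ROLES
    for g in user.groups:          # tenant roles only for the tenant assigned to
        granted |= tenant_group_roles.get(tenant, {}).get(g, set()) & TENANT_ROLES
    return tenant, granted


# Constructed configuration reproducing the group1 example from the text.
MAPPINGS = {
    PROVIDER_TENANT: [UserMapping("emc.com")],
    "tenant1": [UserMapping("emc.com", frozenset({"group1"}), {"attr1": "xyz"})],
    "tenant2": [UserMapping("emc.com", frozenset({"group1"}), {"attr1": "abc"})],
}
# group1 is given a VDC role and the Tenant Administrator role in tenant1;
# neither assignment is validated against where group1's members are mapped.
VDC_GROUP_ROLES = {"group1": {"System Administrator"}}
TENANT_GROUP_ROLES = {"tenant1": {"group1": {"Tenant Administrator"}}}

# Constructed sample users, all members of group1.
ALICE = User("alice", "emc.com", frozenset({"group1"}), {"attr1": "xyz"})
BOB = User("bob", "emc.com", frozenset({"group1"}), {"attr1": "abc"})
CAROL = User("carol", "emc.com", frozenset({"group1"}), {})
DAVE = User("dave", "other.org", frozenset({"group1"}), {})


def demo():
    """(tenant, granted roles) per sample user at login."""
    return {u.name: effective_roles(u, MAPPINGS, VDC_GROUP_ROLES, TENANT_GROUP_ROLES)
            for u in (ALICE, BOB, CAROL, DAVE)}


if __name__ == "__main__":
    for name, (tenant, roles) in demo().items():
        print(f"{name}: tenant={tenant} roles={sorted(roles)}")
```

Running it shows the point of the section: alice (attr1=xyz) lands in tenant1 and receives Tenant Administrator there; bob is in the same group but is mapped to tenant2, so the tenant1 assignment does nothing for him; carol matches no sub-tenant, falls into the provider tenant, and is the only group1 member who actually receives the VDC role; dave's domain is unknown to the authentication provider, so he is not a ViPR user at all.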

Multi-tenant operation across multiple ViPR Controller sites

If ViPR Controller sites are linked, a tenant created in one ViPR Controller site will automatically be available in other linked ViPR Controller sites.

Tenants, tenant roles, and projects are shared across sites, so a user who is assigned to a tenant role will be granted that role at whichever linked site they log in at and can see the same projects. Services and the service catalog are not replicated and are specific to a VDC.

Virtual arrays, and the block volumes and file systems created by provisioning operations, are VDC resources and so are not visible across sites.

For information on configuring multiple linked sites see ViPR Controller User Interface Tenants, Projects, Security, Users and Multisite Configuration Guide, which is available from the ViPR Controller Product Documentation Index.

Set up the VDC for a tenant

You can add access control to virtual arrays and virtual pools to make them available to specific tenants.

A virtual array comprises array endpoints and host endpoints interconnected by a SAN fabric or an IP network; a virtual array can include both Fibre Channel and IP networks. Different array ports can be placed in different virtual arrays, so a single physical array can contribute to more than one virtual array.

This partitioning of physical arrays into virtual arrays, coupled with the ability to assign access to specific tenants, provides control over the storage provisioning environment made available to a tenant.

Even finer-grained control can be obtained by assigning specific virtual pools to tenants. For storage provisioning purposes, the physical storage pools of a virtual array are offered as virtual pools based on their performance and protection characteristics. Because a virtual pool can be configured to use a particular array type, restricting a tenant's access to that virtual pool prevents the tenant from provisioning on that array. Similarly, you can restrict access to a pool that provides a particular performance characteristic, such as SSD.

Set up the tenant for end users

Once a tenant has been created and configured, the Tenant Administrator for that tenant can perform a number of administration tasks.

The following administration tasks can be performed in preparation for using the tenant for block and file provisioning operations.
  • Projects can be created and tenant users given access to the project.
  • The service catalog can be configured by arranging services in categories. Tenant users can be given access to categories or to individual services.
  • Hosts, clusters, and vCenters for the tenant can be added.
  • Consistency groups can be created.
  • Execution windows can be created.