VMware Cloud Community
solgaeDK (VMware Employee)

vCAC 6.0 - multi-tenant configuration with separate infrastructure

Hello,

I have been playing around with vCAC 6.0 on my lab environment, and have some questions related to multi-tenancy configuration with separate infrastructure.

In the documentation, there is a section that explains the difference between single-tenant and multi-tenant configuration, and within multi-tenant, the section explains two different configurations: one with shared infrastructure, and one with separate infrastructure for each tenant.

I was able to install all the vCAC 6.0 components, and have been playing around with assigning Tenant Admin and Infrastructure (IaaS) Admin permissions on different tenants. I added the vSphere endpoint (vCenter) to the default tenant (vsphere.local) configuration, and then created the fabric group. Then I logged out, browsed to the URL of the other tenant (calling it "LAB Tenant"), and logged in as an IaaS Admin. What I found was that the IaaS Admin from LAB Tenant could see and edit the configuration details of the endpoint/fabric group/credentials configured by the IaaS Admin in the default tenant. Surely, the IaaS Admin from the other tenant shouldn't be able to mess around with the settings done by the IaaS Admin in the default tenant?

I also found that when I added an endpoint/fabric group/credential config for a non-default tenant (calling it "Tenant 1"), and then logged in as an IaaS Admin from another tenant (again, non-default, calling it "Tenant 2"), the IaaS Admin from Tenant 2 was able to edit the endpoint/credentials/fabric group configuration made by the IaaS Admin in Tenant 1. This brings me to the question of just how isolated the infrastructure configuration is between tenants in vCAC. Is the infrastructure configuration supposed to be shared like this?

Thanks in advance

Accepted Solution
igorstoyanov (VMware Employee)

The behavior that you described is the expected behavior of the system. Currently, there is very strong tenant isolation in the service catalog, end user functionality and business groups. However, the infrastructure (endpoints, fabric groups, credentials) is shared among tenants. I believe that separate infrastructure is more in reference to logical configuration of one endpoint, fabric group/reservations to be used only by one tenant and another endpoint/reservations to be used by another tenant. This should be enforced on a fabric level configuration and it is not enforced by the system. Again, the isolation would be achieved at the end user/service catalog level, where users from one tenant would be able to use/request the resources/reservations configured for their tenants only.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.

solgaeDK (VMware Employee)

Got it, so if you want tenants to manage separate infrastructure, you would create different fabric groups for each tenant, and for each group, assign fabric admins from the tenant that the fabric group would belong to?

igorstoyanov (VMware Employee)

Yes, this is the overall approach, although there is not complete isolation on this level. Overall, the IaaS administrator is a system-level role (shared across all tenants). The IaaS admin is responsible for:

- Credential Mgmt.
- Endpoint Config
- Proxy Agent Config
- Fabric Group Config (adding Fabric admins)

The Fabric Group could be used as separation for the tenants and business groups (rather, the reservations created by the fabric groups). So, after discovering the endpoints, the next step is to aggregate resources into one or more Fabric Groups. If you have a single tenant, one fabric group may be enough (although it could be segregated by business groups). The Fabric Groups need one or more administrators that will manage the fabric groups. This could be the IaaS admin, but in the case we are talking about it should be a different user for different tenants (you will probably need to log in with a different tenant for every fabric group). Once the fabric admins are assigned, the IaaS admin also allocates resources to these fabric groups, based on which the fabric admins could create reservations and map them to one or more business groups in the current tenant.

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.
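To make the role boundaries described in this reply concrete, here is a small Python model added as an illustration; it is not vCAC code or VMware's API. The role names, the tenant names (tenanta and test, as used later in this thread), the group names and the reservation names are constructed assumptions. The model encodes the two points of the reply: fabric-level roles (IaaS admin, fabric admin) are system-wide and not filtered by tenant, while consumers are scoped to business groups in their own tenant. Two checks are included that a defender would want: an audit listing which users can see another tenant's reservations, and a check that each fabric group backs reservations for only one tenant, which is the logical "separate infrastructure" convention the reply recommends.

```python
# Added illustration (not vCAC code): a toy model of the role boundaries
# described in this thread. Tenant, group and reservation names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    name: str
    fabric_group: str    # fabric group whose resources back the reservation
    business_group: str  # the one business group the reservation is mapped to
    tenant: str          # tenant that owns that business group


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset                          # subset of {"iaas_admin", "fabric_admin", "consumer"}
    business_groups: frozenset = frozenset()  # consumer membership, same tenant only


# Per the thread: IaaS admin and fabric admin are fabric-level roles; the system
# does not filter what they see by tenant. Isolation starts at business groups.
FABRIC_LEVEL_ROLES = frozenset({"iaas_admin", "fabric_admin"})


def visible_reservations(user, reservations):
    """Reservation names a user can see under the model described in the thread."""
    if user.roles & FABRIC_LEVEL_ROLES:
        return sorted(r.name for r in reservations)
    return sorted(
        r.name for r in reservations
        if r.tenant == user.tenant and r.business_group in user.business_groups
    )


def cross_tenant_visibility(users, reservations):
    """Audit: (user, reservation, owning tenant) triples where a user can see
    a reservation that belongs to a tenant other than their own."""
    by_name = {r.name: r for r in reservations}
    findings = []
    for u in users:
        for name in visible_reservations(u, reservations):
            if by_name[name].tenant != u.tenant:
                findings.append((u.name, name, by_name[name].tenant))
    return findings


def mixed_fabric_groups(reservations):
    """Logical-separation check: fabric groups whose reservations serve more than
    one tenant, i.e. the 'separate infrastructure' convention was not followed."""
    tenants_per_fg = {}
    for r in reservations:
        tenants_per_fg.setdefault(r.fabric_group, set()).add(r.tenant)
    return sorted(fg for fg, tenants in tenants_per_fg.items() if len(tenants) > 1)


# Constructed sample configuration: one fabric group and one business group per tenant.
RESERVATIONS = [
    Reservation("res-a", "fg-tenanta", "bg-tenanta", "tenanta"),
    Reservation("res-test", "fg-test", "bg-test", "test"),
]
FABRIC_ADMIN_A = User("fabadmin-a", "tenanta", frozenset({"fabric_admin"}))
CONSUMER_A = User("user-a", "tenanta", frozenset({"consumer"}), frozenset({"bg-tenanta"}))
CONSUMER_TEST = User("user-test", "test", frozenset({"consumer"}), frozenset({"bg-test"}))
USERS = [FABRIC_ADMIN_A, CONSUMER_A, CONSUMER_TEST]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, "sees", visible_reservations(u, RESERVATIONS))
    print("cross-tenant visibility:", cross_tenant_visibility(USERS, RESERVATIONS))
    print("fabric groups serving multiple tenants:", mixed_fabric_groups(RESERVATIONS))
```

Running the block shows the fabric admin of tenanta listed in the cross-tenant audit against res-test even though the fabric groups are cleanly separated, which is exactly the situation the reply describes: the separation is a configuration convention, not something the system enforces at the fabric level, so the control that actually keeps consumers apart is the business-group mapping.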
lisun (VMware Employee)

Hi,

I have created two tenants (tenanta and test). When I log on as the Fabric admin user of either tenant,

we can see the two reservations for tenanta and test. Why can we see the other tenants' resources?

(Attached screenshot: 屏幕快照 2014-02-11 下午4.33.43.png)

igorstoyanov (VMware Employee)

Unfortunately, as I said above, there is no complete isolation on the fabric level. The tenant isolation level starts from the business groups. Just one clarifying question: is this user a member of the two tenants (the two tenants sharing the same AD), or is the fabric admin part of only one tenant?

Visit http://blogs.vmware.com/orchestrator for the latest in Cloud Orchestration.
lisun (VMware Employee)

Thanks for your prompt reply.

Tenanta and test are in two separate AD domains, with the fabric admin configured in each tenant.

I understand the tenant section of the document: tenants A, B, C are just to distinguish between the different resource management.