Chapter 11. Multitenancy
Red Hat 3scale allows multiple independent instances of 3scale tenants to exist on a single On-Premises deployment. A master administrator monitors and manages these tenants through a special master admin portal and API endpoints.
Tenants operate independently from each other, and cannot share information between themselves. They are administered by tenant administrators, who can perform the standard administrative actions under their tenancy. For details on tenant administrator operations, refer to the Accounts guide.
11.1. Master admin portal
The master administrator has access to the master admin portal. Similar to the standard admin portal, the master admin portal contains information about all tenants in a deployment and allows for administration of tenants and users through a unique tenant page.
11.2. Accessing the master admin portal
Access the master admin portal using the master admin portal credentials and URL defined and output during the on-premises installation process.
The master admin portal URL consists of the
MASTER_NAME prepended to the
-admin string subdomain:
The master admin portal can be identified by the Master flag in the upper left corner.
11.3. Adding a tenant through the master admin portal
- Log in to your master admin account
Select Tenants → Create
Enter the required information:
- Select the Create button to create the user
Once you select Create, Red Hat 3scale creates a tenant subdomain for your tenant based on the Organization/Group name.
11.4. Managing tenant accounts through the master admin portal
- Log in to the master admin portal
Navigate to the Tenants page
- Select the group or organization you wish to manage
From the Tenants page, you can perform administrative actions, such as impersonating a tenant admin or suspending a tenant account. You can also manage the following tenant account attributes:
- group memberships
- organization/group name
11.5. Managing tenant accounts through API calls
You can manage tenant accounts though master admin API calls. For information on master admin API calls, Refer to the
Master API section of the
3scale API Docs, available in the upper left corner of the master admin portal.
11.6. Understanding multitenancy subdomains
As a result of multiple tenants existing under the same OpenShift cluster domain, individual tenant names prepend the OpenShift cluster domain name as subdomains. For example, the route for a tenant named
user on a cluster with a domain of
example.com appears as:
A standard multitenant deployment will include:
- A master admin user
A master admin portal route, defined by the
- A tenant admin user
A tenant admin portal route, defined by the
A tenant AMP route:
Tenant routes for the production and staging built-in APIcast gateway:
<TENANT_NAME>-<!!! Not sure>-apicast-staging.<OCP_DOMAIN> <TENANT_NAME>-<!!! Not sure>-apicast-production.<OCP_DOMAIN>
This example illustrates the output users and routes of a standard multitenant deployment of 3scale:
---- --> Deploying template "3scale-project/3scale-api-management" for "amp.yml" to project project
3scale API Management --------- 3scale API Management main system
Login on https://user-admin.3scale-project.example.com as admin/xXxXyz123 ... * With parameters: * ADMIN_PASSWORD=xXxXyz123 # generated * ADMIN_USERNAME=admin * TENANT_NAME=user ... * MASTER_NAME=master * MASTER_USER=master * MASTER_PASSWORD=xXxXyz123 # generated ... --> Success Access your application via route 'user-admin.3scale-project.example.com' Access your application via route 'master-admin.3scale-project.example.com' Access your application via route 'backend-user.3scale-project.example.com' Access your application via route 'user.3scale-project.example.com' Access your application via route 'api-user-apicast-staging.3scale-project.example.com' Access your application via route 'api-user-apicast-production.3scale-project.example.com' Access your application via route 'apicast-wildcard.3scale-project.example.com' ... ----
Additional tenants added by the master admin will be be assigned a subdomain based on their names.