Chapter 11. Multitenancy

Red Hat 3scale allows multiple independent instances of 3scale tenants to exist on a single On-Premises deployment. A master administrator monitors and manages these tenants through a special master admin portal and API endpoints.

Tenants operate independently from each other, and cannot share information between themselves. They are administered by tenant administrators, who can perform the standard administrative actions under their tenancy. For details on tenant administrator operations, refer to the Accounts guide.

11.1. Master admin portal

The master administrator has access to the master admin portal. Similar to the standard admin portal, the master admin portal contains information about all tenants in a deployment and allows for administration of tenants and users through a unique tenant page.

11.2. Accessing the master admin portal

Access the master admin portal using the master admin portal credentials and URL defined and output during the on-premises installation process.

The master admin portal URL is the MASTER_NAME value followed by -admin, as a subdomain of the OpenShift cluster domain:

<MASTER_NAME>-admin.<OCP_DOMAIN>

The master admin portal can be identified by the Master flag in the upper left corner.

Master tenant flag

11.3. Adding a tenant through the master admin portal

  1. Log in to your master admin account
  2. Select Tenants > Create

    Tenants Page
  3. Enter the required information:

    1. Username
    2. Email
    3. Password
    4. Organization/Group name

      Create Tenant
  4. Select the Create button to create the user

Once you select Create, Red Hat 3scale creates a tenant subdomain for your tenant based on the Organization/Group name.

11.4. Managing tenant accounts through the master admin portal

  1. Log in to the master admin portal
  2. Navigate to the Tenants page

    Tenants page
  3. Select the group or organization you wish to manage

From the Tenants page, you can perform administrative actions, such as impersonating a tenant admin or suspending a tenant account. You can also manage the following tenant account attributes:

  • applications
  • users
  • invitations
  • group memberships
  • organization/group name

Master tenant overview

11.5. Managing tenant accounts through API calls

You can manage tenant accounts through master admin API calls. For information on master admin API calls, refer to the Master API section of the 3scale API Docs, available in the upper left corner of the master admin portal.

Master API section

11.6. Understanding multitenancy subdomains

Because multiple tenants exist under the same OpenShift cluster domain, each tenant name is prepended to the OpenShift cluster domain name as a subdomain. For example, the route for a tenant named user on a cluster with a domain of example.com appears as:

user.example.com

A standard multitenant deployment will include:

  • A master admin user
  • A master admin portal route, defined by the MASTER_NAME parameter:

    <MASTER_NAME>-admin.<OCP_DOMAIN>
  • A tenant admin user
  • A tenant admin portal route, defined by the TENANT_NAME parameter:

    <TENANT_NAME>-admin.<OCP_DOMAIN>
  • A tenant AMP route:

    <TENANT_NAME>.<OCP_DOMAIN>
  • Tenant routes for the production and staging built-in APIcast gateway:

    <TENANT_NAME>-<!!! Not sure>-apicast-staging.<OCP_DOMAIN>
    <TENANT_NAME>-<!!! Not sure>-apicast-production.<OCP_DOMAIN>

This example shows the users and routes output by a standard multitenant deployment of 3scale:

    --> Deploying template "3scale-project/3scale-api-management" for "amp.yml" to project project
    3scale API Management
    ---------
    3scale API Management main system
         Login on https://user-admin.3scale-project.example.com as admin/xXxXyz123
         ...
         * With parameters:
          * ADMIN_PASSWORD=xXxXyz123 # generated
          * ADMIN_USERNAME=admin
          * TENANT_NAME=user
          ...
          * MASTER_NAME=master
          * MASTER_USER=master
          * MASTER_PASSWORD=xXxXyz123 # generated
          ...
    --> Success
        Access your application via route 'user-admin.3scale-project.example.com'
        Access your application via route 'master-admin.3scale-project.example.com'
        Access your application via route 'backend-user.3scale-project.example.com'
        Access your application via route 'user.3scale-project.example.com'
        Access your application via route 'api-user-apicast-staging.3scale-project.example.com'
        Access your application via route 'api-user-apicast-production.3scale-project.example.com'
        Access your application via route 'apicast-wildcard.3scale-project.example.com'
        ...

Additional tenants added by the master admin will be assigned a subdomain based on their names.
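
The installer output above prints the generated admin and master passwords in clear text next to the routes. The following added example, which is not part of the 3scale documentation or product, labels each route by the naming scheme in this section and masks the passwords before the output is kept in a build log. The function names and the SAMPLE text are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the installer output above (not real credentials).
SAMPLE = """\
     Login on https://user-admin.3scale-project.example.com as admin/xXxXyz123
      * ADMIN_PASSWORD=xXxXyz123 # generated
      * TENANT_NAME=user
      * MASTER_NAME=master
      * MASTER_PASSWORD=xXxXyz123 # generated
    Access your application via route 'user-admin.3scale-project.example.com'
    Access your application via route 'master-admin.3scale-project.example.com'
    Access your application via route 'backend-user.3scale-project.example.com'
    Access your application via route 'user.3scale-project.example.com'
    Access your application via route 'api-user-apicast-staging.3scale-project.example.com'
"""

PARAM_RE = re.compile(r"^\s*\*\s*([A-Z_]+)=(\S+)", re.M)
ROUTE_RE = re.compile(r"via route '([^']+)'")

def parse_params(text):
    """Return the NAME=value template parameters echoed by the installer."""
    return dict(PARAM_RE.findall(text))

def classify_routes(text):
    """Map each route host to its role using the naming scheme in this section."""
    p = parse_params(text)
    master, tenant = p["MASTER_NAME"], p["TENANT_NAME"]
    hosts = ROUTE_RE.findall(text)
    # OCP_DOMAIN is whatever follows '<MASTER_NAME>-admin.' in the master route.
    prefix = f"{master}-admin."
    domain = next(h[len(prefix):] for h in hosts if h.startswith(prefix))
    known = {
        f"{master}-admin.{domain}": "master admin portal",
        f"{tenant}-admin.{domain}": "tenant admin portal",
        f"{tenant}.{domain}": "tenant AMP route",
    }
    roles = {}
    for h in hosts:
        gateway = h.endswith((f"-apicast-staging.{domain}", f"-apicast-production.{domain}"))
        roles[h] = known.get(h, "APIcast gateway" if gateway else "other")
    return domain, roles

def redact(text):
    """Mask every occurrence of a *_PASSWORD value, including the 'Login on' line."""
    secrets = {v for k, v in parse_params(text).items() if k.endswith("PASSWORD")}
    for s in sorted(secrets, key=len, reverse=True):
        text = text.replace(s, "<REDACTED>")
    return text
```

Redacting by value rather than by parameter name also catches the password repeated in the "Login on" line.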