Multi-Tenancy

Feature Description


ReSTNSX Multi-Tenancy allows administrators to create management portals for users to self manage their NSX objects and policies. When logged in as a tenant, users only see objects to which they have been assigned. For example, Tenant 1 can only see and edit a certain firewall rule section.

Minimum Release: 3.1 
Application: NSX-v, NSX T 
License: Enterprise 
Privilege level: Enterprise Admin

Setup


To view or create a ReSTNSX Tenant, navigate to Tenants from the left navigation menu to open the tenant management portal. On this page, existing tenants from all ReSTNSX defined data sources are displayed. Tenants are sorted by NSX Manager using tabs. Under each tab is a list of all defined tenants.

Tenant Creation


To create a new Tenant, click the Create Tenant button on the top left of the Tenant dashboard. This will open a new window and step through a create tenant wizard for defining settings and permissions of this new tenant.

The following is an example of creating an NSX T Policy-based Tenant.

The first page of the wizard requires a Tenant Name, the selection of a data source and the supporting options.

Tenant names are limited to 50 characters in length with no spaces or special characters.
  • Name – The name entered here is how ReSTNSX will present the tenant name on the dashboard. Additionally, the name used here is the domain in which the user will login to their portal. For example, a user defined under a Tenant named TenantNew will login to their portal as username@tenantnew
  • Organization / Department (optional) – Descriptors for the tenant that will be displayed on their dashboard
  • Location – Which NSX Manager to bind the Tenant to and where all their objects will reside.
  • Object Prefix (NSX-v) – By default, this field is populated with RMT- (for ReSTNSX MultiTenant) followed by the Tenant name. This field can be overwritten. When a Tenant creates an object, these characters are automatically prepended to the object’s name, which lets system administrators recognize Tenant objects in inventory. For NSX-v the prefix is also the alignment mechanism: any object whose name carries this prefix is aligned to the Tenant and automatically shows in the Tenant’s inventory to consume.
  • Object Prefix (NSX T) – By default, this field is populated with RMT- (for ReSTNSX MultiTenant) followed by the Tenant name. This field can be overwritten or left blank. On NSX T the prefix only helps system administrators recognize objects within inventory; it does not affect whether the Tenant can see the object (alignment on NSX T is by tag, described below).
Tenant prefixes are not visible to the Tenant. Only non-Tenant system users see the full object name.
  • NS Group / Security Group – A new or existing NSX Group used as the apply-to of the Tenant’s dFW section. When a Tenant is created this group is created (or referenced) and automatically applied to the new dFW Section for this Tenant.
  • VM Tags (NSX-v) – Tags are used to align Virtual Machines to a Tenant space. When a VM has the Tenant’s VM Tag applied, it automatically shows in the Tenant’s inventory to consume.
  • Security Tags (NSX T) – Tags align every object type to a Tenant, regardless of the object name (object prefix). Any object carrying the Tenant’s tag automatically shows in the Tenant’s inventory to consume. Reference an existing tag using the drop-down or create a new one.
  • Layer 3 Section – The dFW section where the Tenant’s rules are placed and the Security Group apply-to is enforced. Upon creating a Tenant, a new Section named after the Tenant (including the object prefix entered) is created with a default permit any/any rule whose apply-to is the Security Group selected above. Selecting an existing section is only supported in NSX T.
  • Copy Settings – Allows Administrators to copy the Tenant settings (Login Banner, Contact information, etc…) to a new Tenant they are creating. This feature does not currently copy Tenant objects.
Since NSX T supports tags for every object type, any object created with a tag of the Tenant Name and scope of ReSTNSX Multi-Tenant will automatically align to the Tenant space. Every object that is created by a Tenant is automatically assigned their tag and scope.
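To make the two alignment mechanisms concrete, the following is an added example (not ReSTNSX code, and not the product's own matching logic) that models them over a small constructed inventory: NSX-v alignment by object-name prefix, NSX T alignment by tag and scope, and the tenant-facing name with the prefix hidden. The tag scope string is the one the page names; the separator between prefix and object name, the inventory contents and the function names are assumptions for illustration.

```python
# Added example (not ReSTNSX code): a model of the tenant-alignment rules
# described above, run over a small constructed NSX inventory.
from typing import List, Optional

MT_SCOPE = "ReSTNSX Multi-Tenant"   # tag scope the page says ReSTNSX uses on NSX T


def default_prefix(tenant_name: str) -> str:
    """Object Prefix the wizard pre-fills: RMT- followed by the tenant name."""
    return f"RMT-{tenant_name}"


def aligned_nsxv(obj: dict, prefix: str) -> bool:
    """NSX-v: an object is the tenant's when its name carries the tenant prefix."""
    return obj["name"].startswith(prefix)


def aligned_nsxt(obj: dict, tenant_name: str) -> bool:
    """NSX T: alignment is by tag only (tag = tenant name, scope = MT_SCOPE);
    the object name, prefixed or not, plays no part."""
    return any(t.get("scope") == MT_SCOPE and t.get("tag") == tenant_name
               for t in obj.get("tags", []))


def tenant_view_name(name: str, prefix: str) -> str:
    """The prefix is hidden from tenant users; only system users see the full name.
    Assumption: a single '-' separates the prefix from the rest of the name."""
    if not prefix or not name.startswith(prefix):
        return name
    rest = name[len(prefix):]
    return rest[1:] if rest.startswith("-") else rest


def tenant_inventory(objects: List[dict], tenant_name: str, platform: str,
                     prefix: Optional[str] = None) -> List[str]:
    """Objects a tenant user would see, named as the tenant sees them.
    platform is "nsx-v" or "nsx-t"; prefix defaults to the wizard's default."""
    prefix = default_prefix(tenant_name) if prefix is None else prefix
    if platform == "nsx-v":
        visible = [o for o in objects if aligned_nsxv(o, prefix)]
    elif platform == "nsx-t":
        visible = [o for o in objects if aligned_nsxt(o, tenant_name)]
    else:
        raise ValueError(f"unknown platform {platform!r}")
    return [tenant_view_name(o["name"], prefix) for o in visible]


# Constructed inventory (not exported from a real NSX Manager). Tags follow the
# NSX T Policy API's {"scope": ..., "tag": ...} layout.
INVENTORY = [
    {"name": "RMT-TenantNew-web-servers",            # prefixed and tagged
     "tags": [{"scope": MT_SCOPE, "tag": "TenantNew"}]},
    {"name": "shared-dns-servers",                   # no prefix, but tagged
     "tags": [{"scope": MT_SCOPE, "tag": "TenantNew"}]},
    {"name": "RMT-TenantNew-orphan",                 # prefix only, no tag
     "tags": []},
    {"name": "RMT-TenantOld-db-servers",             # another tenant's object
     "tags": [{"scope": MT_SCOPE, "tag": "TenantOld"}]},
    {"name": "TenantNew-lookalike",                  # right tag value, wrong scope
     "tags": [{"scope": "other", "tag": "TenantNew"}]},
    {"name": "RMT-TenantNewer-payroll",              # a tenant whose prefix extends ours
     "tags": [{"scope": MT_SCOPE, "tag": "TenantNewer"}]},
]

if __name__ == "__main__":
    print("NSX-v view:", tenant_inventory(INVENTORY, "TenantNew", "nsx-v"))
    print("NSX T view:", tenant_inventory(INVENTORY, "TenantNew", "nsx-t"))
```

Two results are worth noting. On NSX T, `shared-dns-servers` is visible to TenantNew purely because an administrator tagged it, so applying the tenant tag and scope is an authorization decision, not a labelling convenience. On NSX-v, plain prefix matching in this model also surfaces `RMT-TenantNewer-payroll` to TenantNew (seen as `er-payroll`); the page does not say whether ReSTNSX's own matching requires a separator, so choose tenant names and prefixes that are not prefixes of one another.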

Optional Settings

  • Login Banner – For each Tenant login, a banner of text will be displayed and must be acknowledged to continue to login to the Tenant space.
  • Support Information – Contact details that will be available in the Help button in the Tenant space. This feature allows each Tenant to have their own custom details for contacting an organization’s support team.

The next step is to define a base user and permissions:

New in v4.0 is the ability to align a Tenant user to an AD group.

Scenarios:

  • Local (non-AD) tenant user: the login is username@tenant and “Local Account” is selected.
  • AD user, tenant or otherwise: enter the AD username and select the domain from the dropdown. For an AD user, ReSTNSX searches the user’s group memberships to determine the role. If the user is in a group mapped to a ReSTNSX role, the user is logged in with that role. If no group-to-role mapping matches but the user is in a group mapped to a Tenant, the user is logged in as a user of that Tenant.
  • A Tenant AD user can belong to only one of the AD groups mapped to Tenant users.

To setup Tenant AD integration, perform the following steps:

  1. Configure Active Directory Authentication under Admin > Users and Policy. Enter your domain, LDAP URL and Base DN, and map an AD group to a ReSTNSX role for non-tenant AD access.
  2. On the third page of the Tenant setup wizard, specify a local Tenant admin user account, then select the domain created in the previous step (or Local Accounts Only) from the dropdown list.
  3. Once a domain is selected, enter the AD group names (case sensitive) for the Tenant user and Tenant admin roles.

Once this is complete, the user can log in as a domain user by selecting the domain from the dropdown on the login page.
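The resolution order above (role-mapped group first, tenant-mapped group second, case-sensitive group names, one tenant group per tenant AD user) is easy to get wrong when reviewing who ends up with what. The following is an added example, not ReSTNSX code and not its configuration format, that models that order as described on this page. The mapping tables, group names, domain and the decision to refuse a user who is in more than one tenant group (rather than guess) are this example's assumptions.

```python
# Added example (not ReSTNSX code): a model of the login-resolution order the
# page describes for local and AD accounts. The mapping tables are constructed
# and their layout is assumed, not ReSTNSX's configuration format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Login:
    kind: str               # "system" (non-tenant role) or "tenant"
    principal: str
    role: str
    tenant: Optional[str] = None


# AD group -> ReSTNSX role, configured under Admin > Users and Policy (step 1).
ROLE_GROUPS: Dict[str, str] = {"ReSTNSX-Admins": "Enterprise Admin"}

# AD group -> (tenant, tenant role), entered on the wizard's third page (step 3).
TENANT_GROUPS: Dict[str, Tuple[str, str]] = {
    "TenantNew-Users":  ("TenantNew", "Tenant User"),
    "TenantNew-Admins": ("TenantNew", "Tenant Admin"),
    "TenantOld-Users":  ("TenantOld", "Tenant User"),
}

# (tenant name lower-cased, username) -> (tenant, role) for "Local Account" logins.
LOCAL_ACCOUNTS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("tenantnew", "tadmin"): ("TenantNew", "Tenant Admin"),
    ("tenantnew", "alice"):  ("TenantNew", "Tenant User"),
}


def resolve_local(login: str) -> Login:
    """Local tenant login uses username@tenant. The page shows the tenant part
    lower-cased (TenantNew -> @tenantnew), so it is matched case-insensitively."""
    if "@" not in login:
        raise PermissionError("local tenant logins use the username@tenant form")
    user, tenant = login.rsplit("@", 1)
    entry = LOCAL_ACCOUNTS.get((tenant.lower(), user))
    if entry is None:
        raise PermissionError(f"no local account {login!r}")
    canonical_tenant, role = entry
    return Login("tenant", login, role, canonical_tenant)


def resolve_ad(username: str, domain: str, member_of: List[str]) -> Login:
    """AD login: a group mapped to a ReSTNSX role wins; otherwise a group mapped
    to a tenant. Group names match case-sensitively, as the page states. A user
    in more than one tenant group is refused here rather than guessed."""
    principal = f"{domain}\\{username}"
    roles = sorted({ROLE_GROUPS[g] for g in member_of if g in ROLE_GROUPS})
    if len(roles) > 1:
        raise PermissionError(f"{principal} maps to several roles: {roles}")
    if roles:
        return Login("system", principal, roles[0])
    tenants = sorted({TENANT_GROUPS[g] for g in member_of if g in TENANT_GROUPS})
    if not tenants:
        raise PermissionError(f"{principal} is in no group mapped to a role or tenant")
    if len(tenants) > 1:
        raise PermissionError(f"{principal} is in several tenant groups: {tenants}")
    tenant, role = tenants[0]
    return Login("tenant", principal, role, tenant)


if __name__ == "__main__":
    print(resolve_local("alice@tenantnew"))
    # Role-mapped group wins even though bob is also in a tenant group.
    print(resolve_ad("bob", "corp.example", ["Domain Users", "ReSTNSX-Admins", "TenantNew-Users"]))
    print(resolve_ad("carol", "corp.example", ["Domain Users", "TenantNew-Admins"]))
```

The `bob` case is the one to audit for: an AD user who is in both a role-mapped group and a tenant-mapped group lands in the system role, not the tenant space, so membership in a role-mapped group bypasses tenant scoping entirely. The lower-cased `tenantnew-users` case shows why a case mismatch in step 3 silently yields no access rather than a warning.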

  • Administrator – The username entered here is the Tenant administrator. This user logs in to the Tenant space with the same permissions as the other Tenant users, except that this individual can add and remove other Tenant users.
  • Permissions – Select one or more areas to grant access to within the Tenant space. In this example, all users in this Tenant space, regardless of their system-level permissions, can only manage their dFW policies.
The permissions apply to the Tenant Admin and to all users defined in the Tenant space.
Permissions can be changed after Tenant creation by the Enterprise Administrator: navigate to the Tenant Dashboard and select the Edit icon next to the Tenant Name.

Upon clicking Create Tenant, ReSTNSX creates or references the NSX objects defined in Step 1 of the Create Wizard. The Tenant is now fully provisioned and can be seen on the Tenant Admin Dashboard

In our example using NSX T Policy, a new NS Group was created using the specified prefix and assigned membership criteria to auto-align NSX objects to the group. This group is used as the apply-to in dFW.

Tenant Login (Enterprise Administrator)


As an Enterprise Administrator of ReSTNSX, full permissions to the Tenant space are granted without having to log in to the Tenant space. Clicking the Tenant Name on the Tenant Dashboard simulates a Tenant login but with full permissions. In this mode, objects and policies can be managed with no restrictions, and the main system menus remain accessible, as shown on the left in the screenshot below:

Tenant Login (User)


Tenant users connect to the same IP / FQDN as the main ReSTNSX appliance. The login credentials will restrict their access to only the previously defined Tenant space. In this example, the Tenant Admin is logging in by using the username@tenantname syntax.

Upon login, the user is presented with a similar dashboard as seen through the Enterprise Administrator view but is limited to the functionality previously defined. In this example, only dFW management was enabled. Note the absence of the main system links on the left menu and data source selection.

Tenant users are provided a query pull-out tab in the upper left that is similar to the main system query, except that the results are filtered to show only items that belong to this particular Tenant space.

Navigating to the Firewall management section reveals only this Tenant’s Section. In this example, the default permit any/any is present but is not editable by the user. Additionally, the apply-to is hidden.

The default Tenant rule must keep the name ‘Tenant-Default’ to remain read-only to the Tenant: the read-only protection is keyed on that name. If the name is changed, the Tenant will be able to modify and move the rule within the same section. The apply-to is neither visible nor editable by the Tenant.

When a user adds a new rule, it is automatically placed above the default Tenant rule. The edit options for source, destination, services and context profiles (where applicable) are filtered to show only the objects aligned to the Tenant: for NSX-v, objects carrying the Tenant prefix; for NSX T, objects carrying the Tenant tag and scope.
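The two preceding paragraphs describe three properties an Enterprise Administrator will want to verify before and after handing a section to a tenant: the read-only default rule keeps its exact name, tenant rules sit above it, and the tenant group remains the apply-to. The following is an added example (not ReSTNSX code, and not NSX's API format) that models the tenant's add-rule path as the page describes it and provides an audit function for the rename hazard. Section and rule layout, field names and the sample objects are assumptions for illustration.

```python
# Added example (not ReSTNSX code): a model of the tenant dFW section rules the
# page describes, with an audit check for the rename hazard noted above. Section
# and rule layout are assumed for illustration, not NSX's API format.
from typing import List, Set

DEFAULT_RULE_NAME = "Tenant-Default"   # the name that keeps the default rule read-only
ANY = "any"


def make_tenant_section(section_name: str, tenant_group: str) -> dict:
    """Section as the wizard creates it: one permit any/any rule named
    Tenant-Default, applied to the tenant's NS/Security Group."""
    return {
        "name": section_name,
        "applied_to": [tenant_group],
        "rules": [{"name": DEFAULT_RULE_NAME, "source": [ANY], "destination": [ANY],
                   "services": [ANY], "action": "ALLOW", "applied_to": [tenant_group]}],
    }


def tenant_may_edit(rule: dict) -> bool:
    """Read-only protection is keyed on the rule name, exactly as the page states."""
    return rule["name"] != DEFAULT_RULE_NAME


def add_tenant_rule(section: dict, rule: dict, tenant_objects: Set[str]) -> None:
    """Tenant adds a rule: references must be tenant-aligned objects (or any),
    the apply-to is inherited from the section (tenants cannot set it), and the
    rule is inserted directly above Tenant-Default."""
    for field in ("source", "destination", "services"):
        for ref in rule.get(field, [ANY]):
            if ref != ANY and ref not in tenant_objects:
                raise PermissionError(f"{field} references {ref!r}, outside the tenant space")
    new = {**rule, "applied_to": list(section["applied_to"])}
    rules = section["rules"]
    idx = next((i for i, r in enumerate(rules) if r["name"] == DEFAULT_RULE_NAME), len(rules))
    rules.insert(idx, new)


def audit_tenant_section(section: dict, tenant_group: str) -> List[str]:
    """Findings an Enterprise Administrator would want: a renamed default rule
    (now editable by the tenant), rules shadowed below the permit any/any, and
    any rule whose apply-to drifted away from the tenant group."""
    findings = []
    rules = section["rules"]
    positions = [i for i, r in enumerate(rules) if r["name"] == DEFAULT_RULE_NAME]
    if not positions:
        findings.append("Tenant-Default rule missing or renamed; tenant can edit and move it")
    elif positions[0] != len(rules) - 1:
        below = [r["name"] for r in rules[positions[0] + 1:]]
        findings.append(f"Tenant-Default is not last; rules below it are shadowed: {below}")
    for r in rules:
        if r.get("applied_to") != [tenant_group]:
            findings.append(f"rule {r['name']!r} apply-to {r.get('applied_to')} != [{tenant_group!r}]")
    return findings


if __name__ == "__main__":
    sec = make_tenant_section("RMT-TenantNew-section", "RMT-TenantNew-group")
    add_tenant_rule(sec, {"name": "web-in", "source": [ANY], "destination": ["web-servers"],
                          "services": ["HTTPS"], "action": "ALLOW"}, {"web-servers", "HTTPS"})
    print([r["name"] for r in sec["rules"]], audit_tenant_section(sec, "RMT-TenantNew-group"))
```

Run the audit from the Enterprise Administrator side after any manual edit to a tenant section: the simulated-login mode described above has no restrictions, so a rename of `Tenant-Default` made there is exactly the change that silently hands the rule to the tenant.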

Removing Tenants


To delete a Tenant, click the red x next to the Tenant Name on the main Tenant Dashboard. Clicking this link opens the deletion page. Upon deletion, any object created by ReSTNSX for this Tenant or by the Tenant’s users is removed from NSX Manager.
