Multi-Tenancy CLI
With multi-tenancy, managing the cluster and managing individual projects (tenants) require separate authentication and authorization. The project is the basic security boundary: cluster management and project management are distinct entities with distinct roles.
As part of multi-tenancy authentication and authorization:
- All API/CLI commands have strict permission handling.
- API access and JWT token generation are integrated into lbcli.
- Sign-in requires a JWT bearer token signed with a public/private key pair; the cluster verifies it against a registered public key.
- All API traffic requires TLS encryption.
- There is an audit trail for all API/CLI actions.
Role Based Access Control (RBAC) for multi-tenancy includes the following roles:
- Cluster Admin
- Cluster Viewer
- Tenant Admin
- Tenant Viewer
Multi-Tenancy and Lightbits
Multi-tenancy features close integration with the Lightbits Kubernetes CSI plug-in, including:
- One or more K8s clusters per tenant.
- One or more K8s namespaces per tenant within a K8s cluster.
- Fine-grained tenant separation based on K8s security within a K8s namespace.
The Lightbits K8s plugin features CSI credentials handling as well, including:
- Full support for centralized and secure storage provider credentials handling, rotation, and revocation.
- Credentials (JWTs) stored as K8s “secrets”.
- CSI sidecars that provide the CSI plugin with the right JWT for every CSI call.
OpenStack integration is only with a single tenant.
Multi-tenancy separation applies to the control path only; the data path is controlled separately via volume ACLs and IP ACLs.
JWTs carry an expiration (30 days by default) that can be set as desired.
For single tenants, the cluster admin JWT can be used for all actions.
Make a note of the system:cluster-admin JWT generated by the installation (it differs for every installation; the value below is only an example). It grants full cluster-admin rights, so store and handle it as you would a root credential.
$ export SYSTEMJWT=eyJhb...s4u-w
Key Features
"Projects" (tenants) support
- Strict separation at the API/CLI level (resource names, visibility).
- Lightbits API/CLI management by admins separate from tenants' access.
Authentication (authN)
- All accesses are authenticated by public-key-signed JWT bearer tokens.
- Integration with K8s secrets management, LB CSI plugin.
- API access JWT tokens generation integrated into lbcli.
Authorization (authZ)
- Every API/CLI action explicitly authorized by the policy module.
Role Based Access Control (RBAC)
- Access rights are granted based on one or more roles assigned to an account.
- Roles are assigned from a small set of predefined roles.
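The roles listed above (Cluster Admin, Cluster Viewer, Tenant Admin, Tenant Viewer) and the "every action is explicitly authorized by the policy module" rule can be made concrete with a small policy check. The following is an added example written for this page, not Lightbits' policy module: it models roles in the "<scope>:<role>" form the CLI uses (system:cluster-admin, myproj:admin, myproj:viewer), treats "system:cluster-viewer" as the assumed spelling of the Cluster Viewer role, and assumes that viewer roles cover only the "get" and "list" verbs. The interesting cases are the tenant-boundary ones: a myproj:admin cannot even list volumes in another tenant's project, and cannot create projects, which is a cluster-scoped action.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is one API/CLI request: a verb on a resource owned by a project, or on a
// cluster-scoped resource (Project == "") such as the projects themselves.
type Action struct {
	Verb    string // "create", "list", "get", "delete", ...
	Project string // owning project (tenant), "" if cluster-scoped
}

// Verbs a viewer role may use. Assumption for this example: the page only says
// viewer roles exist, not which verbs they cover.
var readOnly = map[string]bool{"get": true, "list": true}

// Authorize models the policy check every API/CLI action passes through. Roles use
// the "<scope>:<role>" form seen on the page (system:cluster-admin, myproj:admin,
// myproj:viewer); "system:cluster-viewer" is the assumed spelling of Cluster Viewer.
// It returns the decision and the role that granted it (empty on deny).
func Authorize(roles []string, a Action) (bool, string) {
	for _, r := range roles {
		parts := strings.SplitN(r, ":", 2)
		if len(parts) != 2 || parts[0] == "" {
			continue // malformed role: fail closed
		}
		scope, role := parts[0], parts[1]
		switch {
		case scope == "system" && role == "cluster-admin":
			return true, r // cluster admin: everything, in every project
		case scope == "system" && role == "cluster-viewer" && readOnly[a.Verb]:
			return true, r
		case scope != "system" && scope == a.Project && role == "admin":
			return true, r // tenant admin: full rights, but only inside its own project
		case scope != "system" && scope == a.Project && role == "viewer" && readOnly[a.Verb]:
			return true, r
		}
	}
	return false, "" // no role matched: deny
}

// Decisions runs the page's scenario (project myproj with a project:admin and a
// project:viewer token, another tenant's project "b") through Authorize.
func Decisions() map[string]bool {
	admin := []string{"myproj:admin"}
	viewer := []string{"myproj:viewer"}
	root := []string{"system:cluster-admin"}
	cases := map[string]struct {
		roles []string
		act   Action
	}{
		"admin creates volume in myproj":   {admin, Action{"create", "myproj"}},
		"viewer lists volumes in myproj":   {viewer, Action{"list", "myproj"}},
		"viewer creates volume in myproj":  {viewer, Action{"create", "myproj"}},
		"admin lists volumes in project b": {admin, Action{"list", "b"}},
		"admin creates a project":          {admin, Action{"create", ""}},
		"cluster-admin creates a project":  {root, Action{"create", ""}},
		"cluster-admin lists volumes in b": {root, Action{"list", "b"}},
	}
	out := make(map[string]bool, len(cases))
	for name, c := range cases {
		out[name], _ = Authorize(c.roles, c.act)
	}
	return out
}

func main() {
	for name, allowed := range Decisions() {
		fmt.Printf("%-34s %v\n", name, allowed)
	}
}
```

The check fails closed: a role string that does not parse grants nothing, and an account with no matching role is denied rather than falling through to some default.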
Common Multi-Tenancy CLI Examples
Create a new project (as cluster-admin). Note the TLS-encrypted endpoint (https, port 443) and the use of the system:cluster-admin JWT; every call to the cluster below goes over https and carries a JWT.
[server00]:~# lbcli --jwt $SYSTEMJWT --endpoint https://localhost:443 create project --name myproj --description "my project"
Name    Description
myproj  my project
List projects (as cluster-admin):
[server00]:~# lbcli --jwt $SYSTEMJWT --endpoint https://localhost:443 list projects
Name     Description
default  This is the default project description
a        a description
b        b description
myproj   my project
Create an RSA key pair for RS256-signed JWTs. The private key stays with the tenant and only the public key (mykey.pem) is uploaded to Lightbits. Note that -N "" leaves the private key unencrypted on disk, so restrict access to the key directory accordingly:
[server00]:~# mkdir -p ${HOME}/.lightos_keys && ssh-keygen -t rsa -f ${HOME}/.lightos_keys/mykey -q -N "" -m PKCS8 && openssl rsa -in ${HOME}/.lightos_keys/mykey -pubout -out ${HOME}/.lightos_keys/mykey.pem
writing RSA key
[server00]:~# ls ${HOME}/.lightos_keys
mykey  mykey.pub  mykey.pem
Create the first credential in the project (as cluster-admin). The credential registers the public key only:
[server00]:~# lbcli --jwt $SYSTEMJWT --endpoint https://localhost:443 create credential --id=c1 --project-name myproj --type rsa256pubkey ${HOME}/.lightos_keys/mykey.pem
ID  Type
c1  RS256PubKey
List credentials in the project (as cluster-admin):
[server00]:~# lbcli --jwt $SYSTEMJWT --endpoint https://localhost:443 list credentials --project-name myproj
ID  Type
c1  RS256PubKey
Create a project:admin JWT for the new project. The token is signed locally with the private key, so this step needs neither an endpoint nor an existing JWT; --key-id names the credential (project:credential-id) whose registered public key the cluster will use to verify the signature:
[server00]:~# lbcli create jwt --key-id myproj:c1 --key ${HOME}/.lightos_keys/mykey --role myproj:admin --issuer=root@example.com --subject=tenant-1
eyJh...Nmsw
[server00]:~# export MYPROJADMINJWT=eyJh...Nmsw
Create a volume in the project as project:admin:
[server00]:~# lbcli --jwt $MYPROJADMINJWT --endpoint https://localhost:443 create volume --name vol1 --size 1G --replica-count 3 --acl ALLOW_NONE --project-name myproj
Name  UUID                                  State     Protection State  NSID  Size     Replicas  Compression  ACL                  Rebuild Progress
vol1  cdf25ac7-3829-4865-bad6-befa1ded877b  Creating  Unknown           0     954 MiB  3         false        values:"ALLOW_NONE"
Create a project:viewer JWT for the new project:
[server00]:~# export MYPROJVIEWERJWT=`lbcli create jwt --key-id myproj:c1 --key ${HOME}/.lightos_keys/mykey --role myproj:viewer`
List volumes in the project as project:admin or project:viewer:
[server00]:~# lbcli --jwt $MYPROJADMINJWT --endpoint https://localhost:443 list volumes --project-name myproj
Name  UUID                                  State      Protection State  NSID  Size     Replicas  Compression  ACL                  Rebuild Progress
vol1  cdf25ac7-3829-4865-bad6-befa1ded877b  Available  FullyProtected    1     954 MiB  3         false        values:"ALLOW_NONE"  None
[server00]:~# lbcli --jwt $MYPROJVIEWERJWT --endpoint https://localhost:443 list volumes --project-name myproj
Name  UUID                                  State      Protection State  NSID  Size     Replicas  Compression  ACL                  Rebuild Progress
vol1  cdf25ac7-3829-4865-bad6-befa1ded877b  Available  FullyProtected    1     954 MiB  3         false        values:"ALLOW_NONE"  None
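The credential and JWT steps above rely on one mechanism: the tenant signs a token with its private key, and the cluster verifies it with the public key registered under the --key-id. The following is an added example written for this page, not lbcli's or Lightbits' code, that implements that round trip with the Go standard library. The claim names (iss, sub, roles, exp) and the use of the JWT "kid" header for the project:credential-id are assumptions; the page does not document the exact token layout lbcli emits. It mints a myproj:admin token like the one exported as MYPROJADMINJWT, verifies it, and then shows the three rejections a practitioner should expect: a token forged with a different key under the same key-id, a token whose credential has been revoked, and a token past its 30-day expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by the token. Claim names are assumptions: the page does not document lbcli's layout.
type Claims struct {
	Iss   string   `json:"iss"`   // --issuer
	Sub   string   `json:"sub"`   // --subject
	Roles []string `json:"roles"` // --role, e.g. "myproj:admin"
	Exp   int64    `json:"exp"`   // expiry; 30 days is the page's default
}

// Header names the credential (--key-id) whose public key verifies the token.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"` // "<project>:<credential-id>", e.g. "myproj:c1"
}

var enc = base64.RawURLEncoding

// MintJWT does what "lbcli create jwt" does: RS256-sign header.payload with
// the tenant's private key. No cluster access is needed for this step.
func MintJWT(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "RS256", Kid: kid}) // fixed structs: Marshal cannot fail
	p, _ := json.Marshal(c)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyJWT is the cluster-side check: kid must name a registered credential, the
// RS256 signature must verify under that public key, and the token must not be
// expired. Deleting a credential from the store thus revokes every token minted with it.
func VerifyJWT(token string, creds map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hb, err1 := enc.DecodeString(parts[0])
	pb, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var h Header // pin RS256: never let the token choose "none" or an HMAC alg
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	pub, ok := creds[h.Kid]
	if !ok { return nil, fmt.Errorf("unknown or revoked credential %q", h.Kid) }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil { return nil, err }
	if !now.Before(time.Unix(c.Exp, 0)) { return nil, errors.New("token expired") }
	return &c, nil
}

// Demo replays the page's flow (credential myproj:c1, a myproj:admin token) and
// then shows three rejections: forged with another key, credential revoked, expired.
func Demo() (roles []string, forged, revoked, expired error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)     // the tenant's mykey
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // a key never registered with the cluster
	creds := map[string]*rsa.PublicKey{"myproj:c1": &priv.PublicKey} // what "create credential" stores
	now := time.Now()
	claims := Claims{Iss: "root@example.com", Sub: "tenant-1",
		Roles: []string{"myproj:admin"}, Exp: now.Add(30 * 24 * time.Hour).Unix()}
	tok, _ := MintJWT(priv, "myproj:c1", claims)
	c, err := VerifyJWT(tok, creds, now)
	if err != nil { panic(err) }
	roles = c.Roles
	bad, _ := MintJWT(attacker, "myproj:c1", claims) // right kid, wrong key
	_, forged = VerifyJWT(bad, creds, now)
	delete(creds, "myproj:c1") // revoke the credential
	_, revoked = VerifyJWT(tok, creds, now)
	creds["myproj:c1"] = &priv.PublicKey
	_, expired = VerifyJWT(tok, creds, now.Add(31*24*time.Hour)) // past the 30-day exp
	return roles, forged, revoked, expired
}

func main() {
	roles, forged, revoked, expired := Demo()
	fmt.Println("roles:", roles, "| forged:", forged, "| revoked:", revoked, "| expired:", expired)
}
```

Two design points carry over to any verifier of these tokens: the algorithm is pinned server-side rather than read from the token, and the key is looked up by the credential id in the cluster's own store, which is what makes "delete the credential" an effective revocation of every token it ever signed.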