Multi-Tenant Function
With multi-tenancy, managing the cluster and managing individual projects (tenants) require separate authentication and authorization. The project is the basic security boundary: cluster management and project management are separate entities.
Lightbits supports multiple projects, which is how multi-tenant scenarios are served. Each tenant can own one or more projects, and isolation is achieved by granting different management permissions on different projects. The Cluster Admin has the authority to manage and access all projects. The related concepts are introduced below.
Projects (Tenants) Support:
- Strict management isolation at the API/CLI level (resource names, visibility, etc.)
Authentication (authN):
- All management access must be authenticated with a JWT bearer token signed by a private key whose public key is registered as a credential.
- Through the Lightbits CSI plugin, these credentials can be supplied from the Kubernetes (K8S) secrets management interface.
Authorization (authZ):
- Each API/CLI operation is explicitly authorized by the policy module.
Role Based Access Control (RBAC):
- Access rights are granted to accounts based on predefined roles.
- A role is a predefined set of permissions. Admin and Viewer are currently supported.
Create two different projects with the following commands.
lbcli create project --name test-proj-a --description "test project A"
lbcli create project --name test-proj-b --description "test project B"
View the projects.
lbcli list projects
Create a new RSA public/private key pair (used for RS256 signing).
mkdir -p ${HOME}/.lightos_proj_a_keys && ssh-keygen -t rsa -f ${HOME}/.lightos_proj_a_keys/projakey -q -N "" -m PKCS8 && openssl rsa -in ${HOME}/.lightos_proj_a_keys/projakey -pubout -out ${HOME}/.lightos_proj_a_keys/projakey.pem
ls ${HOME}/.lightos_proj_a_keys
projakey projakey.pem projakey.pub
Create an access credential for Project A (as cluster-admin).
lbcli --endpoint https://localhost:443 create credential --id=c1 --project-name test-proj-a --type rsa256pubkey ${HOME}/.lightos_proj_a_keys/projakey.pem
ID Type
c1 RS256PubKey
Create a JWT with project:admin permissions for the project test-proj-a.
lbcli create jwt --key-id test-proj-a:c1 --key ${HOME}/.lightos_proj_a_keys/projakey --role test-proj-a:admin --issuer=root@example.com --subject=tenant-1
You will get a JWT. Its contents look similar to "eyJhbGciOiJSU…".
export PROJAADMINJWT=eyJhbGciOi…
Create a few volumes as project:admin. Note that if alias lbcli='lbcli --jwt $LIGHTOS_JWT' has been defined in .bashrc, temporarily reset it so the project JWT passed on the command line is the one used:
alias lbcli='lbcli'
lbcli --jwt $PROJAADMINJWT create volume --name vol1 --size 1G --replica-count 1 --acl ALLOW_NONE --project-name test-proj-a
lbcli --jwt $PROJAADMINJWT create volume --name vol2 --size 2G --replica-count 2 --acl ALLOW_NONE --project-name test-proj-a
lbcli --jwt $PROJAADMINJWT create volume --name vol3 --size 3G --replica-count 2 --acl ALLOW_NONE --project-name test-proj-a
View these volumes.
lbcli --jwt $PROJAADMINJWT list volumes --project-name test-proj-a
Create a project:viewer JWT for project test-proj-a.
lbcli create jwt --key-id test-proj-a:c1 --key ${HOME}/.lightos_proj_a_keys/projakey --role test-proj-a:viewer
You will get a JWT. Its contents look similar to "eyJhbGciOiJS…".
export PROJAVIEWERJWT=eyJhbGciOi...
List the volumes in the project as project:viewer.
lbcli --jwt $PROJAVIEWERJWT list volumes --project-name test-proj-a
Try to create a volume with the Viewer JWT. The policy module rejects this, because the Viewer role only grants viewing permissions.
lbcli --jwt $PROJAVIEWERJWT create volume --name vol4 --size 4G --replica-count 2 --acl ALLOW_NONE --project-name test-proj-a
Do the same for Project B and create the corresponding Admin and Viewer JWTs.
Use the JWTs of the different users to access projects A and B. This confirms that the administrator of Project A can only manage/view the volume resources of Project A, that the administrator of Project B can only manage/view the volume resources of Project B, and that a Viewer can only view.
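To show what the policy module has to decide for the RBAC concepts above and for the Admin/Viewer walkthrough, here is an added toy policy check (example code, not Lightbits' own implementation). It assumes the claim names (roles, iss, sub, exp), the operation names, a cluster:admin role string and a kid of the form project:credential-id; the signature part of the constructed tokens is a placeholder, and a real policy module only consults these claims after RS256 signature verification against the registered credential has succeeded.

```python
import base64
import json
import time

# Permission sets per role; the page names Admin and Viewer (operation names are assumed).
ROLE_PERMISSIONS = {
    "admin": {"list volumes", "create volume", "delete volume"},
    "viewer": {"list volumes"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(kid, roles, issuer, subject, ttl=3600, now=None):
    """Constructed JWT carrying the claims that lbcli create jwt takes on the command line.
    The third segment is a placeholder: a real token is RS256-signed with the private key."""
    now = now if now is not None else time.time()
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "sub": subject, "roles": roles, "iat": int(now), "exp": int(now) + ttl}
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode()), "SIGNATURE"])

def split_token(token):
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def authorize(token, operation, project, now=None):
    """Return (allowed, reason). Assumes the signature was already verified against the
    credential named by the header's kid (assumed format '<project>:<credential-id>')."""
    now = now if now is not None else time.time()
    header, claims = split_token(token)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    kid_project, _, _cred_id = header.get("kid", "").partition(":")
    for role in claims.get("roles", []):
        role_project, _, role_name = role.partition(":")
        if role_project != kid_project:
            continue  # role claims a project the signing credential is not scoped to
        if role_project == "cluster" and role_name == "admin":
            return True, "cluster admin"  # Cluster Admin spans all projects (assumed role string)
        if role_project != project:
            continue  # strict project isolation: a Project A role says nothing about Project B
        if operation in ROLE_PERMISSIONS.get(role_name, set()):
            return True, role
    return False, f"no role grants '{operation}' on project {project}"
```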