User authorization

Multi-tenancy

Introduction

Multi-tenancy allows you to configure Flex to restrict visibility of Flink resources.

See the article How to manage Kafka visibility with Multi-tenancy for an overview.

About tenants

A tenant restricts the set of Flink resources that are accessible to a user role from all the resources available to Flex. A user role may be assigned multiple tenants.

When operating within a tenant a user can only see resources included by that tenant, they will also see a fully consistent synthetic cluster-view of their aggregated resources.

The overall user experience is simply of a restricted set of Flink resources as if they were truly the only resources in the system.

A user can only create resources valid to their tenant.

Tenant configuration is defined within your Role Based Access Configuration YAML file.

A tenant can:

  • Include or exclude Flink jobs by name, prefix, or suffix, e.g. payyments-job, payments*, *-job
  • Include or exclude Flink JARs by name, prefix, or suffix, e.g. payments-jar, payments*, *-jar
  • Include or exclude full resources, e.g Flink clusters
  • Be assigned to one or many user roles

Resource evaluation

A tenant determines what resources are visible with the following logic:

  • Initially, all resources are implicitly excluded.
  • Explicitly included resources are added.
  • Inferred resources are added.
  • Exclusions are applied last.

Multi-tenancy use cases

The primary use for multi-tenancy is to provide different views of Flink resources to different teams within your organisation.

Consider a Flex that is connected to three Flink clusters (Dev, UAT, Prod), each having roughly 50 jobs each.

You can create tenants that:

  • Contain Flink resources connected to or within Dev and UAT (or any combination of clusters)
  • Contain specific jobs or jars. E.g my-job or my-jo*
  • Any combination of the above.

The secondary use is to exclude jobs and jars of no interest to your organisation or team.

Configuration

Within your RBAC yaml configuration file you can specify a top-level tenants key:

This configuration matches the default tenants that Flex provides if you have none configured.

tenants:
  - name: "Global"
    description: "All configured Flink resources."
    resources:
      - include:
          - [ "*" ]
    roles:
      - "*"
  - name: "ReferralDeliveryJobs"
    description: "All configured Flink resources belonging to the Referral Delivery team."
    resources:
      - include:
          - [ "flink", "*", "flink-job", "ReferralDelivery_*" ]
          - [ "flink", "*", "flink-jar", "ReferralDelivery_*" ]
    roles:
      - "*"

Fields

Each tenant is configured with a name, description, resources, and roles.

name

KeyRequiredTypeDescription
nameYStringThe name of the tenant.

The name field will be the assigned name of the tenant used within Flex's UI. It must be unique.

description

KeyRequiredTypeDescription
descriptionNStringThe description of the tenant.

The optional description field will be used within Flex's UI as a description when switching tenants.

resources

KeyRequiredTypeDescription
resourcesYListA list of resources either included or excluded for this tenant.

The resources field defines which resources are either included or excluded for this tenant.

Each item in the list is a map of either include: [resource...] or exclude: [resouce...]

Where the resource refers to the path of the object you wish to include/exclude.

For example: ["flink", "*", "flink-job", "tx_*"]refers to any job matching tx_*for any Flink cluster defined in Flex.

Possible resources:

  • ["flink", "*", "flink-job|flink-jar", "...."]

roles

KeyRequiredTypeDescription
rolesYListThe list of roles assigned to this tenant.

The roles field describes which roles (specified by your auth provider) are assigned to this tenant.

For more details about resources refer to the RBAC documentation.