You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@nifi.apache.org by LOPEZ Adalberto <ad...@hexagon.com> on 2022/11/15 08:33:25 UTC

Isolate tenants in a multi-tenant environment

Hi everyone!

I was not sure which email to use, my apologies if I'm not using the correct one, but I wanted to reach out and ask if there's a way to completely isolate tenants in a multi-tenant environment.

Right now, in a multi-tenant environment you create a process group for each tenant, and you restrict access so only users for a tenant can work within their process group, but users not belonging to the same process group will see these ghosted components which is no good for us.

Is there a way to redirect users directly to the process group they belong after they log in with no ability to navigate to a higher level?

We don't want users to see or navigate thru process groups they don't belong to, including the root process group.

Can you configure NiFi to work this way?

Any help or guidance is greatly appreciated!

Respectfully,
Adalberto Lopez

Re: Isolate tenants in a multi-tenant environment

Posted by Daniel Chaffelson <ch...@gmail.com>.

HI Adalberto,
I'll respond on the users list and remove the dev list.

Generally speaking, you cannot do what you are asking with Authz controls
within a single NiFi cluster - but also, you probably wouldn't want to in
the long run either.
Even if you successfully hid tenantA from tenantB with Authz controls, they
would still be sharing physical infrastructure and run into noisy neighbor
problems with cpu, mem, network, disk & logging - which cannot be
segregated within a single NiFi cluster currently.

Making a few assumptions about your unstated requirements, a more typical
solution here would be to containerise a nifi cluster for each tenant.
This would give you the separated UI you ask for, and also give you better
control on noisy neighbor issues while retaining good hardware utilisation
in most cases, and better ability to reason about performance issues and
errors without impacting other tenants.

Cheers,
Dan.

On Tue, Nov 15, 2022 at 8:33 AM LOPEZ Adalberto <ad...@hexagon.com>
wrote:

> Hi everyone!
>
> I was not sure which email to use, my apologies if I'm not using the
> correct one, but I wanted to reach out and ask if there's a way to
> completely isolate tenants in a multi-tenant environment.
>
> Right now, in a multi-tenant environment you create a process group for
> each tenant, and you restrict access so only users for a tenant can work
> within their process group, but users not belonging to the same process
> group will see these ghosted components which is no good for us.
>
> Is there a way to redirect users directly to the process group they belong
> after they log in with no ability to navigate to a higher level?
>
> We don't want users to see or navigate thru process groups they don't
> belong to, including the root process group.
>
> Can you configure NiFi to work this way?
>
> Any help or guidance is greatly appreciated!
>
> Respectfully,
> Adalberto Lopez
>