Multitenancy in WSO2 APIM 3.1.0
In this article, we will go through the Multitenancy feature in WSO2 APIM 3.0.
Introduction
Multitenancy’s purpose is to maximize resource sharing by allowing multiple users (tenants) to log in and use a single server/cluster at the same time, in a tenant-isolated manner. That is, each user is given the experience of using its own server, rather than a shared environment. Multitenancy ensures optimal performance of the system's resources such as memory and hardware and also secures each tenant's data.
A tenant in WSO2 API Manager is a separate business level entity, such as a department, group, or any other logically separable domain.
This feature is useful for a business with multiple departments or partners, where it minimizes cost and provides better administration.
Users can carry out tasks such as managing APIs/services, deploying artifacts, applying security, managing users, managing data, throttling requests, and caching responses within their tenant space, which is isolated from other tenants.
Implementation
Adding Tenant: For this POC, we are considering Infosys as the organization. Within Infosys, we have several departments. Let’s consider the Finance and HR departments. We will add 2 new tenants for them.
1. Log in to the WSO2 APIM Management Console (https://hostname:9443/carbon/admin/login.jsp) with admin credentials (Username: admin, Password: admin).
2. Go to the path Home-> Configure-> Multitenancy-> Add New Tenant and add a new tenant for the Finance Dept. as below. Click on Save.
Domain: infyfinance.com
Select Usage Plan For Tenant: Demo (For on-premises deployment, there is only one default plan, i.e., Demo.)
First Name: FN
Last Name: LN
Admin Username: fnadmin
Admin Password: fnadmin
Email:
3. Similarly, create another tenant for the HR Dept. as below.
Domain: infyhr.com
Select Usage Plan For Tenant: Demo (For on-premises deployment, there is only one default plan, i.e., Demo.)
First Name: FN
Last Name: LN
Admin Username: hradmin
Admin Password: hradmin
Email:
4. We can see the 2 new tenants created as below. From here, we can deactivate a tenant or edit its details.
API Creation: Let’s create 2 dummy APIs, one for the Finance dept. and another for the HR dept., using WSO2 API Publisher. With the Multitenancy feature of WSO2, the Finance and HR departments can have their dedicated server experience by logging into the Publisher with their credentials created in the earlier steps.
1. Log in to WSO2 API Publisher (https://hostname:9443/publisher/) with the Finance dept. credentials (Username: , Password: fnadmin) as shown below.
2. Create a dummy REST API with some dummy values as shown below and click on Create.
3. The API gets created as shown below.
NOTE: /t/infyfinance.com is automatically prefixed to the API context, even though we didn’t provide it in the previous step of API creation. This prefix lets us identify the owning tenant, which is the Finance dept. in this case.
4. Go to the Subscriptions page. The subscription availability drop-down offers 3 options. The first is “Available to the current tenant only”, which means that only the Finance dept. tenant (infyfinance.com) can subscribe to this API. The second is “Available to all the tenants”, which means all the active tenants can subscribe. The last one is “Available to specific tenants”, wherein we can mention the tenants that can subscribe to this API. Let’s select the 1st option as shown below and click on Save.
5. Go to the Endpoints section, add any dummy backend REST endpoint as shown below, and click on Save. As this POC is for Multitenancy, we need not bother about the correctness of the API or endpoints.
6. Go to the Lifecycle tab and click on Publish to publish the API to users.
7. Similarly, create and publish a dummy API for the HR dept. by logging into API Publisher with the HR tenant credentials. For this API in the HR tenant publisher, select the “Available to all the tenants” option from the subscription availability drop-down on the Subscriptions page.
API Subscription: Let’s see how subscription to APIs works from the WSO2 Developer Portal with Multitenancy. When you create multiple tenants in an API Manager deployment, the API developer portals of each tenant are displayed in a multi-tenanted view for all users to browse and for permitted users to subscribe to.
NOTE: API consumers need to subscribe to the APIs from the developer portal to access them securely with an OAuth token.
1. Open the WSO2 Developer Portal (https://hostname:9443/devportal/). You will get to see all the tenant developer portal options as shown below.
carbon.super is the super tenant that’s by default present in WSO2 APIM.
2. Click on the Finance tenant developer portal. You will be able to see the APIs created within this tenant and the applications present. But to subscribe to the API or to create new applications, we need to sign in. So, click on the SIGN-IN option at the top right and log in with the Finance dept. credentials (Username: , Password: fnadmin).
3. Click on the API to subscribe. For this API, created in the Finance tenant publisher, we had selected the option “Available to the current tenant only” in subscription, and hence the “Subscribe” button is enabled as shown below.
4. You can access the other tenants’ dev portals too, even though you are logged in with Finance tenant credentials. Click on the “Go To Public Dev Portal” option at the top right. Go into the HR dev portal (infyhr.com). Click on the API you had created in the HR tenant publisher. The “Subscribe” button should be enabled because, for this API, you had selected “Available to all the tenants” as the subscription availability while creating the API in API Publisher.
5. Now sign out of the Finance tenant developer portal and click on the HR dev portal and sign into it with the HR tenant credentials (Username: , Password: hradmin). Click on the API you created in the HR tenant publisher and you will see the “Subscribe” button enabled.
Now, click “Go To Public Dev Portal” and then go inside the Finance dev portal. Click on the API of the Finance dept. and you will find the “Subscribe” button disabled as shown below. That’s because, for the Finance dept. API, we had selected “Available to current tenant only” in subscription and hence the HR tenant cannot subscribe.
So, we have seen with Multitenancy, each tenant can have its own server experience in an isolated manner and it can manage its artifacts as it wants.
NOTE: We can also control the API visibility in other tenants in the Dev Portal. In API Publisher, go to the section “Design Configurations” for an API and select the option “Visible to my domain” from the drop-down of Developer Portal Visibility as shown below.
By selecting this option, the API created in a particular tenant is only visible to that tenant in the Developer Portal. For example, when you select this option for the Finance dept. API, you won’t be able to see this API when you log in to the HR tenant Dev Portal.
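The subscription availability and visibility rules walked through above can be written down as a small decision model. This is an added example, not WSO2 code or the author's; the class and function names and the sample context paths are hypothetical, and it assumes that a context without the /t/ prefix belongs to carbon.super, that the owning tenant can always subscribe, and that an API a tenant cannot see cannot be subscribed to.

```python
# Added illustration: a model of the rules described in this article,
# not WSO2 API Manager code. All names below are hypothetical.
from dataclasses import dataclass

SUPER_TENANT = "carbon.super"
CURRENT_ONLY = "Available to the current tenant only"
ALL_TENANTS = "Available to all the tenants"
SPECIFIC = "Available to specific tenants"


def tenant_of_context(context: str) -> str:
    """Return the tenant domain encoded in a /t/<domain>/... API context."""
    parts = context.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "t" and parts[1]:
        return parts[1].lower()
    return SUPER_TENANT  # assumption: no /t/ prefix means the super tenant


@dataclass(frozen=True)
class Api:
    context: str
    availability: str = CURRENT_ONLY
    allowed_tenants: frozenset = frozenset()  # used only with SPECIFIC
    visible_to_my_domain: bool = False  # "Visible to my domain" selected

    @property
    def owner(self) -> str:
        return tenant_of_context(self.context)


def can_see(api: Api, tenant: str) -> bool:
    # With "Visible to my domain", only the owning tenant sees the API.
    return not api.visible_to_my_domain or tenant.lower() == api.owner


def can_subscribe(api: Api, tenant: str) -> bool:
    tenant = tenant.lower()
    if not can_see(api, tenant):
        return False  # assumption: a hidden API cannot be subscribed to
    if tenant == api.owner or api.availability == ALL_TENANTS:
        return True
    if api.availability == SPECIFIC:
        return tenant in api.allowed_tenants
    return False  # CURRENT_ONLY, or an unknown value: deny by default


# Constructed sample data mirroring the article's two APIs.
FINANCE_API = Api("/t/infyfinance.com/finance/1.0", CURRENT_ONLY)
HR_API = Api("/t/infyhr.com/hr/1.0", ALL_TENANTS)
```

Evaluating `can_subscribe` for each tenant against `FINANCE_API` and `HR_API` reproduces the enabled and disabled “Subscribe” buttons seen in steps 3 to 5.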
Tenant Management outside WSO2 Admin Console: We can manage the tenants using various operations provided by the RemoteTenantManager Admin Service. This admin service and its operations can be invoked using a SOAP client like SOAP UI. Below are the steps to utilize this admin service.
1. Open the <API-M_HOME>/repository/conf/deployment.toml file and add the following configuration and restart the APIM server.
[admin_service.wsdl]
enable=true
2. Start the SOAP UI client and import the WSDL from https://localhost:9443/services/RemoteTenantManagerService?wsdl. This assumes that you are running the SOAP UI client from the same machine as the API Manager instance.
3. Note that there are several operations shown in the SOAP UI after importing the WSDL file.