Tips for multi tenant setup and configuration

Started by JayST, August 14, 2019, 08:37:16 PM

Previous topic - Next topic

JayST

I was wondering if there are some tips that can be shared for configuring NetXMS for a few (<10) small/smb organizations. I already found out about zoning. That's clear. Proxy functionality is also clear to me now.

Perhaps more on configuratoin topics like:

  • A Template strategy
  • A Policy strategy
  • Mapping customers and nodes to containers/folders
  • A strategy arround Event Policy rules to stay flexible and deal with per-organization requirements and/or SLA's ?
  • A event strategy
  • A action strategy

I know it all falls into the category "it depends", but there must be some things you ran into that made some changes happen.

Basically, any do's and dont's available for such a setup  :)

Tursiops

Indeed "it depends". In fact it depends very heavily on which part you are trying to multi-tenant.
We are monitoring > 100 SMB networks in our installation, however we do not give our customers access to it at this time.

Templates & Policies (same thing in version 3)
We wouldn't customers access. A customer writing an auto-bind rule for "their" equipment would also apply to other customers. You would have to trust the customer to add checks for their zone (or custom attributes or whatever else you wish to use to identify a customer) into their templates. I do not trust. :)
If you are managing this, there is probably no reason not to apply the same templates to everyone. You can always use auto-apply rules for customer specific templates.

Mapping customers/nodes to containers
Auto-bind rules allow for that. But again, I wouldn't give customers write access to that as I do not trust the customer to always do the right thing here.

Event Policy Rules
And again, I wouldn't give customers access. There are no access controls to individual rules, you either can access EPRs or you can't. You do not want your customers to be able to mess with that. If the idea is that you're handling all of the rules, it is much easier. You can apply rules based on source objects, e.g. Zones. Make sure you get your naming conventions right so you can easily identify which rules apply to whom. You can configure customer specific settings as custom attributes on zones, containers or nodes. Or use persistent storage variables. You can script this to fit your needs.

Event Strategy
You can use the same events across your customers and apply different rules in EPRs depending on the customer. You can also create customer specific events if needed for customer specific templates. Once again, I wouldn't let customers create events.

Action Strategy
You might sense a pattern here.... I wouldn't let customers configure those, but you can set them up to deal with different customers yourself.

Basically NetXMS does not lend itself to full multi-tenancy where you can give actual administrative control over a zone to a different admin with them only being able to change their own templates, policies, rules, etc.

You can use it to give customers some level of access to their own devices. This is something you should test thoroughly. You do not want to have some area where one customer can pull data from another, e.g. via scripting or other means. You will need to setup trusted nodes, rather than assuming trust between everything. That also means newly discovered devices will need to be configured with trusted nodes. I haven't checked if that can be done via NXSL as discovered nodes are being created.

For logging, you need to enable ExtendedLogQueryAccessControl (disabled by default). It will make queries for logs slower, but it means customers won't be able to see each other's logs. However, we found a little while ago that "unknown" sources will be visible to everyone. That has been raised with the developers. Having said that, enabling UseSyslogForDiscovery and UseSNMPTrapsForDiscovery might be a workaround as it would create a new node from unknown sources. From that point onwards access restrictions would apply.

As we have not actually configured our system for this, I do not have any actual experience with that kind of setup. We simply needed a locked down temporary account one day for one particular customer and the above was what we found while doing so.

JayST

great stuff! Thanks alot!

I'm not looking to provide access to customers, so that's not an issue. I should have put that in my post, sorry. Good to see confirmation that providing customer access is not ideal.

So we'll go for a scenario in which we are the only one configuring the software and the only with access.

So in your environment, you have EPRs for every customer? Seems logical, as actions differ between customers offcourse.

I still struggle a bit with the event strategy. for example: What would be use cases to NOT share events between customer but instead create dedicated set of events for a customer?

normalcy

Is this something Grafana would be useful for?  Keep the NetXMS access for ops internal and then publish zone specific dashboards to Grafana for customers? 

I suppose in the future the WebAPI might allow someone to write a customer focused client interface?

Has anyone done something like that now?

Victor Kirhenshtein

Grafana definitely can be used as publishing front end for customers as you can have completely separate access control.

Best regards,
Victor

AleCoelli

Hi,
  I think that for multi-customer use, we should have another kind of container rapresenting a single customer that could contain in an unique position: Zone/networks, object contaniner, network maps, dashboards and graphs. In this kind of macro container, it will usefull to add documentation files, like photos, docs etc

thanks
Alessandro

Victor Kirhenshtein

Hi,

one of the biggest issues with multi-tenant setup is event processing configuration. Currently there is single policy and access to it is controlled by global access rights. For proper multi-tenant setup we also need separate event processing policies, action configurations, etc. Depending on what you want to achieve it could be easier to run multiple instances of netxmsd, using docker containers for example.

Best regards,
Victor

AleCoelli

Victor, you're right if we are talking about a full multi tenant environment, with customer single, isolated access.
But this isn't our goal: we want only grouping the information in a customer-based tree. We manage different customer, and the technician should easily open the customer tree and work on it, having all the infrastructure under eyes.

Tnks