Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RBAC and multitenancy in UCS

Hello,

I remember having read somewhere that there is no way to grant a user access to ONLY organization X in UCS Manager while restricting the rest of organizations (even READ-ONLY mode) due to the way UCS Manager database is programmed. I'd like to confirm whether this is true and, in such a case, what are alternatives in order to implement a REAL multitenancy scenario with UCS? I do NOT want Tenant A to be able to even SEE stuff from Tenant B.

Thanks,

Everyone's tags (2)
6 REPLIES

RBAC and multitenancy in UCS

Dani,

At present you can use Locales to restrict permissions for a user to a certain org, but unfortunately they willl still have read-only access to everything else.

I'll check if the upcoming 2.1 (Del Mar) release or UCS Central (Manager of Managers) has any improvements on this fronts, but I don't recall so.

Regards,

Robert

Cisco Employee

RBAC and multitenancy in UCS

This is covered by CSCtf56791

RBAC was not designed for what you are looking for where Multiple tennants cannot see anything at all about each other.

Please let your sales representives know about this and give them this bug ID to make sure this enhancement is given the proper priority, and let them know how important this is to you. Also open a TAC case if this is impacting you right now so your specific problem can be attached to the bug.

New Member

RBAC and multitenancy in UCS

Robert,

What is the approximate GA date for Del Mar?

RBAC and multitenancy in UCS

Should be released by the end of the summer (July/Aug).

Regards,

Robert

New Member

RBAC and multitenancy in UCS

Chaausti,

Then you're saying that UCS is not a multitenant solution, ¿or don't you? My idea of multitenancy is that Tenant A must NOT even know the existance of Tenant B...any tenant at any moment should have the perception that infrastructure is 100% dedicated to him...am I wrong?

How could we get this illusion in UCS? Maybe other tools or suites?

Thanks,

Cisco Employee

RBAC and multitenancy in UCS

Could you be a little more specific with what you are looking for?

For example if you want to provide each tennant with unconfigured physical hardware in UCSM, and then let them set everything up themselves without being able to know about other tennants, that is not yet possible. If you are looking to provide VMs to the tennants, here is a whitepaper that walks you through one example of how to get this working:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/Virtualization/securecldeployg.html#wp1024662

With VMs you can even provide direct access to hardware with Intel VT-d (VMdirectpath).  Just about anything short of installing a hypervisor is possible in a VM.

If your tenenats would be okay to just have KVM access to a per-configured physical blade where they could install their own OS, I suppose you could setup something to block their access to the UCS CLI, GUI, main KVM webpage, and the IPs of all the other CIMCs, and give the customers each a webpage with a bunch of direct links to only their KVMs. This may not work for what you want since it would not allow your tennants configure their own VLANs, boot order, vSANs, WWNNs, WWPNs, MAC addresses, hard disk RAID config, failover options, BIOS settings, Number of vNICs/vHBAs, vNIC/vHBA Settings, vNIC.vHBA palcement, or anything else. Also, depending on how much control you would like to give the tennants,  alloing them to provision their own SAN based storage would present more challenges.

Also the ability to limit read-only access based on each org in UCSM should be added eventually. If you need this feature, the best way to ensure you get it in time is to work with your sales people who can help ensure the feature is added in the next UCSM release.

UCSM has an XML API that allows you to do anything that you can do with the UCSM GUI. There are 3rd party tools that can control a UCS, and there is no reason what you are looking for would be impossible to create as a 3rd party tool. I am sorry but I wouldn't know weather or not one already exists that does what you need.

1088
Views
0
Helpful
6
Replies