RBAC and multitenancy in UCS

dani_bosch
Level 1

Hello,

I remember having read somewhere that there is no way to grant a user access to ONLY organization X in UCS Manager while restricting the rest of organizations (even READ-ONLY mode) due to the way UCS Manager database is programmed. I'd like to confirm whether this is true and, in such a case, what are alternatives in order to implement a REAL multitenancy scenario with UCS? I do NOT want Tenant A to be able to even SEE stuff from Tenant B.

Thanks,

6 Replies

Robert Burns
Cisco Employee

Dani,

At present you can use Locales to restrict permissions for a user to a certain org, but unfortunately they will still have read-only access to everything else.

I'll check if the upcoming 2.1 (Del Mar) release or UCS Central (Manager of Managers) has any improvements on this front, but I don't recall so.

Regards,

Robert

chaausti
Cisco Employee

This is covered by CSCtf56791

RBAC was not designed for what you are looking for, where multiple tenants cannot see anything at all about each other.

Please let your sales representatives know about this and give them this bug ID to make sure this enhancement is given the proper priority, and let them know how important this is to you. Also open a TAC case if this is impacting you right now so your specific problem can be attached to the bug.

Robert,

What is the approximate GA date for Del Mar?

Should be released by the end of the summer (July/Aug).

Regards,

Robert

Chaausti,

Then you're saying that UCS is not a multitenant solution, or aren't you? My idea of multitenancy is that Tenant A must NOT even know of the existence of Tenant B... any tenant at any moment should have the perception that the infrastructure is 100% dedicated to him... am I wrong?

How could we get this illusion in UCS? Maybe other tools or suites?

Thanks,

Could you be a little more specific with what you are looking for?

For example, if you want to provide each tenant with unconfigured physical hardware in UCSM, and then let them set everything up themselves without being able to know about other tenants, that is not yet possible. If you are looking to provide VMs to the tenants, here is a whitepaper that walks you through one example of how to get this working:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/Virtualization/securecldeployg.html#wp1024662

With VMs you can even provide direct access to hardware with Intel VT-d (VMDirectPath). Just about anything short of installing a hypervisor is possible in a VM.

If your tenants would be okay to just have KVM access to a pre-configured physical blade where they could install their own OS, I suppose you could set up something to block their access to the UCS CLI, GUI, main KVM webpage, and the IPs of all the other CIMCs, and give the customers each a webpage with a bunch of direct links to only their KVMs. This may not work for what you want since it would not allow your tenants to configure their own VLANs, boot order, vSANs, WWNNs, WWPNs, MAC addresses, hard disk RAID config, failover options, BIOS settings, number of vNICs/vHBAs, vNIC/vHBA settings, vNIC/vHBA placement, or anything else. Also, depending on how much control you would like to give the tenants, allowing them to provision their own SAN-based storage would present more challenges.

Also, the ability to limit read-only access based on each org in UCSM should be added eventually. If you need this feature, the best way to ensure you get it in time is to work with your sales people, who can help ensure the feature is added in the next UCSM release.

UCSM has an XML API that allows you to do anything that you can do with the UCSM GUI. There are 3rd party tools that can control a UCS, and there is no reason what you are looking for would be impossible to create as a 3rd party tool. I am sorry but I wouldn't know whether or not one already exists that does what you need.
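One way to verify, rather than assume, the behaviour Robert and chaausti describe (a locale-scoped user still reads every org) is to query the XML API as the tenant's own user and compare the orgs it returns against the org that user is supposed to own. The following is an added example, not code from this thread or from any Cisco tool. It does not contact a live UCS Manager: the response it parses is a constructed sample shaped like the output of a `configResolveClass` query for `classId="orgOrg"`, and the request builder follows the request element as documented for the UCSM XML API; both should be checked against the API reference for your UCSM version before use.

```python
"""Audit cross-tenant org visibility from a UCSM XML API org listing.

Added example, not part of the original thread. The XML below is a
constructed sample standing in for a real configResolveClass reply;
the element and attribute names follow the UCSM XML API conventions
(assumption: verify against your version's API reference).
"""
import xml.etree.ElementTree as ET


def build_org_query(cookie):
    """Build the XML API request that lists every orgOrg object.

    The cookie comes from a prior aaaLogin call. Assumption: the
    configResolveClass/classId/inHierarchical attributes are as
    documented for the UCSM XML API.
    """
    return (f'<configResolveClass cookie="{cookie}" classId="orgOrg" '
            f'inHierarchical="false"/>')


# Constructed sample reply, as it might look when the query is run by a
# user whose locale is scoped to org-root/org-TenantA.  The thread says
# such a user still has read-only access to the rest of the tree, so
# TenantB's org shows up in the listing as well.
SAMPLE_RESPONSE = """<configResolveClass cookie="constructed-cookie"
    response="yes" classId="orgOrg">
  <outConfigs>
    <orgOrg dn="org-root" name="root"/>
    <orgOrg dn="org-root/org-TenantA" name="TenantA"/>
    <orgOrg dn="org-root/org-TenantA/org-Dev" name="Dev"/>
    <orgOrg dn="org-root/org-TenantB" name="TenantB"/>
  </outConfigs>
</configResolveClass>"""


def visible_orgs(xml_text):
    """Return the sorted DNs of every orgOrg object in the reply.

    Raises if the reply carries an errorCode attribute, which is how
    the XML API reports a failed query (assumption: attribute name).
    """
    root = ET.fromstring(xml_text)
    if root.get("errorCode") is not None:
        raise RuntimeError(
            f"XML API error {root.get('errorCode')}: {root.get('errorDescr')}")
    return sorted(el.get("dn") for el in root.iter("orgOrg"))


def cross_tenant_visibility(xml_text, tenant_org_dn):
    """Return org DNs the user can read that are outside its own subtree.

    org-root itself is excluded: every org is a child of it, so seeing
    it reveals nothing about other tenants.  Anything else outside
    tenant_org_dn/... is another tenant's org and is reported.
    """
    leaked = []
    for dn in visible_orgs(xml_text):
        if dn == "org-root":
            continue
        if dn == tenant_org_dn or dn.startswith(tenant_org_dn + "/"):
            continue
        leaked.append(dn)
    return leaked


def is_isolated(xml_text, tenant_org_dn):
    """True only if the listing shows no org beyond the tenant's own."""
    return not cross_tenant_visibility(xml_text, tenant_org_dn)


if __name__ == "__main__":
    tenant = "org-root/org-TenantA"
    print("request:", build_org_query("constructed-cookie"))
    print("visible:", visible_orgs(SAMPLE_RESPONSE))
    print("leaked to", tenant, "->", cross_tenant_visibility(SAMPLE_RESPONSE, tenant))
    print("isolated:", is_isolated(SAMPLE_RESPONSE, tenant))
```

Run against a real reply (fetched with the tenant's credentials, not an admin's), a non-empty result from `cross_tenant_visibility` is the concrete evidence to attach to the bug or TAC case mentioned above; an empty result on a later UCSM release would show that per-org read restriction had arrived.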
