Multi Tenancy Configuration
Introduction
A single Opencast instance can handle multiple tenants, each of which have their own recordings in the system. Opencast refers to tenants as organizations, and an HTTP request to the Opencast installation is mapped to an organization using the server name. Therefore, a Opencast instance will usually be set up with multiple DNS names pointing to the same IP, for example:
- admin.example.org
- tenant1-admin.example.org
- tenant2-admin.example.org
should all resolve to the same IP.
A tenant configuration thus consists mainly of the DNS name that is mapped to that tenant.
Default Setup
Out of the box, Opencast has one tenant configured, called mh_default_org
that is mapped to the server name
localhost:8080
. As long as there is one tenant configuration only, Opencast will map every request to that tenant
regardless of the server name. As soon as a second tenant configuration is available, requests will be mapped to
organizations using the server name, and an HTTP status code 404 will be returned for requests that hit the Opencast
installation that cannot be mapped to any organization.
Limitations
Multi tenancy in Opencast is working, however it is not fully finished. Certain objects are still shared amongst organizations, most notably RSS/Atom feeds and encoding profiles.
Adding A Tenant
To add a tenant to the installation, two things need to be put in place: a tenant configuration and a set of security
rules. For this example we have a three node install of admin.example.org
, worker.example.org
, and
presentation.example.org
. Assume that the new tenant is called tenant1
and should be mapped to
tenant1-*.example.org
.
Step 1: Tenant Configuration
Create a file called org.opencastproject.organization-tenant1.cfg in the etc/
directory of your Opencast
installation, on each of the nodes. As an example, this is what the admin node looks like:
id=tenant1
name=Tenant 1
admin_role=ROLE_ADMIN
anonymous_role=ROLE_ANONYMOUS
# Hostname URL mapping
prop.org.opencastproject.host.admin.example.org=https://tenant1-admin.example.org
prop.org.opencastproject.host.presentation.example.org=https://tenant1-presentation.example.org
prop.org.opencastproject.host.worker.example.org=https://tenant1-worker.example.org:8443
# Admin and Presentation Server Urls
prop.org.opencastproject.admin.ui.url=https://tenant1-admin.example.org
prop.org.opencastproject.engage.ui.url=https://tenant1-presentation.example.org
# Default properties for the user interface
prop.logo_mediamodule=/engage/ui/img/logo/opencast-icon.svg
prop.logo_player=/engage/ui/img/logo/opencast.svg
There are more options available than in this example. The easiest way of creating that file is probably to create a
copy of the already existing org.opencastproject.organization-mh_default_org.cfg
.
Note, the default organization file org.opencastproject.organization-mh_default_org.org
must refer to the actual
server names:
prop.org.opencastproject.host.admin.example.org=https://admin.example.org
prop.org.opencastproject.host.presentation.example.org=https://presentation.example.org
prop.org.opencastproject.host.worker.example.org=https://worker.example.org:8443
This file sets the default organization that is selected. This is currently required because some Opencast components do not support multitenancy.
Hosts can have different schemas (http / https) and port numbers, e.g. when you run behind proxy server. Note, that the combination of hostname and port number is uniquely mapped to an organization.
It is not supported for Opencast tenants to be hosted in a subpath. Opencast tenants needs to be served from the root path element. The RFC 3986 URI path component needs to be empty.
Step 2: Security Configuration
Create a file called tenant1.xml in /etc/security. This file specifies access rules for individual URLs that specify which roles are needed in order to access a given URL. In addition, it allows to define the directory services that are used to authenticate users. The file follows the standard ways on configuring Spring Security and you are free to add anything that can go into a Spring Security configuration.
The easiest way of creating that file is probably to create a copy of the already existing mh_default_org.xml
.
Step 3: Other Configuration
Two additional files should be copied: org.opencastproject.ui.metadata.CatalogUIAdapterFactory-episode-common.cfg
should be copied to org.opencastproject.ui.metadata.CatalogUIAdapterFactory-episode-common-tenant1.cfg
, and
org.opencastproject.ui.metadata.CatalogUIAdapterFactory-series-common.cfg
should be copied to
org.opencastproject.ui.metadata.CatalogUIAdapterFactory-series-common-tenant1.cfg
.
In each of the new configuration files, change organization
key to match the tenant id, and change the
common-metadata
key to false. Create a copy of the files for each tenant. Note: The original ...-common.cfg
files
must have their common-metadata
keys set to true, otherwise metadata will only be available in one tenant and you
will experience a number of odd errors.