Cloud-native API Administration with Red Hat 3scale API Management
After completing this section, you should be able to create multiple tenants in Red Hat 3scale API Management.
You can configure multiple 3scale API Management instances within the same installation. An instance of 3scale API Management is called a tenant. Every tenant can be managed through its own Admin Portal.
By default, the 3scale API Management installation creates the 3scale tenant.
In previous sections of this course, you have used the Admin Portal of the default 3scale tenant to manage your APIs (https://3scale-admin.apps.ocp4.example.com).
While the default tenant, 3scale, might be enough for most organizations, larger companies might prefer to have several, independent instances to manage their APIs.
For example, a social network might choose to have a tenant for internal APIs, and another tenant for APIs that can be consumed by external developers.
Every tenant provides several interesting features that you might consider when deciding the number of tenants that you want to have:
| Feature | Explanation | URLs generated |
|---|---|---|
| Custom Developer Portal URL | For every tenant, a public Developer Portal is provided. |
|
| Custom APIcast URL | Every tenant gets a staging and production APIcast URL containing the tenant name. | The URL for staging follows the pattern api-.
The URL for production follows the pattern api-. |
| Custom Admin Portal | Every tenant includes an Admin Portal. You can use the Admin Portal to create, update and delete 3scale resources in the tenant. The resources (products, backends, users…) that you create in the tenant are independent, sharing data across tenants is not possible. |
|
The Master Portal is used to manage the tenants of the 3scale installation.
The Master Portal graphic interface is similar to the Admin Portal one, but the Master Portal has a horizontal blue straight line at the top of every page that contains the word Master.
The Master Portal's URL follows the pattern master..WILDCARD_DOMAIN
In the Master Portal context, a user allows you to connect to the Master Portal.
By default, 3scale creates a user with the username master and saves its password in the system-seed OpenShift secret.
The following command retrieves the default user's password and decodes it.
oc get secret system-seed -n 3scale \
--template={{.data.MASTER_PASSWORD}} | base64 -dYou can use these credentials to log in to the Master Portal.
To access the Users page, click in the drop-down menu, located in the top pane of the Master Portal.
Then, click → .
 |
The default master user is displayed.
Click to create a new user by providing a valid email address.
3scale sends an email with a link to join the Master Portal.
Click to list the invitations sent.
In the Master Portal context, an account represents a tenant.
When you create a master account, you are creating a new tenant.
To access the Accounts page, click in the drop-down menu located in the top pane.
This page lists the available accounts.
 |
Click to create a new account. You must complete the form by taking into consideration what every field means.
| Field | Explanation |
|---|---|
| Username | The username of the user that you use to access the Admin Portal of the tenant. |
| Password | The password of the user that you use to access the Admin Portal of the tenant. |
| The email of the user that you use to access the Admin Portal of the tenant. | |
| Organization/Group Name | The tenant name. This is used as a subdomain to generate the URLs of the Admin Portal, Developer Portal and APIcast. |
For example, if you create a tenant with the following data:
| Field | Value |
|---|---|
| Username |
do240-user
|
| Password |
do240-password
|
do240@redhat.com
| |
| Organization/Group Name |
do240
|
Then the following URLs are created, considering that the wildcard domain is example.com:
| Name | URL |
|---|---|
| Admin Portal |
do240-admin.example.com
|
| Developer Portal |
do240.example.com
|
| Staging APIcast URL |
api-do240-apicast-staging.example.com
|
| Production APIcast URL |
api-do240-apicast-production.example.com
|
You can use Admin Portal to manage most of the features of the tenant, such as products and backends.
You have already used the Admin Portal of the default tenant, 3scale, in previous sections.
You can access the Admin Portal of your tenant by opening the URL TENANT_NAME-admin.WILDCARD_DOMAIN
The Admin Portal Users allow you to connect to the Admin Portal. When you create a new tenant, you must provide a username and a password. These credentials are used to generate a default user for the Admin Portal of the tenant.
To access the Users page, click in the drop-down menu of the Admin Portal.
Then, click → in the left pane.
The list of users with access to the Admin Portal is displayed.
 |
Click to create a new user by providing a valid email address. An email is sent to the email provided with a link to join the tenant. Click to list the invitations sent.
Consider a clean 3scale installation with WILDCARD_DOMAIN = apps.ocp4.example.com.
The 3scale tenant is created by default with all the corresponding features, as shown in the following diagram:
 |
The Master Portal contains one account, 3scale, which corresponds to the default 3scale tenant.
At the same time, the Master Portal has one user, master, which is the default user.
You can log in to the Master Portal by opening the https://master.apps.ocp4.example.com URL in a web browser.
Then, you can use the master user credentials to authenticate.
The 3scale Admin Portal contains the default admin user, and the default API product.
You can log in to the 3scale Admin Portal by opening the https://3scale-admin.apps.ocp4.example.com in a web browser.
Then, you can use the admin user credentials to authenticate.
The Developer Portal of the 3scale tenant is available at https://3scale.apps.ocp4.example.com, and you can access your APIs at https://api-3scale-apicast-staging.apps.ocp4.example.com.
Consider also that your organization needs a separate tenant to manage the finance APIs independently.
If you add a new finance Master account (i.e. tenant) with the following data:
Username:
finance-userPassword:
finance-passwordEmail:
finance@redhat.comOrganization/Group Name:
finance
Then the previous diagram displays as follows:
 |
The Master Portal contains two accounts, 3scale and finance.
The finance Admin Portal holds one user, finance-user, which is the username that you provided when creating the tenant.
At the same time, the finance Admin Portal contains the API Product, which is created by default.
Note
The APIcast URLs displayed in the graphics assume that you are using the API default product.
3scale API Management provides a different URL prefix for every product by using the following pattern: PRODUCT-TENANT-apicast-staging.apps.ocp4.example.com
Because 3scale sends invitations through email, a SMTP server must be configured. 3scale does not provide an SMTP server by default, so if you want to create a Master Portal or Admin Portal user, then you must provide your own SMTP server. You can configure an SMTP server for the entire 3scale API Manager installation. Therefore, the Master Portal and all the tenants use the same email server.
When you have your SMTP server ready, you must configure 3scale to use the SMTP server.
The system-smtp OpenShift secret contains the following parameters to connect to the server.
| Parameter | Explanation |
|---|---|
address
| The host of the SMTP server. |
port
| Port where the server is listening for connections. |
username
| The username of the SMTP server authentication. Leave it blank if no authentication is required. |
password
| The password of the SMTP server authentication. Leave it blank if no authentication is required. |
domain
| The HELO domain. |
authentication
| The authentication type of the server.
Values: plain (send the password in clear), login (sends the password base64 encoded), or cram_md5. |
openssl.verify.mode
| Specifies how OpenSSL verifies certificates when using TLS.
Values: none or peer. |
You can modify the system-smtp secret by using the OpenShift Console, or by executing the proper oc patch command.
In the following command, you must replace both PARAMETER and VALUE by the parameter and value that you want to update, respectively.
oc patch secret system-smtp -p '{"stringData":{"PARAMETER":"VALUE"}}'For example, the following command updates the address parameter.
oc patch secret system-smtp -p '{"stringData":{"address":"smtp"}}'After you update the secret with the correct parameters for your SMTP server, you must restart the pods involved in the email sending.
oc rollout latest dc/system-app
oc rollout latest dc/system-sidekiq
