Skip to content

Multi Tenancy en

EnerOS Bot edited this page Jul 5, 2026 · 1 revision

中文 | English

Multi-Tenancy & Isolation

Maintained version: v0.51.2 | Last updated: 2026-07-06

EnerOS v0.38.0 introduced multi-tenant secure shared deployment, allowing multiple organizations to coexist securely on the same EnerOS instance, with resource namespace isolation + quota limits + cross-tenant default deny. This page is a feature summary; for full config see the main repo docs/user-manual.md §Multi-Tenancy and docs/deployment.md §3.3 + ADR-0006.

Enabling Multi-Tenancy

Disabled by default (enabled = false), behaving as single-tenant.

[tenant]
enabled = true
default_tenant_id = "default"
storage_path = "data/tenant.db"
default_max_devices = 1000
default_max_agents = 50
default_max_api_calls_per_day = 100000
default_max_storage_mb = 1024

Namespace Isolation

All resource IDs use <tenant_id>:<resource_id> namespace prefix:

tenant_a:device_001
tenant_b:device_001   # completely independent from tenant_a
default:device_001    # resources without prefix are global, visible to all tenants

Cross-Tenant Access Policy

Operation Default behavior Notes
Cross-tenant read 404 Not Found Does not return 403 to avoid leaking resource existence
Cross-tenant write 404 Not Found Same as above
Global resource access Allowed Resources without : prefix
Emergency superuser All allowed See section below

Quotas

TenantManager checks quotas on each resource creation:

Quota Default Config
Max devices 1000 default_max_devices
Max Agents 50 default_max_agents
Daily API call limit 100000 default_max_api_calls_per_day
Storage limit (MB) 1024 default_max_storage_mb

Quota exceeded returns 429 Too Many Requests.

Emergency Superuser

AuthorityLevel::Emergency users can access all resources across tenants, for:

  • Emergency fault handling (e.g., grid-wide fault isolation)
  • Cross-tenant coordination (e.g., distributed energy aggregation dispatch)
  • Regulatory audit

Emergency permissions are issued via dedicated certificates signed by eneros-trust's CA, and all cross-tenant access is recorded to WORM audit log (HMAC chain).

Persistence

TenantManager uses SQLite to persist tenant metadata and quota counters:

data/tenant.db
├── tenants          # tenants table (id / name / config / quota)
├── usage_counters   # quota usage counters (reset daily)
└── api_call_log     # API call log (for daily quota calculation)

Backward Compatibility

Scenario Migration impact
Existing API Keys Auto-bound to default tenant, no migration needed
Resource IDs without : prefix Treated as global resources, visible to all tenants
Disable multi-tenancy (enabled = false) Behavior identical to v0.37.0

Deployment Architecture

┌─────────────────────────────────────────────┐
│              EnerOS instance (single process)│
│                                              │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐    │
│  │ Tenant A│  │ Tenant B│  │ Tenant C│    │
│  │ City co.│  │ Subgroup│  │ Energy  │    │
│  └────┬────┘  └────┬────┘  └────┬────┘    │
│       │            │            │           │
│  ┌────┴────────────┴────────────┴────┐    │
│  │     TenantManager + UsageTracker   │    │
│  │     SQLite persistence (tenant.db) │    │
│  └────────────────────────────────────┘    │
│                                              │
│  Namespace isolation: <tenant_id>:<resource_id> │
│  Cross-tenant access: 404 (default deny)    │
└─────────────────────────────────────────────┘

Known Limitations (v0.51.2)

  • Single-instance multi-tenancy only; cross-instance tenant federation not supported
  • Quota counters are soft limits; exceeding rejects new requests but does not affect running resources
  • No tenant-level resource usage dashboard (pending v0.52.0 dashboard enhancement)
  • Emergency superuser operations not separately marked in dashboard

Related Documentation

Clone this wiki locally