-
Notifications
You must be signed in to change notification settings - Fork 0
Multi Tenancy en
中文 | English
Maintained version: v0.51.2 | Last updated: 2026-07-06
EnerOS v0.38.0 introduced multi-tenant secure shared deployment, allowing multiple organizations to coexist securely on the same EnerOS instance, with resource namespace isolation + quota limits + cross-tenant default deny. This page is a feature summary; for full config see the main repo docs/user-manual.md §Multi-Tenancy and docs/deployment.md §3.3 + ADR-0006.
Disabled by default (enabled = false), behaving as single-tenant.
[tenant]
enabled = true
default_tenant_id = "default"
storage_path = "data/tenant.db"
default_max_devices = 1000
default_max_agents = 50
default_max_api_calls_per_day = 100000
default_max_storage_mb = 1024All resource IDs use <tenant_id>:<resource_id> namespace prefix:
tenant_a:device_001
tenant_b:device_001 # completely independent from tenant_a
default:device_001 # resources without prefix are global, visible to all tenants
| Operation | Default behavior | Notes |
|---|---|---|
| Cross-tenant read | 404 Not Found | Does not return 403 to avoid leaking resource existence |
| Cross-tenant write | 404 Not Found | Same as above |
| Global resource access | Allowed | Resources without : prefix |
| Emergency superuser | All allowed | See section below |
TenantManager checks quotas on each resource creation:
| Quota | Default | Config |
|---|---|---|
| Max devices | 1000 | default_max_devices |
| Max Agents | 50 | default_max_agents |
| Daily API call limit | 100000 | default_max_api_calls_per_day |
| Storage limit (MB) | 1024 | default_max_storage_mb |
Quota exceeded returns 429 Too Many Requests.
AuthorityLevel::Emergency users can access all resources across tenants, for:
- Emergency fault handling (e.g., grid-wide fault isolation)
- Cross-tenant coordination (e.g., distributed energy aggregation dispatch)
- Regulatory audit
Emergency permissions are issued via dedicated certificates signed by eneros-trust's CA, and all cross-tenant access is recorded to WORM audit log (HMAC chain).
TenantManager uses SQLite to persist tenant metadata and quota counters:
data/tenant.db
├── tenants # tenants table (id / name / config / quota)
├── usage_counters # quota usage counters (reset daily)
└── api_call_log # API call log (for daily quota calculation)
| Scenario | Migration impact |
|---|---|
| Existing API Keys | Auto-bound to default tenant, no migration needed |
Resource IDs without : prefix |
Treated as global resources, visible to all tenants |
Disable multi-tenancy (enabled = false) |
Behavior identical to v0.37.0 |
┌─────────────────────────────────────────────┐
│ EnerOS instance (single process)│
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Tenant A│ │ Tenant B│ │ Tenant C│ │
│ │ City co.│ │ Subgroup│ │ Energy │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │
│ ┌────┴────────────┴────────────┴────┐ │
│ │ TenantManager + UsageTracker │ │
│ │ SQLite persistence (tenant.db) │ │
│ └────────────────────────────────────┘ │
│ │
│ Namespace isolation: <tenant_id>:<resource_id> │
│ Cross-tenant access: 404 (default deny) │
└─────────────────────────────────────────────┘
- Single-instance multi-tenancy only; cross-instance tenant federation not supported
- Quota counters are soft limits; exceeding rejects new requests but does not affect running resources
- No tenant-level resource usage dashboard (pending v0.52.0 dashboard enhancement)
- Emergency superuser operations not separately marked in dashboard
- ADR-0006 Multi-Tenancy
- Zero-Trust Security — Multi-tenancy + zero-trust combined deployment
-
Configuration Reference —
[tenant]section config - Main repo docs/deployment.md §3.3 — Multi-tenant deployment config
- Main repo docs/user-manual.md §Multi-Tenancy — User perspective
- Main repo crates/eneros-tenant/ — source
EnerOS Wiki | v0.51.2