2018-08-16 00:44:00 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Namespaces - Vault Enterprise"
|
|
|
|
sidebar_current: "docs-vault-enterprise-namespaces"
|
|
|
|
description: |-
|
|
|
|
Vault Enterprise has support for Namespaces, a feature to enable Secure Multi-tenancy (SMT) and self-management.
|
2018-08-15 22:27:11 +00:00
|
|
|
|
2018-08-16 00:44:00 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
# Vault Enterprise Namespaces
|
|
|
|
|
|
|
|
## Overview
|
|
|
|
|
2018-08-16 20:38:24 +00:00
|
|
|
Many organizations implement Vault as a "service", providing centralized
|
|
|
|
management for teams within an organization while ensuring that those teams
|
|
|
|
operate within isolated environments known as *tenants*.
|
2018-08-16 00:44:00 +00:00
|
|
|
|
|
|
|
There are two common challenges when implementing this architecture in Vault:
|
|
|
|
|
|
|
|
**Tenant Isolation**
|
2018-08-16 00:44:36 +00:00
|
|
|
|
2018-08-16 00:44:00 +00:00
|
|
|
Frequently teams within a VaaS environment require strong isolation from other
|
2018-08-16 20:38:24 +00:00
|
|
|
users in their policies, secrets, and identitys. Tenant isolation is typically a
|
|
|
|
result of compliance regulations such as [GDPR](https://www.eugdpr.org/), though it may
|
|
|
|
be necessitated by corporate or organizational infosec requirements.
|
2018-08-16 00:44:00 +00:00
|
|
|
|
|
|
|
**Self-Management**
|
2018-08-16 00:44:36 +00:00
|
|
|
|
2018-08-16 00:44:00 +00:00
|
|
|
As new tenants are added, there is an additional human cost in the management
|
|
|
|
overhead for teams. Given that tenants will likely have different policies and
|
|
|
|
request changes at a different rate, managing a multi-tenant environment can
|
|
|
|
become very difficult for a single team as the number of tenants within that
|
2018-08-16 20:38:24 +00:00
|
|
|
organization grow.
|
2018-08-16 00:44:00 +00:00
|
|
|
|
|
|
|
'Namespaces' is a set of features within Vault Enterprise that allows Vault
|
2018-08-16 20:38:24 +00:00
|
|
|
environments to support *Secure Multi-tenancy* (or *SMT*) within a single Vault
|
2018-08-16 00:44:00 +00:00
|
|
|
infrastructure. Through namespaces, Vault administrators can support tenant isolation
|
2018-08-16 20:38:24 +00:00
|
|
|
for teams and individuals as well as empower delegated administrators to manage their
|
2018-08-16 00:44:00 +00:00
|
|
|
own tenant environment.
|
|
|
|
|
|
|
|
## Architecture
|
|
|
|
|
|
|
|
Namespaces are isolated environments that functionally exist as "Vaults within a Vault."
|
2018-08-16 20:38:24 +00:00
|
|
|
They have separate login paths and support creating and managing data isolated to their
|
|
|
|
namespace. This data includes the following:
|
2018-08-16 00:44:00 +00:00
|
|
|
|
2018-08-30 21:20:14 +00:00
|
|
|
- Secret Engines
|
|
|
|
- Auth Methods
|
2018-08-16 00:44:00 +00:00
|
|
|
- Policies
|
|
|
|
- Identities (Entities, Groups)
|
|
|
|
- Tokens
|
|
|
|
|
2018-08-16 20:38:24 +00:00
|
|
|
Rather than rely on Vault system admins, namespaces can be managed by delegated admins who
|
|
|
|
can be prescribed administration rights for their namespace. These delegated admins can also
|
|
|
|
create their own child namespaces, thereby prescribing admin rights on a subordinate group
|
|
|
|
of delegate admins.
|
2018-08-16 00:44:00 +00:00
|
|
|
|
2018-08-30 21:20:14 +00:00
|
|
|
Child namespaces can share policies from their parent namespaces. For example, a child namespace
|
|
|
|
may refer to parent identities (entities and groups) when writing policies that function only
|
|
|
|
within that child namespace. Similarly, a parent namespace can have policies asserted on child
|
|
|
|
identities.
|
|
|
|
|
2018-08-16 00:44:00 +00:00
|
|
|
## Setup and Best Practices
|
|
|
|
|
2018-08-16 20:38:24 +00:00
|
|
|
A [deployment guide](/guides/operations/multi-tenant.html) is available to help guide you
|
|
|
|
through the deployment and administration of namespaces, and contains examples on architecture
|
|
|
|
for using namespaces to implement SMT across your organization.
|
2018-08-16 00:44:00 +00:00
|
|
|
|