From 9d41d4c407fb8f2a129e4df2bc3bd5431280e4ee Mon Sep 17 00:00:00 2001 From: Andy Manoske Date: Wed, 15 Aug 2018 17:44:00 -0700 Subject: [PATCH] Update index.html.md --- .../docs/enterprise/namespaces/index.html.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/website/source/docs/enterprise/namespaces/index.html.md b/website/source/docs/enterprise/namespaces/index.html.md index 8b1378917..3e56d3fd7 100644 --- a/website/source/docs/enterprise/namespaces/index.html.md +++ b/website/source/docs/enterprise/namespaces/index.html.md 
@@ -1 +1,68 @@ +--- +layout: "docs" +page_title: "Namespaces - Vault Enterprise" +sidebar_current: "docs-vault-enterprise-namespaces" +description: |- + Vault Enterprise has support for Namespaces, a feature to enable Secure Multi-tenancy (SMT) and self-management. +--- + +# Vault Enterprise Namespaces + +## Overview + +Many organizations implement *Vault as a Service* (or "VaaS"), providing centralized +management to a security or ops team while ensuring that separate teams within that +organization operate within self-contained environments known as "*tenants*." + +There are two common challenges when implementing this architecture in Vault: + +**Tenant Isolation** +Frequently teams within a VaaS environment require strong isolation from other +users in their policies, secrets, and sometimes even their own identity entities +and groups. Frequently tenant isolation is a result of regulations such as [GDPR](https://www.eugdpr.org/), +though it may be necessitated by corporate or organizational infosec requirements as +well. + +**Self-Management** +As new tenants are added, there is an additional human cost in the management +overhead for teams. Given that tenants will likely have different policies and +request changes at a different rate, managing a multi-tenant environment can +become very difficult for a single team as the number of tenants within that +environment grow. + +'Namespaces' is a set of features within Vault Enterprise that allows Vault +environments to support *Secure Multi-tenancy* (or *SMT*) within a single Vault Enterprise +infrastructure. Through namespaces, Vault administrators can support tenant isolation +for teams and individuals as well as empower those individuals to self-manage their +own tenant environment. + +## Architecture + +Namespaces are isolated environments that functionally exist as "Vaults within a Vault." 
+They have separate login paths and support creating and managing data isolated to a namespace +including the following: + +- Secret Engine Mounts +- Policies +- Identities (Entities, Groups) +- Tokens + +Namespaces can also be configured to inherit all of this data from a higher *parent* namespace. +This simplifies the deployment of new namespaces, and can be combined with sentinel policies +to prescribe organization-wide infosec policies on tenants. + +## Example Implementation + + + +## Setup and Best Practices + +A [deployment guide](/guides/operations/replication.html) is +available to help you get started, and contains examples on namespace architecture. + +## API + +Namespaces supports a full HTTP API. Please see the +[Vault Namespace API](/api/system/replication.html) for more +details.
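Review bot: the `## Example Implementation` section near the end of this hunk is empty (a heading followed only by blank lines), and the two links below it point at replication documentation rather than namespace documentation: `[deployment guide](/guides/operations/replication.html)` and `[Vault Namespace API](/api/system/replication.html)`. Either fill in the example and point both links at the namespaces guide and API pages, or drop the empty section and the links until that content exists, so the page does not ship with a dangling heading and link text that contradicts its targets. Two smaller nits in the same hunk: `as the number of tenants within that environment grow` should read `grows`, and `sentinel policies` should be capitalized as `Sentinel policies` since it names the product.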