Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Andres Rodriguez
on 28 August 2019


In this blog post, we are going to introduce the concept of multi-tenancy in MAAS. This allows operators to have different groups of users own a group of resources (machines) without ever even knowing about other groups of users enabling enhanced machine utilisation.

A common use case for medium and large-scale environments is to provide a different set of machines for different users or groups of users. MAAS has historically approached this by allowing users to pre-reserve machines (allocate) for later use. However, as of MAAS 2.4 we introduced the concept of resource pools.

Resource pools and role-based access control

Resource pools are a new way to organise your physical and virtual resources. A resource pool is effectively a bucket in which one or more machines can be placed. A machine can only be in one resource pool.

Figure 1. MAAS resource pools.

But now that you have organised your machines, how do you go about assigning users or groups to the different resource pools and preventing users from seeing resources that are assigned to someone else? Well, this is done with RBAC.

Role-based access control (RBAC) is supported in MAAS as an external micro-service that provides this functionality. The Canonical RBAC service allows administrators to select which users or groups of users can have access to a given resource pool, and the role that they can play within the resource pool itself.

Figure 2. RBAC service.

RBAC provides four roles that give the flexibility in multi-tenant environments:

  • Administrator – Maps to the current administrative user in MAAS.
  • Operator – Provides administrative permissions in the context of a resource pool.
  • User – Maps to the current non-administrative user of MAAS.
  • Auditor – Can only read information.

As MAAS can organise its physical and virtual resources in resource pools and prevent access to those resources via RBAC, what about authentication?  Where do users or user groups come from?

To provide authentication, MAAS and RBAC integrates with Candid, the Canonical identity manager service. Candid is a centralised authentication service that integrates with LDAP, Active Directory, SSO, and others. For MAAS, Candid provides LDAP authentication which is the source of users or user groups.

This allows administrators to continue to use their current authentication systems and seamlessly integrate them with MAAS and RBAC.

So, multi-tenancy?

As we have learnt, MAAS achieves multi-tenancy by making use of resource pools, RBAC and LDAP (with Candid). With this, administrators in MAAS can ensure certain users or groups within their organisation have access to only one or multiple resource pools.

But, how is this really multi-tenancy? It is because users (or user groups) will only be able to access the resources within the resource pools they have access to; they won’t be able to see that other resource pool exists. This provides complete separation making MAAS very flexible for large-scale environments or SMBs.  

For more information please contact us.


Related posts


Massimiliano Gori
16 September 2024

Announcing Authd: OIDC authentication for Ubuntu Desktop and Server

Ubuntu Article

Today we are announcing the general availability of Authd, a new authentication daemon for Ubuntu that allows direct integration with cloud-based identity providers for both Ubuntu Desktop and Server. Authd is available free of charge on Ubuntu 24.04 LTS. At launch, Authd supports Microsoft Entra ID (formerly Azure Active Directory) ident ...


Benjamin Ryzman
21 June 2024

Data Centre AI evolution: combining MAAS and NVIDIA smart NICs

AI Article

It has been several years since Canonical committed to implementing support for NVIDIA smart NICs in our products. Among them, Canonical’s metal-as-a-service (MAAS) enables the management and control of smart NICs on top of bare-metal servers. NVIDIA BlueField smart NICs are very high data rate network interface cards providing advanced s ...


Serdar Vural
5 December 2023

Canonical joins the Sylva project

Canonical announcements Telecommunications

Canonical is proud to announce that we have joined the Sylva project of Linux Foundation Europe as a General Member. We aim to bring our open source infrastructure solutions to Sylva and contribute to the project’s goal of providing a platform to validate cloud-native telco functions. Sylva was created to accelerate the cloudification of ...