I am reading the ‘getting started’ tutorial at this link: Create Tenants
It says the following:
“Once you create your account you will be asked to create a tenant. In Auth0, a tenant is a logical isolation unit . The term is borrowed from software multitenancy and it refers to an architecture where a single instance of the software serves multiple tenants. No tenant can access the instance of another tenant, even though the software might be running on the same machine (hence the logical isolation).”
What I don’t understand here is that it says “a single instance of the software serves multiple tenants” followed by “No tenant can access the instance of another tenant”. So does each tenant have its own instance (implied by the second quote) or do multiple tenants share an instance (implied by the first quote)?
Also, my understanding of instances and tenants is that an instance is “a copy of the software with its own database”, and a tenant corresponds to an account. So if each tenant has their own instance, does each user’s account have its own database?
From what I have researched, each tenant exists in its own container. They are guaranteed to be isolated from one another. Inside that container there can be processes like rules, logs, etc., but they should be isolated on a per-tenant basis.
With that being said, I would have to confirm some of these things with the product team to be 100% sure. Do you have something that is concerning you? If you do I can reach out to them to clarify.
Hi @dan.woda, thanks for your reply. I understand what you’re saying about each tenant existing in its own container with its own rules, logs, etc. The only thing I’m still unclear about is “a single instance of the software serves multiple tenants”. If each tenant exists in its own container and has its own rules, logs etc, what is shared between the multiple tenants that are served by the same instance? And which tenants are shared between a given instance?
For example, if I create an account, am I allocated an instance of the software and that instance serves each tenant I create? And does each instance have, for example, its own database, such that while tenants have their own rules, logs etc, they share a database?
The one other things I’m confused about is what is the difference between a tenant and a user? I thought that a tenant corresponded to one username+password pair, ie one user account, but the way I have Auth0 set up I have my account, two tenants (one for dev, one for deployment) and within each of these I’m able to create multiple users.
So I’d like to just clarify all this terminology
Thanks!
There’s just one logical instance of the server software (i.e. “Auth0 public cloud”). That’s a big cluster of servers, databases, load balancers and so on, that could be seen as one big service.
It is divided into a few geographical regions: Americas, Europe and Australia. Each gets their own servers, databases.
This Auth0 cloud service is further divided into tenants. One Auth0 customer (e.g. “Acme”) will usually “own” one or more tenants. You would typically set up at least one tenant for production usage and one or more for other environments like QA/dev/test (e.g. “acme”, “acme-dev”, “acme-qa”).
Each tenant contains one or more applications (“clients”) definitions, user databases, rules, user profiles, and so on. There’s no crossover of data between tenants, but that’s a logical divide, as internally some databases could potentially have data from more than one tenant (that’s an implementation detail). But the guarantee is that if you work with the “acme” tenant, you would never see any data from the “contoso” tenant (nor from the “acme-qa” or “acme-dev” tenants, for that matter).
When you create a tenant, you can only choose the region where the tenant ends up. There’s no exposed concept of instances to choose from.
All of the above is for the “public cloud” service. There are other deployment models (see Deploy and Monitor) for cases where a complete isolation is required.
