Multi-tenant graphs
Overview
This page describes how to configure and use multiple graphs within the same Aerospike namespace. Multi-tenant graphs enable the creation and management of several logically isolated graphs within a shared namespace, allowing for distinct graphs to operate independently while sharing common infrastructure. This approach is ideal for applications requiring multi-tenancy, as it streamlines graph management while maintaining strong access controls across different graphs.
For scenarios that require a higher level of isolation at the storage level, consider using single graphs per namespace instead. This provides a higher level of separation of data for applications with stricter multi-tenancy requirements.
Configuration and usage
To set up multi-tenant graphs when starting an Aerospike Graph Service (AGS) instance,
use the aerospike.graph-service.graphs
configuration option to specify graph names. You can do this using an
environment variable or
with a properties file.
Specifying Graph Names and Traversal Names
Each individual graph has an associated graph name and a traversal name.
You can specify the graph name and traversal name for each graph with the
aerospike.graph-service.graphs
and <GRAPH-NAME>.aerospike.graph.traversal
configuration options.
The traversal name is optional. If it is not specified, it defaults to g<GRAPH-NAME>. For instance, a graph named myGraph has a default traversal name of gmyGraph. For single-graph AGS instances that do not utilize multi-tenancy, the traversal name defaults to g.
The graph name is used to define configuration options specific to that graph, as demonstrated in
the example.
The graph name is used to configure settings specific to that graph, as illustrated in the example. It is also used for HTTP endpoints and in setting up RBAC authentication.
Graph name requirements
- Graph names must contain only letters, numbers, dashes, and underscores. No other special characters are supported.
- Graph names must be no longer than 32 characters.
- The graph name and its traversal name must be different.
- Multi-tenant graphs must be configured when starting AGS. If you need to add or change graph names after the AGS instance has started, you must stop the AGS instance, update the configuration options, then start AGS again.
The traversal name is intended for client applications. Use the traversal name when connecting to AGS through a client application, such as when using the Gremlin console.
Example configuration
The following is an example configuration for an AGS instance with multi-tenancy:
aerospike.client.host=172.17.0.1
aerospike.client.port=3000
aerospike.client.namespace=test
# Specify names for named graphs
aerospike.graph-service.graphs=myGraph,modern
# Specify traversal name for myGraph
myGraph.aerospike.graph.traversal=myGraph-traversal
# If no user-supplied traversal name is given for graph modern,
# it defaults to:
# modern.aerospike.graph.traversal=gmodern
# Other configuration options can be specified for each graph
# as follows:
myGraph.aerospike.client.policy.scan.totalTimeout=100
myGraph.aerospike.client.clientPolicy.minConnsPerNode=40
myGraph.aerospike.client.clientPolicy.maxConnsPerNode=60
modern.aerospike.client.policy.scan.totalTimeout=2000
modern.aerospike.client.clientPolicy.minConnsPerNode=400
modern.aerospike.client.clientPolicy.maxConnsPerNode=600
Connecting to a multi-tenant graph
To connect to a multi-tenant graph, use the graph traversal name
as an argument in the connection command. The following example
shows a connection to a graph from the Gremlin console with the traversal name myGraph-traversal:
g = traversal().withRemote(DriverRemoteConnection.using("GREMLIN_SERVER_IP_ADDRESS", 8182, "myGraph-traversal"));
The g object in this context is used by the client application, while myGraph-traversal is within the scope of the Aerospike Graph Service (AGS).
RBAC support
If RBAC is enabled for your AGS instance, you can create tokens to assign roles to different graphs. For more information, refer to the RBAC guide for details on creating and managing JWT tokens for multi-tenant graphs.