Using Chronograf for Software as a service

We have a total of 100 clients and each client has 10 devices.
So when a client logs in we need to show only his 10 devices.
Can we achieve this by creating an Organisation for each client, and is it also possible for each client's Kapacitor logic to be unique to that client?


There are two ways of achieving this…with InfluxDB 1.x.

  1. You segment your clients within the database itself. Essentially, each client has their own database within a running InfluxDB OSS instance. The data for the 10 devices must be fed into that database. You then create unique credentials for each customer-specific database…and you then create organizations within Chronograf where the data source setup for the organization only connects to InfluxDB using the creds specific for that organization’s data/database.

  2. Using InfluxDB Enterprise, you can land all of the data within the same database. You then use fine-grained authorization at the series level to restrict access to the devices (based on the series). Create a specific user account which has access only to their specific device data and then use those credentials within Chronograf to create an organization with a data source which uses those credentials.

Kapacitor is an all-or-nothing approach. Meaning, you either have access to Kapacitor or you do not. The best practice is to stand up a Kapacitor instance for each organization and allow full access. This can also be done when you create the data source…simply add a unique Kapacitor instance for each organization. This allows for full isolation of tasks between the user groups. It is important to point out that you must disable the subscription mechanism between Kapacitor and InfluxDB for 100 Kapacitors to be used…therefore only batch-style TICKscripts will function.

I should also note that the only reason this will work…with 100 databases is because the ingest rate of 10 devices should be relatively modest. There is some overhead associated with each database instance – and as resources are allocated to support 100 concurrent, active databases, there are limitations in terms of things like the write throughput that may appear. But, if you aren’t pushing that much data on a per device basis, you won’t likely see the drop off in terms of ingest performance.
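Option 1 from the reply above, as an added example (not part of the original posts and not InfluxData's code): a generator for the per-client InfluxQL statements that rejects unsafe tenant names. The `client_NNN` naming scheme, the `_ro` account suffix and the choice of a READ-only grant for the Chronograf data source are assumptions.

```python
import re
import secrets

# Assumed naming scheme: tenant ids such as "client_001" (not from the thread).
TENANT_ID = re.compile(r"[a-z][a-z0-9_]{0,39}")
PASSWORD = re.compile(r"[A-Za-z0-9_-]{16,}")


def tenant_statements(tenant, password=None):
    """Return (statements, password) isolating one tenant in InfluxDB 1.x.

    The tenant gets its own database and one account that can only read it;
    that account is what the tenant's Chronograf data source would use.
    Grants are enforced only when authentication is enabled in InfluxDB
    (auth-enabled = true under [http] in influxdb.conf).
    """
    # Tenant ids land inside quoted InfluxQL identifiers, so accept only a
    # strict pattern (fullmatch also rejects a trailing newline) instead of
    # trying to escape arbitrary input.
    if not TENANT_ID.fullmatch(tenant):
        raise ValueError(f"refusing unsafe tenant id: {tenant!r}")
    # token_urlsafe yields only [A-Za-z0-9_-], safe inside a '...' literal.
    password = password or secrets.token_urlsafe(24)
    if not PASSWORD.fullmatch(password):
        raise ValueError("password must be 16+ chars of [A-Za-z0-9_-]")
    db, user = tenant, f"{tenant}_ro"
    statements = [
        f'CREATE DATABASE "{db}"',
        f"CREATE USER \"{user}\" WITH PASSWORD '{password}'",
        # READ on this one database only: no WRITE, no ALL PRIVILEGES.
        f'GRANT READ ON "{db}" TO "{user}"',
    ]
    return statements, password


def provision_plan(tenants):
    """Map each tenant id to (statements, password), rejecting duplicates."""
    if len(set(tenants)) != len(tenants):
        raise ValueError("duplicate tenant id")
    return {tenant: tenant_statements(tenant) for tenant in tenants}


if __name__ == "__main__":
    # Constructed input: the 100 clients from the question.
    plan = provision_plan([f"client_{n:03d}" for n in range(1, 101)])
    for statements, _password in plan.values():
        print(";\n".join(statements) + ";")
```

The printed statements contain the generated passwords, so pipe them straight to the `influx` CLI over a trusted channel rather than saving them to a shared file.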

Thank you very much @tim.hall for the quick response.
Expected write throughput is 7khz of data from a total of 100 * 10 devices.
So the InfluxDB OSS instance should handle 7000 write points per second. Will that work?

And is there an API available for creating Admins and adding organizations to them inside Chronograf? I was not able to find any documentation. @tim.hall @rawkode

Hi @santhosh, Unfortunately there isn’t an API for adding Admins to Organizations in Chronograf. You can set things up so that new users are automatically added to an Organization as an Admin, but that would apply to all users that log in via OAuth (of a specific domain).

You can use the Org Mappings page to automatically add new users from a specific domain to an organization: https://docs.influxdata.com/chronograf/v1.7/administration/managing-organizations/#mapping-organizations

If you combine that with the default role of Admin for new members of an org: https://docs.influxdata.com/chronograf/v1.7/administration/managing-organizations/#configuring-organizations then anyone that logs in with OAuth2 to the system will be an admin.

I’m not sure if that will work for your use case though.

Thanks,
Russ