WebLogic Server Multi-tenancy and Partition Isolation [Article]


    Written in response to a question from the audience Q&A during the OTN Virtual Technology Summit event on March 8, 2016, this article by Tim Quinn, WebLogic Server Technical Lead, explores how you can use the multi-tenancy features in WebLogic 12.2.1 to optimize domain sharing or isolation.



    By Tim Quinn

     

    Introduction

     

    Using the multi-tenancy features of WebLogic Server 12.2.1, administrators can use domain partitions to share computing resources in the WebLogic domain across different tenants. Administrators can also simplify administration and management by consolidating multiple WebLogic domains into multiple domain partitions in a single domain.

     

    Yet sharing the same resources across multiple partitions works against isolating the partitions from each other for security and privacy reasons. This short article explores that tension and highlights how you can use the multi-tenancy features to optimize sharing or isolation.

     

    Virtual Targets

     

    To see how all this works we need to talk about virtual targets in WebLogic Server and their role in multi-tenancy. Briefly, a virtual target does two things:

    1. It establishes how end users connect to apps in a partition (using a partition-specific URI prefix, a partition-specific port number, etc.)
    2. It refers to a WebLogic cluster (or individual server).

    The WebLogic administrator creates one or more virtual targets, associating each with a server or cluster, and creates one or more partitions, linking each partition with one or more virtual targets. These associations control where the apps and resources in each partition will run.

     

    Sharing Resources

     

    Here is how you would set up a domain's virtual targets and partitions to maximize resource sharing.

     

    This is the typical consolidation use case – often called the PaaS (platform-as-a-service) model. Several divisions of one enterprise – for example, HR and Finance for one company – might have their own separate partitions in a single WebLogic domain but want to share the computing resources.

     

    In the simplest example, the WLS administrator creates a virtual target for each partition and links each virtual target with the same cluster (including managed servers MS1 and MS2). Applications and resources from different partitions run in the same managed servers. In this way the WebLogic administrator can share the hardware and software resources on those servers – including the Java virtual machine – across the partitions.

    Consolidation.png

    This lets the administrator achieve higher density. Because the partitions are part of the same enterprise, isolating the partitions’ code and data from each other might not be a major concern.

     

    In contrast, if a single WebLogic domain is hosting different enterprises, each as a different partition, questions of isolation become much more important.

     

    Even so, sometimes it might still make sense for different partitions to share the same managed servers. For example, if you are offering access to a suite of applications to different customers, you have full control over those applications. If you are confident in the applications themselves, you might be willing to have different partitions share the same managed servers, comfortable that the apps themselves are well-behaved and will isolate data for one partition from data for another.

     

    Isolating Partitions

     

    In other situations you cannot be so trusting. Perhaps you do not have that level of confidence in the application code. Perhaps your users or customers themselves insist on stronger separation. Perhaps regulatory constraints mandate stricter isolation.

     

    You can still use the WebLogic multi-tenancy features even in cases where you need physical isolation among partitions, and it is easy.

     

    To make sure that apps from different partitions run on different hosts, the WebLogic administrator simply configures the virtual targets for different partitions to refer to different clusters.

    Isolation.png

    Certainly this trades off density for isolation, but in this configuration the code and data for the two partitions are clearly isolated from each other. They share none of the same JVMs, managed servers, or hosts.
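
    The following is an added example, not code from the original article or from Oracle: it audits whether partitions that must be isolated really share no cluster, managed server (JVM), or host, including the case where two different clusters still place a managed server on the same host. The inventory is a constructed stand-in rather than WebLogic's configuration format, and every name other than HR, Finance, MS1 and MS2 is hypothetical.

```python
from itertools import combinations

# Constructed sample inventory (an assumption, not WebLogic's config.xml format).
VIRTUAL_TARGETS = {            # virtual target -> cluster it refers to
    "vt-hr": "cluster1",
    "vt-finance": "cluster1",
    "vt-acme": "cluster2",
    "vt-globex": "cluster3",
}
CLUSTERS = {                   # cluster -> {managed server: host it runs on}
    "cluster1": {"MS1": "host-a", "MS2": "host-b"},
    "cluster2": {"MS3": "host-c", "MS4": "host-d"},
    "cluster3": {"MS5": "host-d", "MS6": "host-e"},
}
PARTITIONS = {                 # partition -> virtual targets linked to it
    "HR": ["vt-hr"],
    "Finance": ["vt-finance"],
    "Acme": ["vt-acme"],
    "Globex": ["vt-globex"],
}

def footprint(partition):
    """Resolve a partition to the clusters, managed servers and hosts it runs on."""
    clusters = {VIRTUAL_TARGETS[vt] for vt in PARTITIONS[partition]}
    servers = {ms for c in clusters for ms in CLUSTERS[c]}
    hosts = {CLUSTERS[c][ms] for c in clusters for ms in CLUSTERS[c]}
    return {"cluster": clusters, "managed server": servers, "host": hosts}

def shared_resources(a, b):
    """Return what two partitions share at each level; an empty dict means isolated."""
    fa, fb = footprint(a), footprint(b)
    return {lvl: sorted(fa[lvl] & fb[lvl]) for lvl in fa if fa[lvl] & fb[lvl]}

def audit(must_isolate):
    """Check every pair in must_isolate and return the pairs that are not isolated."""
    findings = {}
    for a, b in combinations(sorted(must_isolate), 2):
        overlap = shared_resources(a, b)
        if overlap:
            findings[(a, b)] = overlap
    return findings

if __name__ == "__main__":
    # HR vs. Finance share everything (consolidation); Acme vs. Globex leak at host level.
    for pair, overlap in audit({"Acme", "Globex", "HR"}).items():
        print(pair, "share", overlap)
```

    In the sample data, Acme and Globex are targeted to different clusters yet still share host-d, which is exactly the kind of gap that a cluster-level review alone would miss.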

     

    You Get to Choose

     

    No single approach will work for every possible installation. The WebLogic multi-tenancy features let you decide how to set up your domain's partitions and targeting to balance these competing needs -- resource sharing vs. isolation -- the way you want.

     

    Additional Resources

     

    There are many other places to find out more about WebLogic multi-tenancy.

     

    Recently, Oracle hosted an Oracle Technology Network Virtual Technology Summit covering a wide range of topics. Among them was an overview of the new multi-tenancy features in Oracle’s WebLogic Server 12.2.1 product. You can replay that session and find out about other sessions by following this link to register for access to the event. Once logged on, navigate to the Middleware track and click on the link for the WebLogic Multi-Tenancy Fundamentals session.

     

    Here is the published WebLogic Server 12.2.1 documentation: https://docs.oracle.com/middleware/1221/wls/index.html

     

    You might find these WebLogic blog postings helpful:

    https://blogs.oracle.com/WebLogicServer/entry/domain_partitions_for_multi_tenancy

    https://blogs.oracle.com/dipol/entry/partition_targeting_and_virtual_targets

    https://blogs.oracle.com/misty/entry/multi_tenancy_deployment

     

    About the Author

     

    Tim Quinn is a technical lead for the WebLogic Server partition subsystem, a foundational feature for multi-tenancy support. Prior to his work on WebLogic he worked at Oracle and Sun on deployment, administration, and the app client container in the GlassFish open-source app server, the Java EE reference implementation. His earlier work includes object-oriented environments, database design and tuning, and high-throughput transaction processing systems. He holds a Ph.D. in computer science from Northwestern University.