Docker Compose 8.8-alpha7 in Multitenancy mode

Cristiano_Carretti · August 26, 2025, 12:20pm

I have installed the new camunda 8.8-alpha7 with a docker compose.
My only changes in .env file are:

ZEEBE_AUTHENTICATION_MODE=identity

and

MULTI_TENANCY_ENABLED=true
CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI=false

After the sturtup ( docker compose -p camunda88 up -d), my cluster status is

NAMES	STATUS
web-modeler-webapp	Up 2 minutes (healthy)
optimize	Up 3 minutes (healthy)
web-modeler-restapi	Up 3 minutes (healthy)
connectors	Up 4 minutes (unhealthy)
identity	Up 3 minutes (healthy)
keycloak	Up 4 minutes (healthy)
zeebe	Up 4 minutes (healthy)
mailpit	Up 4 minutes (healthy)
web-modeler-db	Up 4 minutes (healthy)
web-modeler-websockets	Up 4 minutes (healthy)
elasticsearch	Up 4 minutes (healthy)
postgres	Up 4 minutes (healthy)

The conectors has a lot of this authetnitcation error:

io.grpc.StatusRuntimeException: UNAUTHENTICATED: Expected authentication information to start with 'Basic '
        at io.grpc.Status.asRuntimeException(Status.java:532)
        at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:564)
        at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:565)
        at io.grpc.internal.ClientCallImpl.access$100(ClientCallImpl.java:72)
        at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:733)
        at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:714)
        at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
        at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)

so when i try to “deploy&run” my first process, i get this exception into web-modeler-restapi:

Caused by: java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Expected authentication information to start with 'Basic '
        at java.base/java.util.concurrent.CompletableFuture.wrapInExecutionException(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
        at io.camunda.client.impl.CamundaClientFutureImpl.join(CamundaClientFutureImpl.java:51)
        ... 193 common frames omitted
Caused by: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Expected authentication information to start with 'Basic '
        at io.grpc.Status.asRuntimeException(Status.java:532)
        at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:564)
        at io.grpc.internal.DelayedClientCall$DelayedListener$3.run(DelayedClientCall.java:489)
        at io.grpc.internal.DelayedClientCall$DelayedListener.delayOrExecute(DelayedClientCall.java:453)
        at io.grpc.internal.DelayedClientCall$DelayedListener.onClose(DelayedClientCall.java:486)
        at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:565)
        at io.grpc.internal.ClientCallImpl.access$100(ClientCallImpl.java:72)
        at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:733)
        at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:714)
        at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
        at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        ... 1 common frames omitted

2025-08-26 12:07:10.846  INFO 1 --- [  XNIO-1 task-2] [bf33e518-1ffd-42c0-a0cf-f3f942383da9] i.c.m.util.logging.RequestLoggingFilter  : 638ef9c0-7860-4457-a522-f0690b530aef "POST /internal-api/files/f01bf3fd-d0f7-478c-99ea-a44c6b39a32a/execute, headers=[sec-fetch-mode:"cors", referer:"http://localhost:8070/diagrams/f01bf3fd-d0f7-478c-99ea-a44c6b39a32a--new-bpmn-diagram?v=760,386,1", content-length:"65", expires:"0", sec-fetch-site:"same-origin", x-client-version:"15bca27389885e8f58613df444d5b8ebdb2ac700", accept-language:"en,it-IT;q=0.9,it;q=0.8,en-US;q=0.7", origin:"http://localhost:8070", Connection:"keep-alive", x-correlation-id:"bf33e518-1ffd-42c0-a0cf-f3f942383da9", Host:"web-modeler-restapi:8081", pragma:"no-cache", accept:"application/json; charset=utf-8", accept-charset:"utf-8", authorization:"masked", x-request-source:"script", sec-ch-ua:""Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"", sec-ch-ua-mobile:"?0", sec-ch-ua-platform:""Windows"", content-type:"application/json; charset=utf-8", cache-control:"no-cache", accept-encoding:"gzip, deflate, br, zstd", user-agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36", sec-fetch-dest:"empty"]" - 500 INTERNAL_SERVER_ERROR

Where is my mistake?

nathan.loding · August 26, 2025, 7:00pm

Hi @Cristiano_Carretti - what if you remove CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI=false from the .env file? I don’t believe that is needed for this setup.

Cristiano_Carretti · August 27, 2025, 7:43am

Hi @nathan.loding
also thought this property was unnecessary, but if I remove it, I get this status:

NAMES	STATUS
web-modeler-webapp	Up 4 minutes (healthy)
web-modeler-restapi	Up 5 minutes (healthy)
connectors	Up 6 minutes (unhealthy)
identity	Up 5 minutes (healthy)
keycloak	Up 6 minutes (healthy)
zeebe	Up 6 seconds (health: starting)
mailpit	Up 6 minutes (healthy)
web-modeler-websockets	Up 6 minutes (healthy)
elasticsearch	Up 6 minutes (healthy)
web-modeler-db	Up 6 minutes (healthy)
postgres	Up 6 minutes (healthy)

and on zeebe i get the error:

Caused by: java.lang.IllegalStateException: Multi-tenancy is enabled (camunda.security.multiTenancy.checksEnabled=true), but the API is unprotected (camunda.security.authentication.unprotected-api=true). Please enable API protection if you want to make use of multi-tenancy.
        at io.camunda.application.commons.security.CamundaSecurityConfiguration.validate(CamundaSecurityConfiguration.java:54)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMethod.invoke(InitDestroyAnnotationBeanPostProcessor.java:457)
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:401)
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:219)
        ... 18 more

So i have tried with CAMUNDA_SECURITY_MULTITENANCY_CHECKSENABLED=false. In this case the status seems correct:

NAMES	STATUS
web-modeler-webapp	Up 4 minutes (healthy)
web-modeler-restapi	Up 5 minutes (healthy)
connectors	Up 6 minutes (healthy)
identity	Up 5 minutes (healthy)
zeebe	Up 6 minutes (healthy)
keycloak	Up 6 minutes (healthy)
postgres	Up 6 minutes (healthy)
web-modeler-websockets	Up 6 minutes (healthy)
web-modeler-db	Up 6 minutes (healthy)
elasticsearch	Up 6 minutes (healthy)
mailpit	Up 6 minutes (healthy)

but, after creating a new tenant called ‘showcase’ in Identity, when I try to ‘deploy & run’ my first process on it, I get this error in the Web Modeler UI: Expected to handle request DeployResource with tenant identifier 'showcase', but multi-tenancy is disabled

nathan.loding · August 27, 2025, 3:51pm

@Cristiano_Carretti - I was able to reproduce what you’re seeing so I took it to our engineering team. That docker-compose.yaml configuration isn’t fully working with the latest alphas. The architecture streamlining changed how the security works within the cluster, so all the different configuration paths aren’t quite working yet. I’ll see if I can get a working alpha7 multi-tenancy configuration while the team continues development on the final release and documentation.

github.com/camunda/camunda-distributions

document how to set multitenancy in compose for 8.8

opened 04:02PM - 09 Jul 25 UTC

jessesimpson36

For 8.7 and below, we have a setting `MULTI_TENANCY_ENABLED` which will enable o…r disable multitenancy. In https://github.com/camunda/camunda-distributions/pull/185 I removed this setting because it only modified one setting, and we want to encourage people editing the `.core/application.yaml`. Additionally, the setting was incorrect so multitenancy was not working when set. This issue is for tracking the documentation update of how we tell people how to configure multitenancy, as we previously directed users to set `MULTI_TENANCY_ENABLED` (In a branch I removed these references).

Cristiano_Carretti · August 28, 2025, 7:35am

@nathan.loding Thank you very much