crocie
April 30, 2025, 7:23am
1
Good morning,
We would like to start using Camunda self-managed and we have seen that in 8.8 there are REST APIs that make tenant creation very easy compared to 8.7. We were wondering if we could download the docker-compose from the alpha version of 8.8.
Thanks,
Elisa
Hello @cpbpm , thanks a lot for your response.
I’m going to try to install this version locally using docker-compose.
Hello @cpbpm , I ran the docker-compose as-is and I deployed a BPMN successfully on the tenant, but I noticed that the Operate and Tasklist services are missing from the docker-compose. How could I fix this?
Thanks,
Elisa
Hello! Very sorry, I saw now that tasklist and operate are like “embedded” inside zeebe? All applications are exposed on the same port 8080. Right?
Hello @cpbpm when I try to deploy a bpmn flow using my tenant I obtain this error message:
Expected to handle gRPC request DeployResource with tenant identifier ‘showcase’, but multi-tenancy is disabled
In my .env file I have these settings:
```
MULTI_TENANCY_ENABLED=true
ZEEBE_AUTHENTICATION_MODE=identity
```
Using Identity UI I created the tenant:
Hi @cpbpm … I just downloaded the new version of Docker Compose (alpha4), and I’m having the same problem as @crocie .
Here’s a screenshot of the error:
and my .env is:
```
## Image versions ##
# renovate: datasource=docker depName=camunda/connectors-bundle
CAMUNDA_CONNECTORS_VERSION=8.8.0-alpha99
# renovate: datasource=docker depName=camunda/zeebe
CAMUNDA_ZEEBE_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=camunda/identity
CAMUNDA_IDENTITY_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=camunda/operate
CAMUNDA_OPERATE_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=camunda/tasklist
CAMUNDA_TASKLIST_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=camunda/optimize
CAMUNDA_OPTIMIZE_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=camunda/web-modeler-restapi
CAMUNDA_WEB_MODELER_VERSION=8.8.0-alpha4
# renovate: datasource=docker depName=elasticsearch
ELASTIC_VERSION=8.17.5
KEYCLOAK_SERVER_VERSION=24.0.5
MAILPIT_VERSION=v1.21.8
POSTGRES_VERSION=14.5-alpine
HOST=localhost
KEYCLOAK_HOST=localhost
ZEEBE_AUTHENTICATION_MODE=identity
ZEEBE_CLIENT_ID=zeebe
ZEEBE_CLIENT_SECRET=zecret
RESOURCE_AUTHORIZATIONS_ENABLED=false
MULTI_TENANCY_ENABLED=true
```
Any suggestions on what might be wrong?
Thank you
Cristiano
Hi @crocie and @Cristiano_Carretti - have you configured the appropriate permissions for that tenant? That would be the first thing I would check, but I don’t see permissions mentioned in this thread yet.
If it looks good on your end, can you share the steps you took? For instance, did you create the tenant via the API? If you can outline the steps to reproduce, I can take this to the product team for assistance. Thanks!
cpbpm
May 13, 2025, 6:10pm
9
You can refer to the document; meanwhile, I will test out the steps.
crocie
May 14, 2025, 1:56pm
10
Hello @nathan.loding I created the tenant using docker-compose:
```yaml
identity: # https://docs.camunda.io/docs/self-managed/platform-deployment/docker/#identity
  container_name: identity
  image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
  ports:
    - "8084:8084"
  environment: # https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/
    SERVER_PORT: 8084
    IDENTITY_RETRY_DELAY_SECONDS: 30
    IDENTITY_URL: http://${HOST}:8084
    KEYCLOAK_URL: http://keycloak:18080/auth
    IDENTITY_AUTH_PROVIDER_ISSUER_URL: http://${KEYCLOAK_HOST}:18080/auth/realms/camunda-platform
    IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:18080/auth/realms/camunda-platform
    IDENTITY_DATABASE_HOST: postgres
    IDENTITY_DATABASE_PORT: 5432
    IDENTITY_DATABASE_NAME: bitnami_keycloak
    IDENTITY_DATABASE_USERNAME: bn_keycloak
    IDENTITY_DATABASE_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
    # KEYCLOAK_INIT_OPTIMIZE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    # KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: http://${HOST}:8083
    KEYCLOAK_INIT_OPERATE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_OPERATE_ROOT_URL: http://${HOST}:8081
    KEYCLOAK_INIT_TASKLIST_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_TASKLIST_ROOT_URL: http://${HOST}:8082
    KEYCLOAK_INIT_WEBMODELER_ROOT_URL: http://${HOST}:8070
    KEYCLOAK_INIT_CONNECTORS_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
    KEYCLOAK_INIT_CONNECTORS_ROOT_URL: http://${HOST}:8085
    KEYCLOAK_INIT_ZEEBE_NAME: zeebe
    KEYCLOAK_USERS_0_USERNAME: "demo"
    KEYCLOAK_USERS_0_PASSWORD: "demo"
    KEYCLOAK_USERS_0_FIRST_NAME: "demo"
    KEYCLOAK_USERS_0_EMAIL: "demo@acme.com"
    KEYCLOAK_USERS_0_ROLES_0: "Identity"
    # KEYCLOAK_USERS_0_ROLES_1: "Optimize"
    KEYCLOAK_USERS_0_ROLES_1: "Operate"
    KEYCLOAK_USERS_0_ROLES_2: "Tasklist"
    KEYCLOAK_USERS_0_ROLES_3: "Web Modeler"
    KEYCLOAK_USERS_0_ROLES_4: "Web Modeler Admin"
    KEYCLOAK_USERS_0_ROLES_5: "Zeebe"
    KEYCLOAK_USERS_1_USERNAME: "showcase-usr"
    KEYCLOAK_USERS_1_PASSWORD: "showcase-usr"
    KEYCLOAK_USERS_1_FIRST_NAME: "Showcase User"
    KEYCLOAK_USERS_1_EMAIL: "showcase.usr@test.it"
    KEYCLOAK_USERS_1_ROLES_0: "Tasklist"
    KEYCLOAK_USERS_2_USERNAME: "showcase-usr-modeller"
    KEYCLOAK_USERS_2_PASSWORD: "showcase-usr-modeller"
    KEYCLOAK_USERS_2_FIRST_NAME: "Showcase User Modeller"
    KEYCLOAK_USERS_2_EMAIL: "showcase.usr.modeller@test.it"
    KEYCLOAK_USERS_2_ROLES_0: "Web Modeler"
    KEYCLOAK_USERS_2_ROLES_1: "Zeebe"
    KEYCLOAK_USERS_3_USERNAME: "showcase-usr-helpdesk"
    KEYCLOAK_USERS_3_PASSWORD: "showcase-usr-helpdesk"
    KEYCLOAK_USERS_3_FIRST_NAME: "Showcase User HelpDesk"
    KEYCLOAK_USERS_3_EMAIL: "showcase.user.helpdesk@test.it"
    KEYCLOAK_USERS_3_ROLES_0: "Operate"
    KEYCLOAK_CLIENTS_0_NAME: zeebe
    KEYCLOAK_CLIENTS_0_ID: ${ZEEBE_CLIENT_ID}
    KEYCLOAK_CLIENTS_0_SECRET: ${ZEEBE_CLIENT_SECRET}
    KEYCLOAK_CLIENTS_0_TYPE: M2M
    KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
    KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION: write:*
    KEYCLOAK_CLIENTS_0_PERMISSIONS_1_RESOURCE_SERVER_ID: operate-api
    KEYCLOAK_CLIENTS_0_PERMISSIONS_1_DEFINITION: write:*
    KEYCLOAK_CLIENTS_0_PERMISSIONS_2_RESOURCE_SERVER_ID: tasklist-api
    KEYCLOAK_CLIENTS_0_PERMISSIONS_2_DEFINITION: write:*
    KEYCLOAK_CLIENTS_0_PERMISSIONS_3_RESOURCE_SERVER_ID: tasklist-api
    KEYCLOAK_CLIENTS_0_PERMISSIONS_3_DEFINITION: read:*
    KEYCLOAK_CLIENTS_0_PERMISSIONS_4_RESOURCE_SERVER_ID: operate-api
    KEYCLOAK_CLIENTS_0_PERMISSIONS_4_DEFINITION: read:*
    KEYCLOAK_CLIENTS_1_ID: ${TEST_APP_CLIENT_ID}
    KEYCLOAK_CLIENTS_1_SECRET: ${TEST_APP_CLIENT_SECRET}
    KEYCLOAK_CLIENTS_1_NAME: ${TEST_APP_NAME}
    KEYCLOAK_CLIENTS_1_TYPE: M2M
    KEYCLOAK_CLIENTS_1_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
    KEYCLOAK_CLIENTS_1_PERMISSIONS_0_DEFINITION: write:*
    KEYCLOAK_CLIENTS_1_PERMISSIONS_1_RESOURCE_SERVER_ID: tasklist-api
    KEYCLOAK_CLIENTS_1_PERMISSIONS_1_DEFINITION: write:*
    KEYCLOAK_CLIENTS_1_PERMISSIONS_2_RESOURCE_SERVER_ID: tasklist-api
    KEYCLOAK_CLIENTS_1_PERMISSIONS_2_DEFINITION: read:*
    KEYCLOAK_CLIENTS_2_ID: modeler-showcase
    KEYCLOAK_CLIENTS_2_SECRET: modeler-showcase
    KEYCLOAK_CLIENTS_2_NAME: modeler-showcase
    KEYCLOAK_CLIENTS_2_TYPE: M2M
    KEYCLOAK_CLIENTS_2_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
    KEYCLOAK_CLIENTS_2_PERMISSIONS_0_DEFINITION: write:*
    KEYCLOAK_CLIENTS_2_PERMISSIONS_1_RESOURCE_SERVER_ID: web-modeler-api
    KEYCLOAK_CLIENTS_2_PERMISSIONS_1_DEFINITION: write:*
    KEYCLOAK_CLIENTS_2_PERMISSIONS_2_RESOURCE_SERVER_ID: web-modeler-api
    KEYCLOAK_CLIENTS_2_PERMISSIONS_2_DEFINITION: admin:*
    IDENTITY_TENANTS_0_NAME: Tenant Showcase
    IDENTITY_TENANTS_0_TENANT_ID: showcase
    IDENTITY_TENANTS_0_MEMBERS_0_TYPE: USER
    IDENTITY_TENANTS_0_MEMBERS_0_USERNAME: demo
    IDENTITY_TENANTS_0_MEMBERS_1_TYPE: APPLICATION
    IDENTITY_TENANTS_0_MEMBERS_1_APPLICATION_ID: modeler-showcase
    IDENTITY_TENANTS_0_MEMBERS_2_TYPE: APPLICATION
    IDENTITY_TENANTS_0_MEMBERS_2_APPLICATION_ID: ${TEST_APP_CLIENT_ID}
    IDENTITY_TENANTS_0_MEMBERS_3_TYPE: APPLICATION
    IDENTITY_TENANTS_0_MEMBERS_3_APPLICATION_ID: ${ZEEBE_CLIENT_ID}
    IDENTITY_TENANTS_0_MEMBERS_4_TYPE: USER
    IDENTITY_TENANTS_0_MEMBERS_4_USERNAME: showcase-usr-modeller
    IDENTITY_TENANTS_0_MEMBERS_5_TYPE: USER
    IDENTITY_TENANTS_0_MEMBERS_5_USERNAME: showcase-usr-helpdesk
    IDENTITY_TENANTS_0_MEMBERS_6_TYPE: USER
    IDENTITY_TENANTS_0_MEMBERS_6_USERNAME: showcase-usr
    IDENTITY_TENANTS_1_NAME: Default
    IDENTITY_TENANTS_1_TENANT_ID: <default>
    IDENTITY_TENANTS_1_MEMBERS_0_TYPE: USER
    IDENTITY_TENANTS_1_MEMBERS_0_USERNAME: demo
```
And in my .env file I have:
........
```
ZEEBE_AUTHENTICATION_MODE=identity
ZEEBE_CLIENT_ID=zeebe
ZEEBE_CLIENT_SECRET=zecret
MULTI_TENANCY_ENABLED=true
# Test Configuration
TEST_APP_CLIENT_ID=wf-showcase-backend
TEST_APP_CLIENT_SECRET=wf-showcase-backend
TEST_APP_NAME=wf-showcase-backend
```
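An Identity environment block in the indexed layout posted above can be checked mechanically before it is used beyond a local test: the Python below is an added example, not code from the thread or from the Camunda project. It flags credentials that equal their own identifier and tenant members that match no declared user or client; the function names `group` and `audit` are hypothetical, and the sample values are constructed from a trimmed subset of the variable names in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed set of variables in the indexed layout used in the post.
DOTENV = {"ZEEBE_CLIENT_ID": "zeebe", "ZEEBE_CLIENT_SECRET": "zecret"}
ENVIRONMENT = {
    "KEYCLOAK_USERS_0_USERNAME": "demo",
    "KEYCLOAK_USERS_0_PASSWORD": "demo",
    "KEYCLOAK_CLIENTS_0_ID": "${ZEEBE_CLIENT_ID}",
    "KEYCLOAK_CLIENTS_0_SECRET": "${ZEEBE_CLIENT_SECRET}",
    "KEYCLOAK_CLIENTS_1_ID": "modeler-showcase",
    "KEYCLOAK_CLIENTS_1_SECRET": "modeler-showcase",
    "IDENTITY_TENANTS_0_TENANT_ID": "showcase",
    "IDENTITY_TENANTS_0_MEMBERS_0_TYPE": "USER",
    "IDENTITY_TENANTS_0_MEMBERS_0_USERNAME": "demo",
    "IDENTITY_TENANTS_0_MEMBERS_1_TYPE": "APPLICATION",
    "IDENTITY_TENANTS_0_MEMBERS_1_APPLICATION_ID": "modeler-showcase",
    "IDENTITY_TENANTS_0_MEMBERS_2_TYPE": "USER",
    "IDENTITY_TENANTS_0_MEMBERS_2_USERNAME": "showcase-usr",  # not declared above
}

def group(env, prefix, dotenv):
    """Collect PREFIX_<n>_<FIELD> variables into {n: {FIELD: value}}, expanding ${VAR}."""
    out = defaultdict(dict)
    for key, value in env.items():
        m = re.fullmatch(rf"{prefix}_(\d+)_(.+)", key)
        if m:
            expanded = re.sub(r"\$\{(\w+)\}", lambda v: dotenv.get(v.group(1), ""), value)
            out[int(m.group(1))][m.group(2)] = expanded
    return out

def audit(env, dotenv):
    """Return findings for weak credentials and undeclared tenant members."""
    users = group(env, "KEYCLOAK_USERS", dotenv)
    clients = group(env, "KEYCLOAK_CLIENTS", dotenv)
    findings = []
    for u in users.values():
        if u.get("PASSWORD") and u.get("PASSWORD") == u.get("USERNAME"):
            findings.append(f"user {u['USERNAME']}: password equals username")
    for c in clients.values():
        if c.get("SECRET") and c.get("SECRET") == c.get("ID"):
            findings.append(f"client {c['ID']}: secret equals client id")
    declared = {u.get("USERNAME") for u in users.values()} | {c.get("ID") for c in clients.values()}
    for t in group(env, "IDENTITY_TENANTS", dotenv).values():
        for field, value in t.items():
            if field.endswith(("_USERNAME", "_APPLICATION_ID")) and value not in declared:
                findings.append(f"tenant {t['TENANT_ID']}: member {value} is not declared")
    return findings
```
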
Hi @nathan.loding … in my case, I created my tenant “mytenant” via the Identity UI and associated it with the pre-created first user “demo”.
So in this case, through Modeler, demo is able to deploy and run a process on the “Default” tenant (empty or value).
But I have noticed that no discriminators appear in the “operate UI” and “tasklist UI”.
For my custom tenant “mytenant” I still have the same previous error.
Thanks for the info @crocie and @Cristiano_Carretti . It is possible this is a bug with the current alpha. I don’t have time to test this myself until next week, but I’ve asked the product team to see if they have any immediate thoughts.
Hi @crocie and @Cristiano_Carretti - this is currently a known issue with the <=8.8-alpha4 releases. One of the final changes in our architecture update is ensuring Identity is properly integrated within all the components - specifically Zeebe - to streamline authentication and authorization. That work is still ongoing and that is the root cause of multi-tenancy not fully functioning in the alpha.
If you want to build against multi-tenancy, you can wait for a future alpha release or build against 8.7, which is the latest stable release.