KX self-service licensing
This document gives an overview of the KX self-service licensing application,
which provides the ability to self-generate licenses for kdb+, kdb Insights and kdb Insights Enterprise.
If you are an existing KX user, this provides an alternative to
k4.lic licensing via firstname.lastname@example.org.
Since this is self-service, this allows you to elastically scale your deployments vertically or horizontally in a
Additionally self-service licenses are consumption-based. They capture metered usage for shipping back to KX and consumption-based billing.
Other notable features are worth highlighting;
- fully automated license renewals
- automated usage log shipping
- self-managed organisational units and user management
- email-based authentication
The motivation for building this application was to streamline the licensing process. You now have the power to manage your own licenses, scale on-demand, and only pay for what you use.
Before proceeding any further, this section describes the system architecture and some important concepts.
The application implements a client-server architecture, with a client-side tool klic interacting with a KX-hosted license server on the public Internet.
The majority of license management actions need to be performed on an Internet connected machine. These do not need to be performed within the environment the license will be installed to.
'Bastion' modes are supported for any operations that need to run within the environment. This involves an Internet-connected bastion host with a connection into the offline target machine.
In order to generate licenses and take advantage of the full features of the self-service licensing application, you will need to become familiar with the important concepts and organisational units. This section describes these entities.
As a prerequisite to generating licenses, you must set up: - Tenants - Entitlements - Environments
A tenant is an organisational unit (or SKU) used to manage your licenses, administer access to your users and other functions detailed later.
Once you have created a tenant, KX will provide you with an entitlement. This provides you the ability to create licenses and controls the available functionality to you, i.e. kdb+, kdb Insights or kdb Insights Enterprise software/license features, license duration, where you can deploy.
Generally a single tenant is suitable for most use-cases. However in cases where there are different divisions of a company, you may want to segregate them, especially if they have different entitlements. A single tenant may have multiple entitlements but segregating might be preferable.
An environment is where kdb+, kdb Insights or kdb Insights Enterprise is going to be deployed; for example, an on-prem server, a Cloud VM, Docker container, Kubernetes cluster. A tenant will likely contain a variety of different environments. The environment captures an identity (set of unique identifiers) for the deployment host.
A license is created from an environment. It contains part of the environment identity and kdb+, kdb Insights or kdb Insights Enterprise will validate the license against the environment identity at runtime. This prevents a license from one environment being run in another.
The diagram below shows an example hierarchy of a single company with two tenants.
Entitlements determine how kdb+, kdb Insights or kdb Insights Enterprise can be deployed and used. There are three parameters that control this.
tier a tier corresponds to a set of kdb+, kdb Insights or kdb Insights Enterprise features. KX will assign a tier to your entitlement and this will define what products you can use. You can describe your entitlement to check the tier.
duration this defines the number of days your license will be valid before it needs to be renewed. Typically this is 90 days, meaning your licenses will need to be renewed at that frequency.
scope the scope relates to where the license will run. There are two possible scopes;
localallows licenses to be created for single-server deploys, and
globalallows for multi-server deploys, e.g. Kubernetes clusters, Cloud accounts.
The majority of the license and tenant management is performed by a logged-in, human user. However certain tasks are suitable for automation. For this you can create a service account and automate license renewals and usage log shipping. Creating a service account generates a token, which can be used in scripts to perform these tasks.
Groups are used to manage access to and roles within a tenant. When you create a tenant it will automatically create an owner group. This group allows you to specify users or email domains to control who has access to manage the tenant.
There are three group roles supported;
- owner - an admin for the tenant and can manage the tenant, create licenses, groups, add permissions.
- editor - can create environments, licenses
- viewer - can read settings and submit usage data
The application provides several options for the following types of environments.
- bare metal
- virtual machines
- cloud instances
- Kubernetes (k8s) and