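At 5:23, the neighboring tenant's Agent went haywire and burned through the GPU quota. Fortunately, we had isolation in place.

Multi-tenant isolation is a core enterprise capability of OpenClaw. When multiple teams or customers share a single OpenClaw instance, you need to make sure they do not interfere with one another, much like a shared flat where each person has their own room, their own key, and their own shelf in the fridge. Multi-tenant isolation gives every "tenant" a separate "room".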

```bash
# Create a new tenant
openclaw tenant create \
  --name "team-alpha" \
  --display-name "Alpha团队" \
  --owner "alice@example.com" \
  --labels team=alpha,env=production

# List tenants
openclaw tenant list

# Get tenant details
openclaw tenant get team-alpha
```

```yaml
# quota-config.yaml
apiVersion: openclaw.io/v1
kind: TenantQuota
metadata:
  name: team-alpha-quota
  tenant: team-alpha
spec:
  compute:
    maxConcurrentSessions: 10
    maxAgentsPerSession: 5
    gpuMemoryLimit: "8GB"
    cpuLimit: "4 cores"
  storage:
    maxSessionAge: "30d"
    maxTotalStorage: "10GB"
    maxSnapshots: 50
  api:
    rateLimit:
      requestsPerMinute: 200
      tokensPerDay: 500000
    maxModelTier: "pro"  # Caps the model tier the tenant may use
  network:
    allowedDomains:
      - "github.com"
      - "api.openai.com"
      - "company-internal.com"
    blockedDomains:
      - "evil.com"
    maxOutboundRequests: 1000/hour
```

```yaml
# data-isolation-config.yaml
isolation:
  level: "strict"  # none | basic | strict | airgap
  strict:
    # Forbid cross-tenant data access
    crossTenantAccess: false
    # Separate storage
    storage:
      separate: true
      encryptionKey: "tenant-specific"
    # Separate model context
    context:
      isolation: true
      noSharedPrompts: true
    # Log isolation
    logs:
      separate: true
      accessPolicy: "owner-only"
  airgap:
    # Network isolation
    network:
      isolated: true
      allowedCidr: ["10.0.1.0/24"]
    # No external API access
    externalAccess: false
```
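
| Scale | Isolation level | Recommended scenario |
|---|---|---|
| Individual / small team | basic | Shared instance, basic data isolation |
| Department / team | strict | Full data isolation plus quota management |
| Enterprise / customer | airgap | Network isolation plus the highest security level |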
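
A pre-apply lint for the isolation settings shown in `data-isolation-config.yaml`, as an added example that is not part of OpenClaw or of the original page. `auditIsolation`, the `REQUIRED` rule table, and the assumption that `airgap` must also satisfy every `strict` setting are hypothetical; the input is the parsed config as a plain object.

```javascript
// Added example, not OpenClaw code. Expected values mirror the YAML on this page.
const LEVELS = ['none', 'basic', 'strict', 'airgap'];
const REQUIRED = {
  strict: {
    'crossTenantAccess': false,
    'storage.separate': true,
    'storage.encryptionKey': 'tenant-specific',
    'context.isolation': true,
    'context.noSharedPrompts': true,
    'logs.separate': true,
    'logs.accessPolicy': 'owner-only',
  },
  airgap: { 'network.isolated': true, 'externalAccess': false },
};
// Walk a dotted path; returns undefined when any segment is missing.
const get = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

function auditIsolation(cfg) {
  const iso = (cfg && cfg.isolation) || {};
  const rank = LEVELS.indexOf(iso.level);
  if (rank < 0) return [`unknown isolation level: ${JSON.stringify(iso.level)}`];
  const findings = [];
  // Assumption: airgap must also satisfy everything strict requires.
  const blocks = LEVELS.slice(2, rank + 1);
  for (const block of blocks) {
    for (const [path, want] of Object.entries(REQUIRED[block])) {
      const got = get(iso[block], path);
      // Strict equality: a missing key or the string "false" must not pass.
      if (got !== want) findings.push(`${block}.${path}: expected ${JSON.stringify(want)}, got ${JSON.stringify(got)}`);
    }
  }
  if (blocks.includes('airgap')) {
    const cidrs = get(iso.airgap, 'network.allowedCidr');
    if (!Array.isArray(cidrs) || cidrs.length === 0 || cidrs.some((c) => /\/0$/.test(String(c)))) {
      findings.push('airgap.network.allowedCidr: expected a non-empty list with no /0 range');
    }
  }
  return findings;
}

// Constructed sample: declared "strict", but one value is a string and one is missing.
const sample = { isolation: { level: 'strict', strict: {
  crossTenantAccess: 'false',
  storage: { separate: true, encryptionKey: 'tenant-specific' },
  context: { isolation: true, noSharedPrompts: true },
  logs: { separate: true },
} } };
console.log(auditIsolation(sample));
```

An empty result means the declared level is backed by explicit settings; any finding should block the rollout, since a missing key is treated as a failure rather than as a safe default.
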

```javascript
const { OpenClawAdmin } = require('@openclaw/admin-sdk');

async function setupTenant(config) {
  const admin = new OpenClawAdmin({
    apiKey: process.env.ADMIN_API_KEY
  });

  // 1. Create the tenant
  const tenant = await admin.tenants.create({
    name: config.name,
    displayName: config.displayName,
    owner: config.owner,
    labels: config.labels
  });

  // 2. Set quotas
  await admin.tenants.setQuota(tenant.id, {
    compute: {
      maxConcurrentSessions: config.maxSessions,
      gpuMemoryLimit: config.gpuLimit
    },
    api: {
      rateLimit: { requestsPerMinute: config.rpm },
      maxModelTier: config.modelTier
    }
  });

  // 3. Configure the isolation policy
  await admin.tenants.setIsolation(tenant.id, {
    level: config.isolationLevel,
    crossTenantAccess: false,
    separateStorage: true
  });

  // 4. Initialize the default Agent
  const agent = await admin.tenants.createAgent(tenant.id, {
    name: `${config.name}-default`,
    model: config.defaultModel,
    skills: ['web-search', 'file-ops']
  });

  console.log(`租户 ${config.name} 创建完成`);
  console.log(`Agent ID: ${agent.id}`);
  return { tenant, agent };
}

async function tenantHealthReport() {
  const admin = new OpenClawAdmin();
  const tenants = await admin.tenants.list();

  // Collect usage and health for every tenant in parallel
  const report = await Promise.all(tenants.map(async (tenant) => {
    const usage = await admin.tenants.getUsage(tenant.id);
    const health = await admin.tenants.healthCheck(tenant.id);
    return {
      name: tenant.name,
      status: health.status,
      sessionCount: usage.activeSessions,
      tokenUsage: `${usage.tokensUsed}/${usage.tokenQuota}`,
      storageUsage: `${usage.storageUsed}/${usage.storageQuota}`,
      alerts: health.alerts
    };
  }));

  // Print the summary report
  console.table(report);
  return report;
}
```

📅 Updated: 2026-05-11