
Dify Manual Tenant Creation Guide: Backend Database and Key Configuration Details

2025-07-09

Foreword: Why do I need to create a Dify workspace manually?

Typically, Dify workspaces (or "tenants") are created through the graphical interface. However, in certain scenarios, such as automated deployments, batch tenant creation, data migration, or management in a server environment without a front-end interface, creating workspaces manually through the database and the command line is an efficient solution.

This guide explains step by step how to create a Dify workspace manually. Before you start, make sure you have the following in place:

  • Read and write permissions on the file system of the Dify back-end server.
  • Access to Dify's PostgreSQL database.
  • The OpenSSL command-line tools installed on the system.

Step 1: Prepare and insert database records

The core of creating a new workspace is adding two key records to the database: one in the tenants table to define the new tenant, and one in the tenant_account_joins table to associate the tenant with an existing account.

1. Obtain the account_id

First, you need a user account to be the owner of the new workspace. The ID of this account, the account_id, is the basis for the subsequent operations. You can get the ID of an existing user by querying the accounts table.

For example, to look up the account_id by the user's email address:

SELECT id FROM accounts WHERE email = 'user@example.com';

Make a note of the returned account_id, which is in UUID format.

2. Insert the tenant and association records

Once you have the account_id, execute the following SQL statements to create a new tenant and establish the association. Replace the placeholders in the statements with your actual values.

  • tenants table: defines the basic information about the workspace.
  • tenant_account_joins table: sets the specified account as the "OWNER" of this workspace.

-- Insert the new workspace record into the tenants table; replace 'My New Workspace' with your workspace name
INSERT INTO tenants (id, name, plan, status, created_at, updated_at) 
VALUES (uuid_generate_v4(), 'My New Workspace', 'professional', 'active', now(), now())
RETURNING id; -- Returns the newly generated tenant_id after execution; be sure to note it down

-- Insert the association record into the tenant_account_joins table
-- Replace '<the_tenant_id_from_above>' with the tenant_id returned by the previous statement
-- Replace '<your_account_id>' with the account_id you obtained in section 1.1
INSERT INTO tenant_account_joins (tenant_id, account_id, role, created_at, updated_at) 
VALUES ('<the_tenant_id_from_above>', '<your_account_id>', 'owner', now(), now());

After the first INSERT statement runs, the database returns the newly generated tenant_id. It is vital that you copy and save this ID, as all subsequent steps revolve around it.

Appendix: Table structure reference

tenants table structure

tenant_account_joins table structure

P.S. Role and status descriptions

Tenant Account Role (role)

| Role | Description |
|---|---|
| OWNER | Owner with the highest privileges; can manage all resources and users. |
| ADMIN | Administrator with fewer privileges than the owner. |
| EDITOR | Editor with content editing privileges. |
| NORMAL | Ordinary user with basic access rights. |
| DATASET_OPERATOR | Dataset operator, specializing in dataset management. |

Account Status (status)

| Status | Enum value | Description |
|---|---|---|
| PENDING | "pending" | The account has been created but verification has not been completed. |
| UNINITIALIZED | "uninitialized" | The account has been created but the initial setup has not been completed. |
| ACTIVE | "active" | The account is active and in normal use. |
| BANNED | "banned" | The account is disabled. |
| CLOSED | "closed" | The account has been closed. |

Step 2: Generate RSA Key Pairs

Every workspace needs an RSA key pair, which is used for data encryption. The pair consists of a private key and a public key.

1. Generate the private key

Run the following OpenSSL command to generate a 2048-bit RSA private key and save it as the file private.pem. genpkey is the recommended modern command; the -algorithm parameter specifies RSA as the algorithm, and -pkeyopt sets the key length.

openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048

2. Extract the public key

Next, extract the corresponding public key from the private key file private.pem you just generated and write it to the file public.pem. The rsa subcommand together with the -pubout option is used for exactly this purpose.

openssl rsa -pubout -in private.pem -out public.pem

After execution, you will have two files: private.pem (the private key) and public.pem (the public key).

Step 3: Update the public key to the database

Open the public.pem file and copy the entire contents between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----. Then use this public key string to update the encrypt_public_key field of the corresponding tenant in the tenants table.

Run the following SQL command, remembering to replace the placeholders:

-- Replace '<the_tenant_id_from_step_1>' with the tenant_id you noted in step 1
-- Replace '<your_public_key_string>' with the public key content you copied
UPDATE tenants 
SET encrypt_public_key = '<your_public_key_string>' 
WHERE id = '<the_tenant_id_from_step_1>';

Step 4: Deploy the private key file

The final step is to place the generated private key file private.pem in the directory structure expected by the Dify back-end application. Dify dynamically loads the corresponding private key based on the tenant's ID.

Move or copy the private.pem file to the following path:

dify/api/privkeys/{tenant_id}/private.pem

Replace {tenant_id} with the actual tenant_id you obtained in step 1. If the privkeys directory, or the folder inside it named after your tenant_id, does not exist, you need to create it manually.

For security reasons, it is strongly recommended to restrict the access permissions on the private key file so that only the user running the Dify service can read it:

chmod 600 dify/api/privkeys/{tenant_id}/private.pem

After completing all the above steps, the new workspace has been successfully created and configured.
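
Steps 2 and 4 combined into one script, as an added example that is not part of the original guide or of Dify's own code. It generates the key directly in dify/api/privkeys/{tenant_id}/ under umask 077, so the private key is never readable by other users between the copy and the chmod, and it rejects a tenant_id that is not a UUID before using it in a path. The function names are hypothetical, and the script assumes it is run as the account the Dify service runs under.

```sh
#!/bin/sh
# Added example, not Dify project code; function names are hypothetical.
# Path layout and openssl commands are the ones used in steps 2 and 4.

# Accept only a UUID (8-4-4-4-12 hex), so the value is safe as a path component.
valid_tenant_id() {
  h='[0-9a-fA-F]'; q="$h$h$h$h"
  case "$1" in
    $q$q-$q-$q-$q-$q$q$q) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if the file grants no permission bits to group or others.
key_perms_ok() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Generate the key at its final location under umask 077, so private.pem
# never exists with permissions looser than 600. Refuses to overwrite an
# existing key. Prints the public key (PEM) on stdout for the step 3 UPDATE.
generate_tenant_key() (
  api_dir=$1
  tenant_id=$2
  valid_tenant_id "$tenant_id" || { echo "invalid tenant_id" >&2; exit 1; }
  key_dir="$api_dir/privkeys/$tenant_id"
  if [ -e "$key_dir/private.pem" ]; then
    echo "refusing to overwrite $key_dir/private.pem" >&2
    exit 1
  fi
  umask 077
  mkdir -p "$key_dir" || exit 1
  chmod 700 "$key_dir" || exit 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$key_dir/private.pem" 2>/dev/null || exit 1
  chmod 600 "$key_dir/private.pem" || exit 1
  key_perms_ok "$key_dir/private.pem" || exit 1
  openssl rsa -pubout -in "$key_dir/private.pem" 2>/dev/null
)

# Usage: sh script.sh dify/api <tenant_id>
if [ "$#" -eq 2 ]; then
  generate_tenant_key "$1" "$2"
fi
```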
