root: Multi-tenancy (#7590)

* tenants -> brands, init new tenant model, migrate some config to tenants Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * setup logging for tenants Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * configure celery and cache Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * small fixes, runs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * task fixes, creation of tenant now works by cloning a template schema, some other small stuff Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix-tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * upstream fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix-pylint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix avatar tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * migrate config reputation_expiry as well Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix web rebase Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix migrations for template schema Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix migrations for template schema Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix migrations for template schema 3 Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * revert reputation expiry migration Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix type Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix some more tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * website: tenants -> brands Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * try fixing e2e tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * start frontend :help: Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add ability to disable tenants api Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * delete embedded outpost if it is disabled Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make sure embedded outpost is disabled when tenants are enabled Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * management commands: add --schema option where relevant Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * store files per-tenant Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix embedded outpost deletion Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix files migration Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add tenant api tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add domain tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add settings tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make --schema-name default to public in mgmt commands Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * sources/ldap: make sure lock is per-tenant Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix stuff I broke Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix remaining failing tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * try fixing e2e tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * much better frontend, but save does not refresh form properly Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * update django-tenants with latest fixes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * i18n-extract Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * review comments Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * move event_retention from brands to tenants Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * root: add support for storing media files in S3 Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * use permissions for settings api Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * blueprints: disable tenants management Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix embedded outpost create/delete logic Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make gen Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make sure prometheus metrics are correctly served Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * makefile: don't delete the go api client when not regenerating it Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * tenants api: add recovery group and token creation endpoints Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix startup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix prometheus metrics Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix web stuff Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix migrations from stable Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix oauth source type import Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Revert "fix oauth source type import" This reverts commit d015fd0244. * try with setting_changed signal Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * try with connection_created signal Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix scim tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix web after merge Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix enterprise settings Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "try with connection_created signal" This reverts commit 764a999db8. * Revert "try with setting_changed signal" This reverts commit 32b40a3bbb. * lib/expression: refactor expression compilation Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix django version Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix web after merge Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * relock poetry Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix reconcile Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * try running tenant save in a transaction Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * black Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * test: export postgres logs for debugging and use failfast Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test: fix container name for logs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * do not copy tenant data Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "try running tenant save in a transaction" This reverts commit da6dec5a61. * Revert "do not copy tenant data" This reverts commit d07ae9423672f068b0bd8be409ff9b58452a80f2. * Revert "Revert "do not copy tenant data"" This reverts commit 4bffb19704. * fix clone with nodata Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * why not Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * remove failfast Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove postgres query logging Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update reconcile logic to clearly differentiate between tenant and global Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix reconcile app decorator Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * enable django checks Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * actually nodata was unnecessary as we're cloning from template and not from public Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * pylint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * update django-tenants with sequence fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * actually update Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix e2e tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add tests for settings api Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * add tests for recovery api Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * recovery tests: do them on a new tenant Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * web: fix system status being degraded when embedded outpost is disabled Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix recovery tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tenants tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint-fix Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * update UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add management command to create a tenant Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * release notes Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * more docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * checklist Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * self review Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * spelling Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * make web after upgrading Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * remove extra xlif file Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * prettier Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * Revert "add management command to create a tenant" This reverts commit 39d13c0447. * split api into smaller files, only import urls when tenants is enabled Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rewite some things on the release notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * root: make sure install_id comes from public schema Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * require a license to use tenants Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix tenants tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix files migration Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * release notes: add warning about user sessions being invalidated Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * remove api disabled test, we can't test for it Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2024-01-23 14:28:06 +01:00
parent 73ddaf48be
commit abc0c2d2a2
227 changed files with 6554 additions and 2481 deletions
--- a/website/docs/advanced/tenancy.md
+++ b/website/docs/advanced/tenancy.md
@ -0,0 +1,41 @@
+---
+title: Tenancy
+---
+
+::::warning
+This feature is in alpha. Use at your own risk.
+::::
+
+::::info
+This feature is available from 2024.1.1 and is not to be confused with brands, which used to be called tenants.
+::::
+
+## Preparations
+
+Starting with 2024.1.1, authentik allows for multiple tenants to be created. This allows an operator to manage several authentik installations without having to deploy additional instances.
+
+authentik manages tenants by storing data for each tenant in a separate PostgreSQL schema.
+
+This feature needs to be enabled with the `AUTHENTIK_TENANTS__ENABLED=true`. You also need to set `AUTHENTIK_TENANTS__API_KEY` to a random string, which will be used to authenticate to the tenancy API. This key will allow the creation of recovery keys for every tenant hosted by authentik, store it securely. You will also need to disable the embedded outpost with `AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true` as it is not supported with tenants.
+
+## Usage
+
+Tenants can be created using the API routes associated. Search for `tenant` in the [API browser](../../developer-docs/api/) for the available endpoints.
+
+When creating a tenant, you must specify a `name`, used for display purposes, and a `schema_name`, used to create the PostgreSQL schema associated with the tenant. That `schema_name` must start with `t_` and not be more than 64 characters long.
+
+There is always at least one tenant, `public`. This is the default tenant and cannot be deleted. Despite its name, it is not freely available to the world. Instead, it is stored in the `public` schema of the PostgreSQL database.
+
+By default, all requests that do not explicitly belong to a tenant are redirected to the default tenant. Thus, after creating a tenant, you must associate a domain for which incoming requests will be redirected to said tenant. You can do so with API endpoints. After creating a domain `example.org` that is associated to the tenant `t_example`, all requests made to `example.org` will use the `t_example` tenant. However, requests made to `authentik.tld`, `subdomain.example.org` and all other domains will use the default tenant.
+
+::::warning
+Expression policies currently have access to all tenants.
+::::
+
+## Notes
+
+Upon creating another tenant, a new schema will be created by cloning the `template` schema. This special schema is like a tenant with no data created in it. Cloning an existing schema instead of creating a new one and running migrations on it is done for efficiency purposes.
+
+Data stored in Redis (cache, tasks, locks) will usually get its keys prefixed by the `schema_name`.
+
+Files are stored by-tenant, under a `schema_name` directory. For example, `/media/t_example`. The same is true regardless of the storage backend.
--- a/website/docs/core/tenants.md
+++ b/website/docs/core/tenants.md
@ -1,22 +1,22 @@
 ---
-title: Tenants
-slug: /tenants
+title: Brands
+slug: /brands
 ---

 authentik support soft multi-tenancy. This means that you can configure several options depending on domain, but all the objects like applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.

-The main settings that tenants influence are flows and branding.
+The main settings that brands influence are flows and branding.

 ## Flows

-authentik picks a default flow by picking the flow that is selected in the current tenant, otherwise any flow that
+authentik picks a default flow by picking the flow that is selected in the current brand, otherwise any flow that

    - matches the required designation
    - comes first sorted by slug
    - is allowed by policies

-This means that if you want to select a default flow based on policy, you can just leave the tenant default empty.
+This means that if you want to select a default flow based on policy, you can just leave the brand default empty.

 ## Branding

-The tenant can configure the branding title (shown in website document title and several other places), and the sidebar/header logo.
+The brand can configure the branding title (shown in website document title and several other places), and the sidebar/header logo.
--- a/website/docs/core/certificates.md
+++ b/website/docs/core/certificates.md
@ -100,6 +100,6 @@ services:

 Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).

-Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice.
+Navigate to _System -> Brands_, edit any brand and select the certificate of your choice.

 Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
--- a/website/docs/events/index.md
+++ b/website/docs/events/index.md
@ -8,7 +8,7 @@ Certain information is stripped from events, to ensure no passwords or other cre

 ## Event retention

-The event retention is configured on a per-tenant level, with the default being set to 365 days. For events where a related tenant cannot be found, the retention is also set to 365 days.
+The event retention is configured in the system settings interface, with the default being set to 365 days.

 If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`).

@ -45,11 +45,11 @@ A user logs in (including the source, if available)
    "client_ip": "::1",
    "created": "2023-02-15T15:33:42.771091Z",
    "expires": "2024-02-15T15:33:42.770425Z",
-    "tenant": {
+    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_tenants",
-        "name": "Default tenant",
-        "model_name": "tenant"
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
    }
 }
 ```
@ -93,11 +93,11 @@ A failed login attempt
    "client_ip": "::1",
    "created": "2023-02-15T15:32:55.319608Z",
    "expires": "2024-02-15T15:32:55.314581Z",
-    "tenant": {
+    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_tenants",
-        "name": "Default tenant",
-        "model_name": "tenant"
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
    }
 }
 ```
@ -133,11 +133,11 @@ A user logs out.
    "client_ip": "::1",
    "created": "2023-02-15T15:39:55.976243Z",
    "expires": "2024-02-15T15:39:55.975535Z",
-    "tenant": {
+    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_tenants",
-        "name": "Default tenant",
-        "model_name": "tenant"
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
    }
 }
 ```
@ -182,11 +182,11 @@ A user is written to during a flow execution.
    "client_ip": "::1",
    "created": "2023-02-15T15:41:18.411017Z",
    "expires": "2024-02-15T15:41:18.410276Z",
-    "tenant": {
+    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_tenants",
-        "name": "Default tenant",
-        "model_name": "tenant"
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
    }
 }
 ```
@ -262,11 +262,11 @@ A user authorizes an application.
    "client_ip": "::1",
    "created": "2023-02-15T10:02:48.615499Z",
    "expires": "2023-04-26T10:02:48.612809Z",
-    "tenant": {
+    "brand": {
        "pk": "10800be643d44842ab9d97cb5f898ce9",
-        "app": "authentik_tenants",
-        "name": "Default tenant",
-        "model_name": "tenant"
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
    }
 }
 ```
--- a/website/docs/flow/executors/user-settings.md
+++ b/website/docs/flow/executors/user-settings.md
@ -11,4 +11,4 @@ The user interface (`/if/user/`) embeds a downsized flow executor to allow the u
 This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
 Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.

-To configure which flow is used for this, configure it in the tenant settings.
+To configure which flow is used for this, configure it in the brand settings.
--- a/website/docs/flow/stages/authenticator_totp/index.md
+++ b/website/docs/flow/stages/authenticator_totp/index.md
@ -6,4 +6,4 @@ This stage configures a time-based OTP Device, such as Google Authenticator or A

 You can configure how many digits should be used for the OTP Token.

-The Config URL's Issuer is set based on the currently active tenant's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the tenant tile is recommended.
+The Config URL's Issuer is set based on the currently active brand's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the brand title is recommended.
--- a/website/docs/installation/configuration.mdx
+++ b/website/docs/installation/configuration.mdx
@ -130,6 +130,22 @@ To check if your config has been applied correctly, you can run the following co

    Requests directly coming from one an address within a CIDR specified here are able to set proxy headers, such as `X-Forwarded-For`. Requests coming from other addresses will not be able to set these headers.

+## Media Storage Settings
+
+These settings affect where media files are stored. Those files include applications and sources icons. By default, they are stored on disk in the `/media` directory of the authentik container. S3 storage is also supported.
+
+-   `AUTHENTIK_STORAGE_MEDIA_BACKEND`: Where to store files. Valid values are `file` and `s3`. For `file` storage, files are stored in a `/media` directory in the container. For `s3`, see below.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_REGION`: S3 region where the bucket has been created. May be omitted depending on which S3 provider you use. No default.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_USE__SSL`: Whether to use HTTPS when talking to the S3 storage providers. Defaults to `true`.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_ENDPOINT`: Endpoint to use to talk to the S3 storage provider. Override the previous region and use_ssl settings. Must be a valid URL in the form of `https://s3.provider`. No default.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_SESSION__PROFILE`: Profile to use when using AWS SDK authentication. No default. Supports hot-reloading.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_ACCESS__KEY`: Access key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_SECRET__KEY`: Secret key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_SECURITY__TOKEN`: Security token to authenticate to S3. May be omitted. Supports hot-reloading.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_BUCKET__NAME`: Name of the bucket to use to store files.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_CUSTOM__DOMAIN`: Domain to use to create URLs for users. Mainly useful for non-AWS providers. May include a port. Must include the bucket. Example: `s3.company:8080/authentik-media`.
+-   `AUTHENTIK_STORAGE_MEDIA_S3_SECURE__URLS`: Whether URLS created for users use `http` or `https`. Defaults to `true`.
+
 ## authentik Settings

 ### `AUTHENTIK_SECRET_KEY`
--- a/website/docs/installation/storage-s3.md
+++ b/website/docs/installation/storage-s3.md
@ -0,0 +1,104 @@
+---
+title: S3 storage setup
+---
+
+### Preparation
+
+First, create a user on your S3 storage provider and get access credentials for S3, hereafter referred as `access_key` and `secret_key`.
+
+You'll also need to know which endpoint authentik is going to use to access the S3 API, hereafter referred as `https://s3.provider`.
+
+The bucket in which authentik is going to store files is going to be called `authentik-media`. You may need to change this name depending on your S3 provider limitations. Also, we're suffixing the bucket name with `-media` as authentik currently only stores media files, but may use other buckets in the future.
+
+The domain used to access authentik is going to be referred to as `authentik.company`.
+
+You will also need the AWS CLI.
+
+### S3 configuration
+
+#### Bucket creation
+
+Let's create the bucket in which authentik is going to store files:
+
+```bash
+AWS_ACCESS_KEY_ID=access_key AWS_SECRET_ACCESS_KEY=secret_key aws s3api --endpoint-url=https://s3.provider create-bucket --bucket=authentik-media --acl=private
+```
+
+If using AWS S3, you can omit the `--endpoint-url` option, but may need to specify the `--region` option. If using Google Cloud Storage, refer to its documentation on how to create buckets.
+
+The bucket ACL is set to private, although that is not strictly necessary, as an ACL associated with each object stored in the bucket will be private as well.
+
+#### CORS policy
+
+Next, let's associate a CORS policy to the bucket, to allow the authentik web interface to show images stored in the bucket.
+
+First, save the following file locally as `cors.json`:
+
+```json
+{
+    "CORSRules": [
+        {
+            "AllowedOrigins": ["authentik.company"],
+            "AllowedHeaders": ["Authorization"],
+            "AllowedMethods": ["GET"],
+            "MaxAgeSeconds": 3000
+        }
+    ]
+}
+```
+
+If authentik is accessed from multiple domains, you can add them to the `AllowedOrigins` list.
+
+Let's apply that policy to the bucket:
+
+```bash
+AWS_ACCESS_KEY_ID=access_key AWS_SECRET_ACCESS_KEY=secret_key aws s3api --endpoint-url=https://s3.provider put-bucket-cors --bucket=authentik-media --cors-configuration=file://cors.json
+```
+
+### Configuring authentik
+
+Add the following to your `.env` file:
+
+```env
+AUTHENTIK_STORAGE_MEDIA_BACKEND=s3
+AUTHENTIK_STORAGE_MEDIA_S3_ACCESS__KEY=access_key
+AUTHENTIK_STORAGE_MEDIA_S3_SECRET__KEY=secret_key
+AUTHENTIK_STORAGE_MEDIA_S3_BUCKET__NAME=authentik-media
+```
+
+If you're using AWS S3 as your S3 provider, add the following:
+
+```env
+AUTHENTIK_STORAGE_MEDIA_S3_REGION=us-east-1  # Use the region of the bucket
+```
+
+If you're not using AWS S3 as your S3 provider, add the following:
+
+```env
+AUTHENTIK_STORAGE_MEDIA_S3_ENDPOINT=https://s3.provider
+AUTHENTIK_STORAGE_MEDIA_S3_CUSTOM__DOMAIN=s3.provider/authentik-media
+```
+
+The `ENDPOINT` setting specifies how authentik talks to the S3 provider.
+
+The `CUSTOM__DOMAIN` setting specifies how URLs are constructed to be shown on the web interface. For example, an object stored at `application-icons/application.png` with a `CUSTOM__DOMAIN` setting of `s3.provider/authentik-media` will result in a URL of `https://s3.provider/authentik-media/application-icons/application.png`. You can also use subdomains for your buckets depending on what your S3 provider offers: `authentik-media.s3.provider`. Whether HTTPS is used is controlled by the `AUTHENTIK_STORAGE_MEDIA_S3_SECURE__URLS` which defaults to true.
+
+For more control over settings, refer to the [configuration reference](./configuration.mdx#media-storage-settings)
+
+### Migrating between storage backends
+
+The following section assumes that the local storage path is `/media` and the bucket name is `authentik-media`. It also assumes you have a working `aws` CLI that can interact with the bucket.
+
+#### From file to s3
+
+Follow the setup steps above, and then migrate the files from your local directory to s3:
+
+```bash
+aws s3 sync /media s3://authentik-media
+```
+
+#### From s3 to file
+
+```bash
+aws s3 sync s3://authentik-media /media
+```
--- a/website/docs/interfaces/flow/customization.mdx
+++ b/website/docs/interfaces/flow/customization.mdx
@ -1,6 +1,6 @@
 # Customization

-Since flows can be executed authenticated or unauthenticated, the default settings can be set via tenants _attributes_.
+Since flows can be executed authenticated or unauthenticated, the default settings can be set via brands _attributes_.

 ### `settings.theme.base`

--- a/website/docs/providers/oauth2/device_code.md
+++ b/website/docs/providers/oauth2/device_code.md
@ -6,7 +6,7 @@ This type of authentication flow is useful for devices with limited input abilit

 ### Requirements

-This device flow is only possible if the active tenant has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.
+This device flow is only possible if the active brand has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.

 authentik doesn't ship with a default flow for this usecase, so it is recommended to create a new flow for this usecase with the designation of _Stage configuration_

--- a/website/docs/releases/2024/v2024.1.md
+++ b/website/docs/releases/2024/v2024.1.md
@ -1,10 +1,43 @@
 ---
 title: Release 2024.1
-slug: "/releases/2024.1"
+slug: /releases/2024.1
 ---

 ## Breaking changes

+-   Tenants have been renamed to brands
+
+    The API endpoints associated with brands have also been renamed.
+
+    Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.
+
+-   The following config options have been moved from the config file and can now be set using the admin interface (under **System** -> **Settings**) or the API:
+
+    -   `AUTHENTIK_AVATARS`
+    -   `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`
+    -   `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`
+    -   `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`
+    -   `AUTHENTIK_GDPR_COMPLIANCE`
+    -   `AUTHENTIK_IMPERSONATION`
+    -   `AUTHENTIK_FOOTER_LINKS`
+    -   `AUTHENTIK_REPUTATION__EXPIRY`
+
+    When upgrading to 2024.1, the currently configured options will be automatically migrated to the database, and can be removed from the `.env` or helm values file afterwards.
+
+-   Required `offline_access` scope for Refresh tokens
+
+    The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
+
+    Applications which require will need their configuration update to include the `offline_access` scope mapping.
+
+-   The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).
+
+    There is no built-in migration path for this change. If you set something other than the default (`days=365`), you will need to update the setting in the admin interface.
+
+-   authentik now uses PostgreSQL schemas other than `public`.
+
+    If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.
+
 -   Removal of deprecated metrics

    -   `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
@ -17,20 +50,34 @@ slug: "/releases/2024.1"
    -   `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
    -   `authentik_main_requests` -> `authentik_main_request_duration_seconds`

-   Required `offline_access` scope for Refresh tokens
+-   Icons are now in a `public/` subfolder

-    The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
+    If your media folder is `/media`, icons are now stored in `/media/public`. authentik will automatically migrate the icons upon upgrading.

-    Applications which require will need their configuration update to include the `offline_access` scope mapping.
+-   The shorthand parameter for `--stage`, `-s` for the `ak test_email` command has been changed to `-S`
+
+-   User sessions will be invalidated after this upgrade. As such, users will need to log back in.

 -   The Helm Chart has a number of breaking changes. Find out more in the [chart release notes](https://github.com/goauthentik/helm/releases/tag/authentik-2024.1.0).

 ## New features

+-   Tenancy <span class="badge badge--primary">Enterprise</span>
+
+    :::warning
+    This feature is in early preview. Use at your own risk.
+    :::
+
+    It allows for authentik operators to manage several authentik installations without having to deploy additional instances.
+
 -   "Pretend user exists" option for Identification stage

    Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**

+-   S3 file storage
+
+    Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started.
+
 ## Upgrading

 This release does not introduce any new requirements.
--- a/website/docs/troubleshooting/emails.md
+++ b/website/docs/troubleshooting/emails.md
@ -9,10 +9,10 @@ Some hosting providers block outgoing SMTP ports, in which case you'll have to h
 To test if an email stage, or the global email settings are configured correctly, you can run the following command:

 ```
-ak test_email <to address> [-s <stage name>]
+ak test_email <to address> [-S <stage name>]
 ```

-If you omit the `-s` parameter, the email will be sent using the global settings. Otherwise, the settings of the specified stage will be used.
+If you omit the `-S` parameter, the email will be sent using the global settings. Otherwise, the settings of the specified stage will be used.

 To run this command with docker-compose, use