Creating and managing tenant accounts

When you create a tenant account, you specify who can use your StorageGRID Webscale system to store and retrieve objects, and what functionality is available to them.

What tenant accounts are

Tenant accounts allow client applications that use the Simple Storage Service (S3) REST API or the Swift REST API to store and retrieve objects on StorageGRID Webscale.

Each tenant account supports the use of a single protocol, which you specify when you create the account. To store and retrieve objects on a StorageGRID Webscale system using both protocols, you must create two tenant accounts: one for S3 buckets and objects, and one for Swift containers and objects. Each tenant account has its own unique account ID, federated or local groups and users, containers (buckets for S3), and objects.

Optionally, you can create additional tenant accounts if you want to segregate the objects stored on your system by different entities. For example, you might set up multiple tenant accounts in either of these use cases:
  • Enterprise use case: If you are administering a StorageGRID Webscale system in an enterprise application, you might want to segregate the grid's object storage by the different departments in your organization. In this case, you could create tenant accounts for the Marketing department, the Customer Support department, the Human Resources department, and so on.
    Note: If you use the S3 client protocol, you can simply use S3 buckets and bucket policies to segregate objects between the departments in an enterprise. You do not need to use tenant accounts. See the instructions for implementing S3 client applications for more information.
  • Service provider use case: If you are administering a StorageGRID Webscale system as a service provider, you can segregate the grid's object storage by the different entities that will lease the storage on your grid. In this case, you would create tenant accounts for Company A, Company B, Company C, and so on.
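The enterprise use case above, segregating departments with S3 bucket policies inside a single tenant account rather than with separate tenant accounts, as an added example (this is not code from the StorageGRID documentation or from NetApp). The account ID, group names and bucket names are constructed placeholders, the principal ARN form `arn:aws:iam::<account-id>:federated-group/<name>` is an assumption about how the grid names federated groups, and the evaluator is a deliberately simplified model of bucket-policy evaluation (explicit Deny, then Allow, else default deny), not the grid's own logic.

```python
"""Added example: one S3 tenant account, one bucket per department, and a
bucket policy per bucket that grants access only to that department's group.
A small evaluator shows the resulting allow/deny decisions."""
import fnmatch
import json

ACCOUNT_ID = "00000000000000000000"  # placeholder tenant account ID (constructed)


def group_arn(group: str) -> str:
    # Assumed principal format for a federated group; verify against your grid's docs.
    return f"arn:aws:iam::{ACCOUNT_ID}:federated-group/{group}"


def department_policy(bucket: str, group: str) -> dict:
    """Bucket policy letting exactly one group list the bucket and read,
    write and delete its objects. Nothing is granted to anyone else, so
    other departments fall through to the default deny."""
    return {
        "Statement": [
            {
                "Sid": f"{group}-bucket-listing",
                "Effect": "Allow",
                "Principal": {"AWS": group_arn(group)},
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": f"{group}-object-access",
                "Effect": "Allow",
                "Principal": {"AWS": group_arn(group)},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ]
    }


def _matches(pattern, value: str) -> bool:
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Simplified evaluator: a matching Deny wins, then any matching Allow,
    otherwise default deny. Only the bucket policy is modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Principal"]["AWS"], principal_arn):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample: three departments sharing one tenant account.
POLICIES = {
    "marketing-data": department_policy("marketing-data", "marketing"),
    "support-data": department_policy("support-data", "support"),
    "hr-data": department_policy("hr-data", "hr"),
}


def can_access(group: str, action: str, bucket: str, key: str = "") -> bool:
    resource = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    return is_allowed(POLICIES[bucket], group_arn(group), action, resource)


if __name__ == "__main__":
    print(json.dumps(POLICIES["marketing-data"], indent=2))
    print("marketing -> marketing-data:", can_access("marketing", "s3:PutObject", "marketing-data", "q3/plan.pdf"))
    print("marketing -> hr-data:", can_access("marketing", "s3:GetObject", "hr-data", "salaries.csv"))
```

The policies grant only what each department needs; cross-department requests are not denied by a rule but simply never allowed, which is the least-privilege default you want when several departments share one account ID. When the departments must not share an identity source, access keys or quota at all, separate tenant accounts (the second use case) are the stronger boundary.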

Creating tenant accounts

When you create a tenant account, you specify the following information:
  • Display name for the tenant account (the tenant's account ID is assigned automatically and cannot be changed)
  • Which client protocol will be used by the tenant account (S3 or Swift)
  • Initial password for the tenant account’s root user
  • Whether the tenant account will use its own identity source or share the grid's identity source
  • For S3 tenant accounts: Whether the tenant account has permission to use platform services with S3 buckets. If you permit tenant accounts to use platform services, you must ensure that the grid is configured to support their use. See "Managing platform services" for more information.
  • Optionally, a storage quota for the tenant account—the maximum number of gigabytes, terabytes, or petabytes available for the tenant's objects. A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk).
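The settings listed above, turned into a validated account-creation request plus a quota check that compares logical object size rather than physical size on disk, as an added example (not code from the StorageGRID documentation or from NetApp). The request field names (`name`, `capabilities`, `password`, `policy.useAccountIdentitySource`, `policy.allowPlatformServices`, `policy.quotaObjectBytes`) are an assumption about the Grid Management API's create-account body and must be checked against your grid's API documentation; the decimal GB/TB/PB multipliers and all sample values are constructed.

```python
"""Added example: validate the information needed to create a tenant account,
build the request body, and report logical versus physical usage against the
tenant's storage quota."""
from dataclasses import dataclass
from typing import Optional

# Assumed decimal units for the quota; check how your grid interprets GB/TB/PB.
UNIT_BYTES = {"GB": 10**9, "TB": 10**12, "PB": 10**15}


@dataclass
class TenantSpec:
    display_name: str
    protocol: str                      # "s3" or "swift"; exactly one per tenant
    root_password: str                 # initial password for the tenant's root user
    own_identity_source: bool          # False = share the grid's identity source
    allow_platform_services: bool = False   # S3 tenants only
    quota: Optional[int] = None        # amount in quota_unit; None = no quota
    quota_unit: str = "TB"


def quota_bytes(amount: int, unit: str) -> int:
    if unit not in UNIT_BYTES:
        raise ValueError(f"quota unit must be one of {sorted(UNIT_BYTES)}")
    if amount <= 0:
        raise ValueError("quota must be positive")
    return amount * UNIT_BYTES[unit]


def build_create_request(spec: TenantSpec) -> dict:
    """Apply the rules from the text and return the request body.
    Field names are assumed, not taken from the documentation page."""
    if spec.protocol not in ("s3", "swift"):
        raise ValueError("a tenant account uses exactly one protocol: s3 or swift")
    if not spec.display_name.strip():
        raise ValueError("display name is required (the account ID is assigned by the grid)")
    if not spec.root_password:
        raise ValueError("an initial root password is required")
    if spec.allow_platform_services and spec.protocol != "s3":
        raise ValueError("platform services apply only to S3 tenant accounts")
    policy = {
        "useAccountIdentitySource": spec.own_identity_source,
        "allowPlatformServices": spec.allow_platform_services,
    }
    if spec.quota is not None:
        policy["quotaObjectBytes"] = quota_bytes(spec.quota, spec.quota_unit)
    return {
        "name": spec.display_name,
        "capabilities": ["management", spec.protocol],
        "password": spec.root_password,
        "policy": policy,
    }


def usage_report(object_sizes: list, quota_object_bytes: int, copies: int = 2) -> dict:
    """The quota is compared against the logical size (sum of object sizes).
    With `copies` replicas the physical footprint is larger, but that is not
    what the quota measures; both are returned so the difference is visible."""
    logical = sum(object_sizes)
    return {
        "logical_bytes": logical,
        "physical_bytes": logical * copies,
        "quota_bytes": quota_object_bytes,
        "over_quota": logical > quota_object_bytes,
    }


if __name__ == "__main__":
    spec = TenantSpec("Marketing", "s3", "placeholder-password", False, True, 2, "TB")
    body = build_create_request(spec)
    print(body)
    # 600 GB of objects stored twice: 1.2 TB on disk, but 0.6 TB against a 1 TB quota.
    print(usage_report([600 * 10**9], body["policy"]["quotaObjectBytes"] // 2))
```

The last call is the point of the quota sentence in the text: a tenant holding 600 GB of objects that the grid stores twice occupies 1.2 TB physically yet is still under a 1 TB quota, because the quota counts object size, not disk usage.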

Configuring S3 tenants

After an S3 tenant account is created, tenant users can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid), or creating local groups and users
  • Managing S3 access keys
  • Creating and managing S3 buckets
  • Using platform services (if enabled)
  • Monitoring storage usage
Attention: S3 tenant users can create and manage S3 buckets with the Tenant Manager, but they must have S3 access keys and use the S3 REST API to ingest and manage objects.

Configuring Swift tenants

After a Swift tenant account is created, the tenant's root user can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid), or creating local groups and users
  • Monitoring storage usage
Attention: The tenant's root user can sign in to the Tenant Manager. However, the tenant's root user does not have permission to use the Swift REST API. To authenticate to the Swift REST API to create containers and ingest objects, the user must belong to a group with the Administrator permission. However, administrator users cannot sign in to the Tenant Manager.