Using a StorageGRID tenant account

Tenant accounts allow you to use the Simple Storage Service (S3) REST API or the Swift REST API to store and retrieve objects on a StorageGRID system.

Each tenant account supports the use of a single protocol, which is specified by the grid administrator when the account is created. To store and retrieve objects on a StorageGRID system using both protocols, you must have two tenant accounts: one for S3 buckets and objects, and one for Swift containers and objects. Each tenant account has its own federated or local groups, users, buckets (S3) or containers (Swift), and objects; nothing in one tenant account is visible to another.

Optionally, tenant accounts can be used to segregate stored objects by different entities. For example, multiple tenant accounts can be used for either of these use cases:
  • Enterprise use case: If the StorageGRID system is being used within an enterprise, the grid's object storage might be segregated by the different departments in the organization. For example, there might be tenant accounts for the Marketing department, the Customer Support department, the Human Resources department, and so on.
    Note: If you use the S3 client protocol, you can also use S3 buckets and bucket policies to segregate objects between the departments in an enterprise. You do not need to create separate tenant accounts. See instructions for implementing S3 client applications.
  • Service provider use case: If the StorageGRID system is being used by a service provider, the grid's object storage might be segregated by the different entities that lease the storage. For example, there might be tenant accounts for Company A, Company B, Company C, and so on.
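The note above says that, within one S3 tenant account, bucket policies can segregate departments instead of separate tenant accounts. The following is an added example, not code from the StorageGRID documentation or from NetApp, showing what such a per-department bucket policy looks like and why its Deny statement matters. The tenant account ID, user names, bucket names and object keys are all constructed; the principal and resource identifier formats follow the AWS-style policy syntax that StorageGRID accepts for bucket policies (an assumption: confirm the exact formats in the policy reference for your release). The small evaluator at the bottom is a deliberately simplified model of AWS-style policy evaluation (an explicit Deny wins, otherwise any Allow wins, otherwise the request is denied); it exists to illustrate the point, not to replace testing against the real grid.

```python
"""Per-department bucket policy inside a single S3 tenant account.

Added example; not StorageGRID's or NetApp's code. All identifiers below
are constructed, and the ARN formats are assumed to be the AWS-style ones
StorageGRID accepts for bucket policies.
"""
import fnmatch
import json

TENANT_ID = "12345678901234567890"  # constructed tenant account ID

DEPARTMENTS = {  # constructed: bucket -> local users in that department
    "marketing": ["alice", "carol"],
    "hr": ["bob"],
}


def user_arn(name):
    """Principal identifier for a local tenant user (assumed format)."""
    return f"arn:aws:iam::{TENANT_ID}:user/{name}"


def bucket_arns(bucket):
    """Bucket itself (for ListBucket) plus every object key inside it."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def department_bucket_policy(bucket, users, explicit_deny=True):
    """Bucket policy that lets only `users` into `bucket`.

    With explicit_deny=True a second statement denies every other principal.
    Without it, a broad tenant-level group policy (for example s3:* on all
    resources) granted to other users still lets them in, because an Allow
    from any applicable policy is enough unless something Denies.
    """
    principals = [user_arn(u) for u in users]
    statements = [{
        "Sid": "DepartmentReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": principals},
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": bucket_arns(bucket),
    }]
    if explicit_deny:
        statements.append({
            "Sid": "DenyOtherDepartments",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": principals},
            "Action": "s3:*",
            "Resource": bucket_arns(bucket),
        })
    return {"Statement": statements}


# Constructed tenant-level group policy, deliberately broad: the kind of
# "everyone gets s3:*" policy that makes an Allow-only bucket policy
# insufficient for segregation.
BROAD_GROUP_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*",
}]}


def _matches(patterns, value):
    """Policy-style wildcard match ('*' matches anything, including '/')."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        p = stmt["Principal"]
        return p == "*" or _matches(p["AWS"], principal)
    if "NotPrincipal" in stmt:
        return not _matches(stmt["NotPrincipal"]["AWS"], principal)
    return True  # a group policy names no principal: it applies to its members


def evaluate(policies, principal, action, resource):
    """Return 'allow' or 'deny' for one request across all applicable policies."""
    decision = "deny"  # default deny when no statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal)
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny ends evaluation
            decision = "allow"
    return decision


def policy_document(bucket):
    """JSON text you would hand to put_bucket_policy for a department bucket."""
    return json.dumps(department_bucket_policy(bucket, DEPARTMENTS[bucket]), indent=2)


def cross_department_check(explicit_deny):
    """Can HR's bob read a Marketing object when the broad group policy applies?"""
    policies = [BROAD_GROUP_POLICY,
                department_bucket_policy("marketing", DEPARTMENTS["marketing"], explicit_deny)]
    return evaluate(policies, user_arn("bob"), "s3:GetObject",
                    "arn:aws:s3:::marketing/q3/plan.pdf")


if __name__ == "__main__":
    print(policy_document("marketing"))
    print("bob -> marketing, Allow-only bucket policy:", cross_department_check(False))
    print("bob -> marketing, with explicit Deny:      ", cross_department_check(True))
```

The output of `policy_document()` is the string you would pass as the `Policy` argument of an S3 client's `put_bucket_policy` call (for example with boto3 pointed at the grid's S3 endpoint). The practical caveat the model makes visible: a bucket policy that only Allows the department's users does nothing to keep out a user who already holds a broad tenant-level group policy, so segregation inside one tenant account depends on the explicit Deny (or on group policies scoped per department), and every principal that must keep access, including the people who administer the bucket, has to be listed in the exception. Separate tenant accounts avoid that bookkeeping by making the boundary structural rather than policy-based.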

Creating tenant accounts

Tenant accounts are created by a StorageGRID grid administrator using the Grid Manager. When creating a tenant account, the grid administrator specifies the following information:
  • Display name for the tenant account
  • Which client protocol will be used by the tenant account (S3 or Swift)
  • For S3 tenant accounts: Whether the tenant account has permission to use platform services. If the use of platform services is permitted, the grid must be configured to support their use.
  • Optionally, a storage quota for the tenant account—the maximum number of gigabytes, terabytes, or petabytes available for the tenant's objects. A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk).
  • If single sign-on (SSO) is not in use for the StorageGRID system, whether the tenant account will use its own identity source or share the grid's identity source, and the initial password for the tenant's local root user.
  • If SSO is enabled, which federated group has Root Access permission to configure the tenant account.

Configuring S3 tenants

After an S3 tenant account is created, you can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid), or creating local groups and users
  • Managing S3 access keys
  • Creating and managing S3 buckets
  • Using platform services (if enabled)
  • Monitoring storage usage
Attention: While you can create and manage S3 buckets with the Tenant Manager, you must have S3 access keys and use the S3 REST API to ingest and manage objects.

Configuring Swift tenants

After a Swift tenant account is created, users with the Root Access permission can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid), and creating local groups and users
  • Monitoring storage usage
Attention: Swift users must have the Root Access permission to access the Tenant Manager. However, the Root Access permission does not allow users to authenticate into the Swift REST API to create containers and ingest objects. Users must have the Administrator permission to authenticate into the Swift REST API.