Creating a tenant account if StorageGRID is not using SSO

When you create a tenant account, you specify a name, a client protocol, and optionally a storage quota. If StorageGRID is not using single sign-on (SSO), you must also specify whether the tenant account will use its own identity source and configure the initial password for the tenant's local root user.

Steps

  1. In the Display Name text box, enter a display name for this tenant account.
    Display names do not need to be unique. When the tenant account is created, it receives a unique, numeric Account ID.
  2. Select the client protocol that will be used by this tenant account, either S3 or Swift.
  3. For S3 tenant accounts, uncheck the Allow Platform Services check box if you do not want this tenant to use platform services for S3 buckets.

    If platform services are enabled, a tenant can use features, such as CloudMirror replication, that access external services. You might want to disable the use of these features to limit the amount of network bandwidth or other resources a tenant consumes. See "Managing platform services."

  4. In the Storage Quota text box, optionally enter the maximum number of gigabytes, terabytes, or petabytes that you want to make available for this tenant's objects. Then, select the units from the drop-down list.

    Leave this field blank if you want this tenant to have an unlimited quota.

    Note: A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk). ILM copies and erasure coding do not contribute to the amount of quota used. If the quota is exceeded, the tenant account cannot create new objects.
    Note: To monitor each tenant account's storage usage, select Usage. Tenant accounts can also monitor their own storage usage from the Dashboard in the Tenant Manager or with the Tenant Management API. Note that a tenant's storage usage values might become out of date if nodes are isolated from other nodes in the grid. The totals will be updated when network connectivity is restored.
  5. Determine if the tenant will use the identity source that was configured for the Grid Manager:
    If the tenant will manage its own groups and users:
    1. Select the Uses Own Identity Source check box (default).
      Note: If this check box is selected and you want to use identity federation for tenant groups and users, the tenant must configure its own identity source. See the instructions for using tenant accounts.
    2. Specify a password for the tenant's local root user.
    If the tenant will use the groups and users configured for the Grid Manager:
    1. Uncheck the Uses Own Identity Source check box.
    2. Do either or both of the following:
      • Specify which existing federated group should have the initial Root Access permission for the tenant.
        Note: If you have adequate permissions, the existing federated groups from the Grid Manager are listed when you click the field. Otherwise, enter the group's unique name.
      • Specify a password for the tenant's local root user.
  6. Click Save.
    The tenant account is created.
  7. Optionally, access the new tenant. Otherwise, go to step 9.
    • If you are accessing the Grid Manager on a restricted port: Click Restricted to learn more about accessing this tenant account.
      The URL for the Tenant Manager has this format:
      https://FQDN_or_Admin_Node_IP:port/?accountId=20-digit-account-id/
      • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node
      • port is the tenant-only port
      • 20-digit-account-id is the tenant's unique account ID
    • If you are accessing the Grid Manager on port 443 but you did not set a password for the local root user: Click Sign In, and enter the credentials for a user in the Root Access federated group.
    • If you are accessing the Grid Manager on port 443 and you set a password for the local root user: Go to step 8.
  8. Sign in to the tenant:
    1. From the Configure Tenant Account dialog box, click the Sign in as root button.

      A green check mark appears on the button, indicating that you are now signed in to the tenant account as the root user.
    2. Click the links to configure the tenant account.
      Each link opens the corresponding page in the Tenant Manager. To complete the page, see the instructions for using tenant accounts.
    3. Click Finish.
  9. To access the tenant later:
    If you are using port 443, do one of these:
    • From the Grid Manager, select Tenants, and click Sign in to the right of the tenant name.
    • Enter the tenant's URL in a web browser:
      https://FQDN_or_Admin_Node_IP/?accountId=20-digit-account-id/
      • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node
      • 20-digit-account-id is the tenant's unique account ID
    If you are using a restricted port, do one of these:
    • From the Grid Manager, select Tenants, and click Restricted.
    • Enter the tenant's URL in a web browser:
      https://FQDN_or_Admin_Node_IP:port/?accountId=20-digit-account-id
      • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node
      • port is the tenant-only restricted port
      • 20-digit-account-id is the tenant's unique account ID
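
The Tenant Manager URL format described above can be checked before a link is bookmarked or handed to a tenant administrator. The following is an added example, not code from the product or its documentation: `parse_tenant_url` and `TenantUrl` are hypothetical names, and the host names and account IDs are constructed. It accepts the account ID with or without the trailing slash, since the page shows both forms.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# The page states the account ID is a unique 20-digit value.
ACCOUNT_ID_RE = re.compile(r"[0-9]{20}")


@dataclass(frozen=True)
class TenantUrl:
    host: str              # FQDN_or_Admin_Node_IP
    port: Optional[int]    # None means no port was given (HTTPS default, 443)
    account_id: str        # 20-digit-account-id

    @property
    def restricted_port(self) -> bool:
        # Any explicit port other than 443 is treated as a tenant-only port.
        return self.port not in (None, 443)


def parse_tenant_url(url: str) -> TenantUrl:
    """Validate a Tenant Manager URL and return its parts, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("tenant URL must use https")
    if not parts.hostname:
        raise ValueError("missing FQDN or Admin Node IP")
    if parts.username or parts.password:
        # Added hardening, not a rule from the page.
        raise ValueError("credentials must not be embedded in the URL")
    if parts.path not in ("", "/"):
        raise ValueError("unexpected path: %r" % parts.path)
    values = parse_qs(parts.query, keep_blank_values=True).get("accountId", [])
    if len(values) != 1:
        raise ValueError("expected exactly one accountId parameter")
    account_id = values[0].rstrip("/")  # tolerate the trailing-slash form
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("accountId must be exactly 20 digits")
    # parts.port raises ValueError itself if the port is not a valid number.
    return TenantUrl(parts.hostname, parts.port, account_id)


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_tenant_url("https://admin1.example.com:8443/?accountId=12345678901234567890"))
```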