Managing tenants

As a grid administrator, you create and manage the tenant accounts that S3 and Swift clients use to store and retrieve objects, monitor storage usage, and manage the actions that clients are able to perform using your StorageGRID system.

What tenant accounts are

Tenant accounts allow client applications that use the Simple Storage Service (S3) REST API or the Swift REST API to store and retrieve objects on StorageGRID.

Each tenant account supports the use of a single protocol, which you specify when you create the account. To store and retrieve objects to a StorageGRID system with both protocols, you must create two tenant accounts: one for S3 buckets and objects, and one for Swift containers and objects. Each tenant account has its own account ID, authorized groups and users, buckets or containers, and objects.

Optionally, you can create additional tenant accounts if you want to segregate the objects stored on your system by different entities. For example, you might set up multiple tenant accounts in either of these use cases:
  • Enterprise use case: If you are administering a StorageGRID system in an enterprise application, you might want to segregate the grid's object storage by the different departments in your organization. In this case, you could create tenant accounts for the Marketing department, the Customer Support department, the Human Resources department, and so on.
    Note: If you use the S3 client protocol, you can simply use S3 buckets and bucket policies to segregate objects between the departments in an enterprise. You do not need to use tenant accounts. See the instructions for implementing S3 client applications for more information.
  • Service provider use case: If you are administering a StorageGRID system as a service provider, you can segregate the grid's object storage by the different entities that will lease the storage on your grid. In this case, you would create tenant accounts for Company A, Company B, Company C, and so on.

Creating and configuring tenant accounts

When you create a tenant account, you specify the following information:
  • Display name for the tenant account.
  • Which client protocol will be used by the tenant account (S3 or Swift).
  • For S3 tenant accounts: Whether the tenant account has permission to use platform services with S3 buckets. If you permit tenant accounts to use platform services, you must ensure that the grid is configured to support their use. See Managing platform services.
  • Optionally, a storage quota for the tenant account—the maximum number of gigabytes, terabytes, or petabytes available for the tenant's objects. If the quota is exceeded, the tenant cannot create new objects.
    Note: A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk).
  • If identity federation is enabled for the StorageGRID system, which federated group has Root Access permission to configure the tenant account.
  • If single sign-on (SSO) is not in use for the StorageGRID system, whether the tenant account will use its own identity source or share the grid's identity source, and the initial password for the tenant's local root user.
After a tenant account is created, you can perform the following tasks:
  • Manage platform services for the grid: If you enable platform services for tenant accounts, ensure that you understand how platform services messages are delivered and the networking requirements that the use of platform services place on your StorageGRID deployment.
  • Monitor a tenant account's storage usage: After tenants begin using their accounts, you can use Grid Manager to monitor how much storage each tenant consumes.

    If you have set quotas for tenants, you can enable the Tenant quota usage high alert to determine if tenants are consuming their quotas. If enabled, this alert is triggered when a tenant has used 90% of its quota. For more information, see the alerts reference in the instructions for monitoring and troubleshooting StorageGRID.

  • Configure client operations: You can configure if some types of client operations are forbidden.

Configuring S3 tenants

After an S3 tenant account is created, tenant users can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid) and creating local groups and users
  • Managing S3 access keys
  • Creating and managing S3 buckets
  • Monitoring storage usage
  • Using platform services (if enabled)
Attention: S3 tenant users can create and manage S3 access key and buckets with the Tenant Manager, but they must use an S3 client application to ingest and manage objects.

Configuring Swift tenants

After a Swift tenant account is created, the tenant's root user can access the Tenant Manager to perform tasks such as the following:
  • Setting up identity federation (unless the identity source is shared with the grid), and creating local groups and users
  • Monitoring storage usage
Attention: Swift users must have the Root Access permission to access the Tenant Manager. However, the Root Access permission does not allow users to authenticate into the Swift REST API to create containers and ingest objects. Users must have the Swift Administrator permission to authenticate into the Swift REST API.