Create a tenant account
You must create at least one tenant account to control access to the storage in your StorageGRID system.
The steps for creating a tenant account vary based on whether identity federation and single sign-on are configured and whether the Grid Manager account you use to create the tenant account belongs to an admin group with the Root access permission.
- You are signed in to the Grid Manager using a supported web browser.
- You have the Root access or Tenant accounts permission.
- If the tenant account will use the identity source that was configured for the Grid Manager, and you want to grant Root access permission for the tenant account to a federated group, you have imported that federated group into the Grid Manager. You don't need to assign any Grid Manager permissions to this admin group. See Manage admin groups.
- If you want to allow an S3 tenant to clone account data and replicate bucket objects to another grid using a grid federation connection:
  - The status of the connection is Connected.
  - You have Root access permission.
  - You have reviewed the considerations for managing the permitted tenants for grid federation.
  - If the tenant account will use the identity source that was configured for Grid Manager, you have imported the same federated group into Grid Manager on both grids. When you create the tenant, you will select this group to have the initial Root access permission for both the source and destination tenant accounts. If this admin group doesn't exist on both grids before you create the tenant, the tenant isn't replicated to the destination.
Access the wizard
- Select TENANTS.
- Select Create.
Enter details
- Enter details for the tenant.

Field | Description |
---|---|
Name | A name for the tenant account. Tenant names don't need to be unique. When the tenant account is created, it receives a unique, 20-digit account ID. |
Description (optional) | A description to help identify the tenant. If you are creating a tenant that will use a grid federation connection, optionally use this field to help identify which is the source tenant and which is the destination tenant. For example, this description for a tenant created on Grid 1 will also appear for the tenant replicated to Grid 2: "This tenant was created on Grid 1." |
Client type | The type of client protocol this tenant will use, either S3 or Swift. Note: Support for Swift client applications has been deprecated and will be removed in a future release. |
Storage quota (optional) | If you want this tenant to have a storage quota, a numerical value for the quota and the units. |

- Select Continue.
Select permissions
- Optionally, select the basic permissions you want this tenant to have. Some of these permissions have additional requirements. For details, select the help icon for each permission.

Permission | If selected… |
---|---|
Allow platform services | The tenant can use S3 platform services such as CloudMirror. See Manage platform services for S3 tenant accounts. |
Use own identity source | The tenant can configure and manage its own identity source for federated groups and users. This option is disabled if you have configured SSO for your StorageGRID system. |
Allow S3 Select | The tenant can issue S3 SelectObjectContent API requests to filter and retrieve object data. See Manage S3 Select for tenant accounts. Important: SelectObjectContent requests can decrease load-balancer performance for all S3 clients and all tenants. Enable this feature only when required and only for trusted tenants. |

- Optionally, select the advanced permissions you want this tenant to have.

Permission | If selected… |
---|---|
Grid federation connection | The tenant can use a grid federation connection, which (1) causes this tenant and all tenant groups and users added to the account to be cloned from this grid (the source grid) to the other grid in the selected connection (the destination grid), and (2) allows this tenant to configure cross-grid replication between corresponding buckets on each grid. |
S3 Object Lock | Allow the tenant to use specific features of S3 Object Lock. Set maximum retention period defines how long new objects added to this bucket should be retained, starting from the time they are ingested. Allow compliance mode prevents users from overwriting or deleting protected object versions during the retention period. |

- Select Continue.
Define root access and create tenant
- Define root access for the tenant account, based on whether your StorageGRID system uses identity federation, single sign-on (SSO), or both.

Option | Do this |
---|---|
If identity federation is not enabled | Specify the password to use when signing in to the tenant as the local root user. |
If identity federation is enabled | Select an existing federated group to have Root access permission for the tenant. Optionally, specify the password to use when signing in to the tenant as the local root user. |
If both identity federation and single sign-on (SSO) are enabled | Select an existing federated group to have Root access permission for the tenant. No local users can sign in. |

- Select Create tenant.
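The prerequisites and wizard rules above are enforced by hand in the Grid Manager UI. As an added example (not StorageGRID code; the GridContext and TenantSpec records and the validate function are assumptions of this example), the following Python preflight check encodes those same rules, so a provisioning script can reject a request before Create tenant is selected, in particular one that would leave the tenant with the wrong root-access arrangement or with permissions its client type or identity setup cannot support:

```python
"""Preflight validation for a StorageGRID tenant-creation request.

Added example, not StorageGRID code. GridContext, TenantSpec and validate()
are assumptions of this example; the rules they encode are the ones stated
on this page (prerequisites, permission requirements, root-access options).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CLIENT_TYPES = {"S3", "Swift"}


@dataclass
class GridContext:
    """What the operator knows about the grid before creating the tenant."""
    identity_federation: bool            # identity source configured for Grid Manager
    sso: bool                            # single sign-on enabled
    has_root_access: bool                # operator's Grid Manager permission
    has_tenant_accounts_permission: bool = False
    imported_groups: Set[str] = field(default_factory=set)   # groups imported into Grid Manager
    federation_connection_status: Optional[str] = None       # e.g. "Connected"
    imported_groups_on_other_grid: Set[str] = field(default_factory=set)


@dataclass
class TenantSpec:
    """The values that would be entered in the Create tenant wizard."""
    name: str
    client_type: str                     # "S3" or "Swift"
    quota_bytes: Optional[int] = None
    allow_platform_services: bool = False
    use_own_identity_source: bool = False
    allow_s3_select: bool = False
    grid_federation: bool = False
    root_group: Optional[str] = None     # federated group to receive Root access
    local_root_password: Optional[str] = None


def root_access_mode(ctx: GridContext) -> str:
    """Which row of the 'Define root access' table applies to this grid."""
    if ctx.identity_federation and ctx.sso:
        return "federated-group-only"
    if ctx.identity_federation:
        return "federated-group-or-local-root"
    return "local-root-only"


def validate(spec: TenantSpec, ctx: GridContext) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); no errors means the request is consistent with the page's rules."""
    errors: List[str] = []
    warnings: List[str] = []

    # Operator prerequisites
    if not (ctx.has_root_access or ctx.has_tenant_accounts_permission):
        errors.append("operator needs Root access or Tenant accounts permission")

    # Enter details
    if not spec.name.strip():
        errors.append("tenant name is required")
    if spec.client_type not in CLIENT_TYPES:
        errors.append(f"client type must be one of {sorted(CLIENT_TYPES)}")
    elif spec.client_type == "Swift":
        warnings.append("Swift client support is deprecated and will be removed")
    if spec.quota_bytes is not None and spec.quota_bytes <= 0:
        errors.append("storage quota must be a positive number")

    # Select permissions
    if spec.client_type != "S3":
        for enabled, label in ((spec.allow_platform_services, "platform services"),
                               (spec.allow_s3_select, "S3 Select"),
                               (spec.grid_federation, "grid federation")):
            if enabled:
                errors.append(f"{label} is an S3 tenant feature")
    if spec.allow_s3_select:
        warnings.append("S3 Select can reduce load-balancer performance for all tenants; enable only for trusted tenants")
    if spec.use_own_identity_source and ctx.sso:
        errors.append("Use own identity source is disabled when SSO is configured")

    # Define root access
    mode = root_access_mode(ctx)
    if mode == "local-root-only":
        if not spec.local_root_password:
            errors.append("local root password is required when identity federation is not enabled")
        if spec.root_group:
            errors.append("a federated group cannot be selected without identity federation")
    else:
        if not spec.root_group:
            errors.append("a federated group must be selected for Root access")
        elif spec.root_group not in ctx.imported_groups:
            errors.append(f"group {spec.root_group!r} has not been imported into Grid Manager")
        if mode == "federated-group-only" and spec.local_root_password:
            errors.append("no local users can sign in under SSO; do not set a local root password")

    # Grid federation prerequisites
    if spec.grid_federation:
        if not ctx.has_root_access:
            errors.append("grid federation requires Root access permission")
        if ctx.federation_connection_status != "Connected":
            errors.append("grid federation connection status is not Connected")
        if (ctx.identity_federation and spec.root_group
                and spec.root_group not in ctx.imported_groups_on_other_grid):
            errors.append(f"group {spec.root_group!r} must exist on both grids or the tenant is not replicated")

    return errors, warnings
```

Run the check against the grid facts gathered beforehand (connection status, imported groups on each grid) and refuse to proceed on any error; warnings such as the S3 Select performance note are surfaced for a human decision rather than blocking.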
A success message appears, and the new tenant is listed on the Tenants page. To learn how to view tenant details and monitor tenant activity, see Monitor tenant activity.
Applying tenant settings across the grid could take 15 minutes or longer based on network connectivity, node status, and Cassandra operations.
- If you selected the Use grid federation connection permission for the tenant:
  - Confirm that an identical tenant was replicated to the other grid in the connection. The tenants on both grids will have the same 20-digit account ID, name, description, quota, and permissions. If you see the error message "Tenant created without a clone," refer to the instructions in Troubleshoot grid federation errors.
  - If you provided a local root user password when defining root access, change the password for the local root user for the replicated tenant. A local root user can't sign in to Tenant Manager on the destination grid until the password is changed.
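As an added example (not StorageGRID code; the record layout, the verify_clone function and the sample tenant records are constructed for this example), the following Python check automates the post-creation verification just described: it compares the attributes that must match on both grids, reports the "Tenant created without a clone" case, and reminds the operator that the local root password on the destination grid still has to be changed:

```python
"""Post-creation check for a tenant replicated over a grid federation connection.

Added example, not StorageGRID code. The record layout, verify_clone() and the
sample tenant records below are constructed for this example; the attributes
compared are the ones this page says must match on both grids.
"""
import re
from typing import Dict, List, Optional

ACCOUNT_ID = re.compile(r"^\d{20}$")          # tenants receive a unique 20-digit account ID
CLONED_FIELDS = ("id", "name", "description", "quota_bytes", "permissions")


def _normalise(value):
    """Compare permission sets order-independently; leave other fields as-is."""
    return sorted(value) if isinstance(value, (set, frozenset, list, tuple)) else value


def verify_clone(source: Dict, destination: Optional[Dict],
                 local_root_password_set: bool) -> List[str]:
    """Return the findings an operator should act on; an empty list means the clone matches."""
    findings: List[str] = []
    if destination is None:
        findings.append("Tenant created without a clone: see Troubleshoot grid federation errors")
        return findings
    if not ACCOUNT_ID.match(str(source.get("id", ""))):
        findings.append(f"source account ID {source.get('id')!r} is not a 20-digit ID")
    for name in CLONED_FIELDS:
        src, dst = _normalise(source.get(name)), _normalise(destination.get(name))
        if src != dst:
            findings.append(f"{name} differs: source={src!r} destination={dst!r}")
    if local_root_password_set:
        findings.append("change the local root user password for the replicated tenant; "
                        "the local root user cannot sign in on the destination grid until then")
    return findings


# Constructed sample records, as a script might assemble them from each grid's tenant listing
SOURCE = {
    "id": "12345678901234567890",
    "name": "Tenant A",
    "description": "This tenant was created on Grid 1.",
    "quota_bytes": 10 ** 12,
    "permissions": {"grid_federation", "allow_platform_services"},
}
DESTINATION_OK = {**SOURCE, "permissions": {"allow_platform_services", "grid_federation"}}
DESTINATION_BAD = {**SOURCE, "quota_bytes": None}

if __name__ == "__main__":
    for label, dest in (("ok", DESTINATION_OK), ("bad", DESTINATION_BAD), ("missing", None)):
        print(label, verify_clone(SOURCE, dest, local_root_password_set=True))
```

Because the destination tenant may take a while to appear, run the check after the settling period noted above rather than immediately after the success message; a missing destination record before that point is not yet a failure.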
Sign in to tenant (optional)
As required, you can sign in to the new tenant now to complete the configuration, or you can sign in to the tenant later. The sign-in steps depend on whether you are signed in to the Grid Manager using the default port (443) or a restricted port. See Control access at external firewall.

Sign in now

If you are using… | Do this… |
---|---|
Port 443 and you set a password for the local root user | |
Port 443 and you did not set a password for the local root user | Select Sign in, and enter the credentials for a user in the Root access federated group. |
A restricted port | |

Sign in later

If you are using… | Do one of these… |
---|---|
Port 443 | |
A restricted port | |
Configure the tenant
Follow the instructions in Use a tenant account to manage tenant groups and users, S3 access keys, buckets, platform services, and account clone and cross-grid replication.