Create a tenant account

Contributors netapp-lhalbert

You must create at least one tenant account to control access to the storage in your StorageGRID system.

The steps for creating a tenant account vary based on whether identity federation and single sign-on are configured and whether the Grid Manager account you use to create the tenant account belongs to an admin group with the Root access permission.

Before you begin
  • You are signed in to the Grid Manager using a supported web browser.

  • You have the Root access or Tenant accounts permission.

  • If the tenant account will use the identity source that was configured for the Grid Manager, and you want to grant Root access permission for the tenant account to a federated group, you have imported that federated group into the Grid Manager. You don't need to assign any Grid Manager permissions to this admin group. See Manage admin groups.

  • If you want to allow an S3 tenant to clone account data and replicate bucket objects to another grid using a grid federation connection:

    • You have configured the grid federation connection.

    • The status of the connection is Connected.

    • You have Root access permission.

    • You have reviewed the considerations for managing the permitted tenants for grid federation.

    • If the tenant account will use the identity source that was configured for Grid Manager, you have imported the same federated group into Grid Manager on both grids.

      When you create the tenant, you will select this group to have the initial Root access permission for both the source and destination tenant accounts.

      Tip: If this admin group doesn't exist on both grids before you create the tenant, the tenant isn't replicated to the destination.

Access the wizard

Steps
  1. Select TENANTS.

  2. Select Create.

Enter details

Steps
  1. Enter details for the tenant.

    Field Description

    Name

    A name for the tenant account. Tenant names don't need to be unique. When the tenant account is created, it receives a unique, 20-digit account ID.

    Description (optional)

    A description to help identify the tenant.

    If you are creating a tenant that will use a grid federation connection, optionally, use this field to help identify which is the source tenant and which is the destination tenant. For example, this description for a tenant created on Grid 1 will also appear for the tenant replicated to Grid 2: "This tenant was created on Grid 1."

    Client type

    The type of client protocol this tenant will use, either S3 or Swift.

    Note: Support for Swift client applications has been deprecated and will be removed in a future release.

    Storage quota (optional)

    If you want this tenant to have a storage quota, a numerical value for the quota and the units.

  2. Select Continue.

Select permissions

Steps
  1. Optionally, select the basic permissions you want this tenant to have.

    Note: Some of these permissions have additional requirements. For details, select the help icon for each permission.

    Permission If selected…

    Allow platform services

    The tenant can use S3 platform services such as CloudMirror. See Manage platform services for S3 tenant accounts.

    Use own identity source

    The tenant can configure and manage its own identity source for federated groups and users. This option is disabled if you have configured SSO for your StorageGRID system.

    Allow S3 Select

    The tenant can issue S3 SelectObjectContent API requests to filter and retrieve object data. See Manage S3 Select for tenant accounts.

    Important: SelectObjectContent requests can decrease load-balancer performance for all S3 clients and all tenants. Enable this feature only when required and only for trusted tenants.

  2. Optionally, select the advanced permissions you want this tenant to have.

    Permission If selected…

    Grid federation connection

    The tenant can use a grid federation connection, which:

    • Causes this tenant and all tenant groups and users added to the account to be cloned from this grid (the source grid) to the other grid in the selected connection (the destination grid).

    • Allows this tenant to configure cross-grid replication between corresponding buckets on each grid.

    S3 Object Lock

    Allow the tenant to use specific features of S3 Object Lock:

    • Set maximum retention period defines how long new objects added to this bucket should be retained, starting from the time they are ingested.

    • Allow compliance mode prevents users from overwriting or deleting protected object versions during the retention period.

  3. Select Continue.

Define root access and create tenant

Steps
  1. Define root access for the tenant account, based on whether your StorageGRID system uses identity federation, single sign-on (SSO), or both.

    Option Do this

    If identity federation is not enabled

    Specify the password to use when signing into the tenant as the local root user.

    If identity federation is enabled

    1. Select an existing federated group to have Root access permission for the tenant.

    2. Optionally, specify the password to use when signing in to the tenant as the local root user.

    If both identity federation and single sign-on (SSO) are enabled

    Select an existing federated group to have Root access permission for the tenant. No local users can sign in.

  2. Select Create tenant.

    A success message appears, and the new tenant is listed on the Tenants page. To learn how to view tenant details and monitor tenant activity, see Monitor tenant activity.

    Note: Applying tenant settings across the grid could take 15 minutes or longer based on network connectivity, node status, and Cassandra operations.

  3. If you selected the Use grid federation connection permission for the tenant:

    1. Confirm that an identical tenant was replicated to the other grid in the connection. The tenants on both grids will have the same 20-digit account ID, name, description, quota, and permissions.

      Note: If you see the error message "Tenant created without a clone," refer to the instructions in Troubleshoot grid federation errors.

    2. If you provided a local root user password when defining root access, change the password for the local root user for the replicated tenant.

      Tip: A local root user can't sign in to Tenant Manager on the destination grid until the password is changed.
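One way to carry out the "identical tenant" check in step 3 is to compare the fields the page says must match on both grids. This is an added example, not NetApp's own code: the two tenant records are constructed sample data, and the field names used here are an assumption rather than the StorageGRID API schema.

```python
"""Added example (not NetApp's own code): check that a tenant created with the
Grid federation connection permission was cloned identically to the destination
grid. The two tenant records are constructed sample data shaped after the fields
the page says must match; in practice they would be read from each grid's
Grid Manager. Field names are an assumption, not the StorageGRID API schema."""
import re

# Fields the page says are identical on both grids after a successful clone
REPLICATED_FIELDS = ("id", "name", "description", "quota", "permissions")


def is_account_id(value: str) -> bool:
    """StorageGRID account IDs are unique 20-digit numbers."""
    return re.fullmatch(r"[0-9]{20}", value) is not None


def compare_tenants(source: dict, destination: dict) -> list[str]:
    """Return a list of mismatches; an empty list means the clone is identical."""
    problems = []
    if not is_account_id(str(source.get("id", ""))):
        problems.append(f"source id {source.get('id')!r} is not a 20-digit account ID")
    for field in REPLICATED_FIELDS:
        src, dst = source.get(field), destination.get(field)
        if field == "permissions":  # the order of permissions is irrelevant
            src, dst = set(src or ()), set(dst or ())
        if src != dst:
            problems.append(f"{field}: source={src!r} destination={dst!r}")
    return problems


# Constructed sample records: Grid 1 is the source, Grid 2 the destination
SOURCE_TENANT = {
    "id": "12345678901234567890",
    "name": "Finance",
    "description": "This tenant was created on Grid 1.",
    "quota": {"value": 10, "units": "TB"},
    "permissions": ["Grid federation connection", "Allow platform services"],
}
GOOD_CLONE = dict(SOURCE_TENANT, permissions=["Allow platform services", "Grid federation connection"])
BAD_CLONE = dict(SOURCE_TENANT, quota=None, permissions=["Grid federation connection"])

if __name__ == "__main__":
    for label, dest in (("good clone", GOOD_CLONE), ("bad clone", BAD_CLONE)):
        issues = compare_tenants(SOURCE_TENANT, dest)
        print(label, "OK" if not issues else "\n  ".join(["MISMATCH:"] + issues))
```

A non-empty result on a real pair of grids is the point at which to consult Troubleshoot grid federation errors.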

Sign in to tenant (optional)

As required, you can sign in to the new tenant now to complete the configuration, or you can sign in to the tenant later. The sign-in steps depend on whether you are signed in to the Grid Manager using the default port (443) or a restricted port. See Control access at external firewall.

Sign in now

If you are using… Do this…

Port 443 and you set a password for the local root user

  1. Select Sign in as root.

    When you sign in, links appear for configuring buckets, identity federation, groups, and users.

  2. Select the links to configure the tenant account.

    Each link opens the corresponding page in the Tenant Manager. To complete the page, see the instructions for using tenant accounts.

Port 443 and you did not set a password for the local root user

Select Sign in, and enter the credentials for a user in the Root access federated group.

A restricted port

  1. Select Finish.

  2. Select Restricted in the Tenant table to learn more about accessing this tenant account.

    The URL for the Tenant Manager has this format:

    https://FQDN_or_Admin_Node_IP:port/?accountId=20-digit-account-id/

    • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node

    • port is the tenant-only port

    • 20-digit-account-id is the tenant's unique account ID

Sign in later

If you are using… Do one of these…

Port 443

  • From the Grid Manager, select TENANTS, and select Sign in to the right of the tenant name.

  • Enter the tenant's URL in a web browser:

    https://FQDN_or_Admin_Node_IP/?accountId=20-digit-account-id/

    • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node

    • 20-digit-account-id is the tenant's unique account ID

A restricted port

  • From the Grid Manager, select TENANTS, and select Restricted.

  • Enter the tenant's URL in a web browser:

    https://FQDN_or_Admin_Node_IP:port/?accountId=20-digit-account-id

    • FQDN_or_Admin_Node_IP is a fully qualified domain name or the IP address of an Admin Node

    • port is the tenant-only restricted port

    • 20-digit-account-id is the tenant's unique account ID
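The two URL forms above differ only in whether the tenant-only port is present. As an added example (not NetApp's own code), the following builds such a sign-in URL and checks one that is given to you; the hostname, port and account ID are constructed sample values.

```python
"""Added example (not NetApp's own code): build and check Tenant Manager sign-in
URLs in the two forms the page documents (default port 443, or a tenant-only
restricted port). The hostname, port and account ID below are constructed
sample values."""
import re
from urllib.parse import parse_qs, urlsplit

ACCOUNT_ID_RE = re.compile(r"[0-9]{20}")


def tenant_manager_url(admin_node: str, account_id: str, port: int = 443) -> str:
    """Return the sign-in URL; the port is written only when it is not the default 443."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account ID must be exactly 20 digits, got {account_id!r}")
    authority = admin_node if port == 443 else f"{admin_node}:{port}"
    return f"https://{authority}/?accountId={account_id}/"


def parse_tenant_manager_url(url: str) -> dict:
    """Split a sign-in URL into host, port and account ID; raise if it is malformed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Tenant Manager URLs have the form https://<Admin Node>[:port]/...")
    # The documented form carries a trailing slash after the account ID; drop it
    account_id = parse_qs(parts.query).get("accountId", [""])[0].rstrip("/")
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"missing or malformed accountId in {url!r}")
    return {"host": parts.hostname, "port": parts.port or 443, "account_id": account_id}


if __name__ == "__main__":
    sample_id = "12345678901234567890"  # constructed account ID
    for port in (443, 9443):            # 9443 stands in for a restricted port
        url = tenant_manager_url("admin1.example.com", sample_id, port)
        print(url, parse_tenant_manager_url(url))
```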

Configure the tenant

Follow the instructions in Use a tenant account to manage tenant groups and users, S3 access keys, buckets, platform services, and account clone and cross-grid replication.