-
From the left navigation menu, select Element Store and then Tenants.
-
Click Create Tenant.
-
Complete the fields in the General tab:
Name
Trash folder GID
If you want to allow access to the trash folder for non-root NFSv3 users serviced by the tenant, enter the GID of a user group that you want to use for this purpose in the Trash folder GID field. Users who belong to this group will have permission to move files into the trash folder.
By default, the operation of moving files into the trash folder is supported for the root user only.
Default share-level ACL
Optionally set the default 'Everyone' Group share-level permission for the tenant. This default permission affects all views associated with the tenant where share-level ACL is disabled. The permission can be set to Read, Change or Full Control. By default, it is set to Full Control.
For more information about share-level ACLs, see Share-Level ACLs.
Encryption Group
If encryption is enabled on the cluster with external key management (EKM), enter a string identifier for the tenant's encryption group for encryption group management.
You can optionally provide the same encryption group for more than one tenant if you want to join multiple tenants to the same encryption group on the EKM. Tenants that belong to the same group will be managed by the same encryption key.
Valid format: string, up to 128 characters
Encryption Group is required if EKM encryption is enabled.
The encryption group cannot be changed after creating the tenant.
For more information about EKM encryption, see Encryption of Data at Rest.
Enable privileged domain user restore access
-
Enabled (default). The SMB privileged user is enabled.
-
Disabled. The SMB privileged user is disabled.
Enable privileged domain group backup access
Enable privileged group restore access
-
Enabled (default). The SMB privileged user group has read and write control access. Members of the group can perform backup and restore operations on all files and directories, without requiring read or write access to the specific files and directories.
-
Disabled. The SMB privileged user group has read control access. Members of the group can perform backup operations on all files and directories without requiring read access to the specific files and directories. They cannot perform restore operations without write access to the specific files and directories.
Logon name of the privileged domain user
Optional custom user name for the SMB privileged user. If not set, the user name is 'vastadmin'.
SID of the privileged domain group
Specify a custom group SID in order to have a working privileged group with backup operator privileges. If not set, the SMB privileged group is set to the Backup Operators domain group (S-1-5-32-551), which, due to a known issue, does not receive backup operator privileges.
BUILTIN\Administrators group name
Optional custom name to set for a non-default privileged group. If not specified, the privileged group name is Backup Operators.
-
On the Providers tab:
-
Select which external authorization providers should be enabled for the tenant. Providers configured on the cluster are available for you to select up to one of each type (Active Directory, LDAP and NIS), subject to combination restrictions per tenant described in Authorization Providers in VAST Cluster.
-
If you enable more than one provider:
-
Select one of the providers from the POSIX Primary Provider dropdown to take precedence over the other providers in case of any conflicts between attribute values when user information is retrieved from the providers.
-
In the Login Name Primary Provider field, select one of the providers as the primary provider for the user's login name.
-
On the Tenant Access tab, configure tenant access. These settings are optional. See Providing Client Access to Tenants for more information.
-
Click Create.
The tenant is created and appears in the listing of tenants in the Tenants tab.
To create a tenant from the VAST CLI, use the tenant create command.
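A pre-creation review of planned tenant settings against the constraints and defaults described above, as an added example that is not VAST's own code. The dictionary keys, the `review_tenants` helper and the sample plan are hypothetical and constructed for illustration; they are not VAST API or CLI names.

```python
import re
from collections import Counter, defaultdict

# Field names below are hypothetical planning-sheet keys, not VAST API or CLI names.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
BACKUP_OPERATORS_SID = "S-1-5-32-551"  # default privileged group named on the page

def review_tenants(tenants, ekm_enabled):
    """Return sorted (tenant, finding) pairs for a list of planned tenant settings."""
    findings, by_group = [], defaultdict(list)
    for t in tenants:
        name, group = t["name"], t.get("encryption_group")
        if ekm_enabled and not group:
            findings.append((name, "encryption group missing but EKM is enabled"))
        elif group and len(group) > 128:
            findings.append((name, "encryption group longer than 128 characters"))
        elif group:
            by_group[group].append(name)
        if t.get("share_level_default", "Full Control") == "Full Control":
            findings.append((name, "default share-level ACL left at Full Control"))
        sid = t.get("privileged_group_sid", BACKUP_OPERATORS_SID)
        if sid == BACKUP_OPERATORS_SID:
            findings.append((name, "privileged group SID is the Backup Operators default"))
        elif not SID_RE.match(sid):
            findings.append((name, "privileged group SID is malformed"))
        kinds = Counter(kind for kind, _ in t.get("providers", []))
        if any(n > 1 for n in kinds.values()):
            findings.append((name, "more than one provider of the same type"))
        if sum(kinds.values()) > 1 and not t.get("posix_primary"):
            findings.append((name, "several providers but no POSIX primary provider"))
    # Tenants in one encryption group are managed by the same key, and the group
    # cannot be changed after creation, so list every sharing tenant for sign-off.
    for group, names in by_group.items():
        if len(names) > 1:
            findings += [(n, f"shares encryption group '{group}'") for n in names]
    return sorted(findings)

# Constructed sample plan (not real tenants).
PLAN = [
    {"name": "finance", "encryption_group": "eg-shared", "share_level_default": "Read",
     "privileged_group_sid": "S-1-5-21-1111-2222-3333-1105",
     "providers": [("Active Directory", "corp-ad")]},
    {"name": "lab", "encryption_group": "eg-shared",
     "providers": [("Active Directory", "corp-ad"), ("LDAP", "lab-ldap")]},
    {"name": "scratch", "privileged_group_sid": "1-5-32"},
]

if __name__ == "__main__":
    for tenant, finding in review_tenants(PLAN, ekm_enabled=True):
        print(f"{tenant}: {finding}")
```

Because the encryption group cannot be changed after the tenant is created, the shared-group and missing-group findings are the ones to resolve before clicking Create.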