Creating Tenants


Creating a Tenant in VAST Web UI

  1. From the left navigation menu, select Element Store and then Tenants.

  2. Click Create Tenant to open the Create New Tenant dialog.

  3. In the General tab, complete the fields:

    Tenant name

    Enter a name for the tenant.

    Domain

    The domain name for the tenant.

    The domain name is used to build the cluster's VMS login URL for the tenant, as shown in the preview below: https://<VMS IP>/#/login/<domain name>.

    If a domain name is not specified, the tenant name is used instead: https://<VMS IP>/#/login/<tenant name>.

    Note

    The domain name is case-insensitive.

  4. In the Providers And User Access tab:

    • Under Set Providers, specify which authentication and authorization providers the tenant will use. You can choose a local provider under VAST Providers, and also select one or more third-party providers configured on the cluster, one per category: Active Directory, LDAP and NIS.

      For provider selection guidelines and restrictions, see Authorization Providers in VAST Cluster.

    • Under User Access Management:

      • In the Source IP Address for Tenant Admin to VMS pane, configure IP addresses from which the tenant admin is allowed to log in to the VMS:

        • Allow all IPs to access. The tenant admin can log in to the VMS from any IP address.

        • Define specific IPs. The tenant admin can log in to the VMS from specific IP addresses only.

          After you select this option, a pane appears where you can add and manage allowed IP addresses. Enter the allowed IP address(es) in the IP address field and click Add to Table.

        Tip

        To add additional tenant admins to the tenant, complete this procedure to create a new tenant. Then, follow the steps in Adding Managers to add manager users of the type Tenant Admin.

      • In the Who Can Access This Tenant (Data Engine) pane, select a user group which is allowed to access the tenant's Data Engine on the cluster. The group must exist on the provider.

  5. In the IP Addresses for Client Data Access tab, configure ranges of IP addresses that tenant users will use to access the data on the cluster.

    Enter Start IP and End IP addresses, and then click Add to Table to add the IP range to the table. Repeat for additional ranges.

  6. In the Advanced Protocol Settings tab, set the following options:

    • Under Common Settings:

      • Set the Create default view policies flag to automatically create a default view policy for S3 buckets that are created via the S3 API. The default policy can later be overridden by creating S3 endpoint views.

    • Under Max Number of Views:

      • Unlimited - Select this option to allow creation of an unlimited number of views on the tenant.

      • Set Manually - Select this option to enter the maximum allowed number of views in the field provided (up to the maximum number of views in the cluster).

    • Under NFS settings:

      • Enable Unrequested NFSv4 File Delegations by Default - If toggled on, the cluster grants allowed NFSv4 file delegations even when the client does not explicitly request a delegation.

      • Enable Secured labels (NFSv4.2) - Enables the use of security labels for NFSv4.2.

      • Enable Trash folder - Enables NFS trash folder and allows members of a user group to move files to the trash folder. After toggling this option on, enter the GID of the user group in the Trash folder GID field.

      • Under NFS File Delegations, select Enable read delegations and/or Enable write delegations to configure the cluster so that it grants read and/or write delegations to the NFS clients. For more information about handling NFSv4 file delegations, see NFSv4 File Delegations.

    • Under SMB Settings:

      Use native authentication

      When enabled, VAST Cluster authorizes client access by using user and group information supplied via Kerberos or NTLM authentication, rather than by querying that user in Active Directory. For more information, see Authentication for SMB Access. By default, this option is disabled.

      Note

      After you disable the use of Kerberos/NTLM authentication to authorize users from non-trusting domains, users that previously had access still have access, even though the feature is now disabled.

      Require SMB signing

      When enabled, SMB signing is mandatory for the clients accessing the cluster. SMB requests with a missing or invalid signature are not accepted.

      Default share-level ACL

      Optionally set the default 'Everyone' Group share-level permission for the tenant. This default permission affects all views associated with the tenant where share-level ACLs are disabled.

      For more information about share-level ACLs, see Share-Level ACLs.

      Possible values:

      • Full control (Default). Includes Change permission and permission to change file owners and Windows ACLs.

      • Read. Permission for Read operations only.

      • Change. Includes Read permission and permission to change files, create files, create directories, and to delete files and directories.

        Note

        Change permission does not include permission to modify file attributes or ACLs.

    • Under SMB Encryption, determine if and when the cluster uses encryption of in-flight data on SMB access:

      • To enable SMB encryption for the tenant, toggle Enable encryption on and select one of the following:

        • Available - Encryption is used only for SMB clients which have requested it explicitly. For clients that do not support encryption, access is allowed but no encryption is used.

        • Desired - The cluster uses encryption for any SMB client that supports encryption. For clients that do not support encryption, access is allowed but no encryption is used.

        • Required - SMB clients that do not support encryption are denied access.

  7. In the Tenant Limitation tab, optionally set capacity and performance limits for the tenant.

    Note

    With VAST Cluster 5.4, block protocol operations are not subject to tenant limitations.

    • Under Capacity Rules:

      • Toggle the Enable capacity rules option on to set limits on the tenant storage capacity. Enter the soft and hard limits as follows:

        • Under Add soft limit and/or Add hard limit, enter the maximum allowed used capacity for the tenant and select the unit of measure for it.

        • In the Number of files and directories field, specify the maximum allowed number of files and directories for the tenant.

        • In the Grace period field, enter a period of time after which the hard limits are enforced.

    • Under Performance Rules:

      • Toggle the Enable performance rules option on to set limits on the tenant bandwidth. Enter the limits as follows:

        • Under Static Limits, specify the static limits.

          Tip

          For an explanation of different types of limits, see QoS Overview.

          For each of the limits, '0' means no limit is set.

          • Select an appropriate unit of measurement in the Units field.

          • To restrict the bandwidth, fill in the fields following the BW column:

            • Max. The maximum allowed bandwidth.

            • Burst. The maximum burst bandwidth that can be provided while there are accumulated bandwidth credits.

            • Credit. The maximum amount of bandwidth credits that can be accumulated.

          • To restrict the amount of IOPS, fill in the fields following the IOPS column:

            • Max. The maximum allowed IOPS.

            • Burst. The maximum burst IOPS that can be provided while there are accumulated IOPS credits.

            • Credit. The maximum amount of IOPS credits that can be accumulated.

  8. Click Create. The tenant is created and appears in the list of tenants in the Tenants page.
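
As an added example (not VAST code and not part of the original procedure), the following Python script reviews a planned set of tenant settings before they are entered in the dialog, applying the behaviour described in steps 4 to 6 for source IP restrictions, client IP ranges, SMB signing, SMB encryption and the default share-level ACL. The dictionary keys and sample values are hypothetical and constructed for illustration; they are not VAST API or CLI parameter names.

```python
import ipaddress

# Hypothetical field names (not VAST API/CLI parameters); constructed values.
PLANNED = {
    "admin_source_ips": [],  # empty list stands for "Allow all IPs to access"
    "client_ip_ranges": [("10.0.0.10", "10.0.0.50"), ("10.0.0.40", "10.0.0.90"),
                         ("10.0.1.9", "10.0.1.1")],
    "smb_require_signing": False,
    "smb_encryption": "Desired",  # None, "Available", "Desired" or "Required"
    "default_share_acl": "Full control",
}

def check_ranges(ranges):
    """Return problems found in a list of (Start IP, End IP) pairs."""
    problems, valid = [], []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version:
            problems.append(f"{start}-{end}: mixed IPv4 and IPv6")
        elif lo > hi:
            problems.append(f"{start}-{end}: Start IP is above End IP")
        else:
            valid.append((lo, hi))
    valid.sort(key=lambda r: (r[0].version, r[0]))
    widest = None  # range with the highest End IP seen so far in this family
    for lo, hi in valid:
        same_family = widest is not None and widest[0].version == lo.version
        if same_family and lo <= widest[1]:
            problems.append(f"{widest[0]}-{widest[1]} overlaps {lo}-{hi}")
        if not same_family or hi > widest[1]:
            widest = (lo, hi)
    return problems

def review(cfg):
    """List settings that leave the tenant more open than the strictest option."""
    findings = check_ranges(cfg["client_ip_ranges"])
    if not cfg["admin_source_ips"]:
        findings.append("tenant admin can log in to the VMS from any IP address")
    if not cfg["smb_require_signing"]:
        findings.append("SMB signing is not mandatory for clients")
    if cfg["smb_encryption"] != "Required":
        findings.append("SMB clients can connect without encryption")
    if cfg["default_share_acl"] == "Full control":
        findings.append("default 'Everyone' share-level permission is Full control")
    return findings

if __name__ == "__main__":
    for finding in review(PLANNED):
        print("REVIEW:", finding)
```

Overlapping ranges are reported for review only; the page does not state whether the dialog itself rejects them.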

Creating a Tenant in VAST CLI

To create a tenant from the VAST CLI, run the tenant create command.