Creating Views


Each view is attached to a view policy which governs some of the configuration of the view. A view policy can be reused.  

If there is no view policy with the configuration that you need for a particular view, you need to create a suitable view policy first. See Creating View Policies for instructions.

Creating a View via VAST Web UI

  1. In the VAST Web UI, select Element Store from the left navigation menu and then select Views.

  2. Click Create View to add a new view.

    The Add View dialog appears.

  3. In the General tab, complete the following fields:

    Tenant

    Select a tenant from the dropdown.

    Note

    This field is displayed only if the cluster has more than one tenant.

    Path

    Enter the full path from the top level of the storage system on the cluster to the location that you want to expose.

    The directory may already exist, for example if it was created by a client inside a mounted parent directory. It can also be the path of a new directory that you create now. (See Create new directory for the view.)

    If you are going to use the path to create an S3 bucket, ensure that none of the subdirectories under the path has a replication protected path defined on it.

    Note

    If the path is an encrypted path, the path must be created as an encrypted path before you create the view.

    Protocols

    Select one or more protocols you want the view to be accessible from. The options are:

    • NFSv3 exposes the view as an NFS export to clients using NFS version 3.

    • NFSv4 exposes the view as an NFS export to clients using NFS version 4.1 or 4.2.

    • SMB exposes the view as an SMB share to SMB clients.  

    • Block exposes the view as a Block storage subsystem. You cannot enable any other protocols together with Block.

    • S3 Bucket exposes the view as an S3 bucket.

    • S3 Endpoint creates a template for creating buckets via S3 APIs. Whenever a bucket is created using this endpoint, a new view is created under the specified path. See Managing S3 Request-Initiated Bucket Creation for more information about S3 Endpoint buckets.

      You can enable NFSv3 and/or NFSv4 together with S3 Endpoint. In this case, the view path is exported for NFS access while multiple S3 buckets may also be created under the view path.

      This option is supported on the default tenant only.

    • Database exposes tabular data to database query engines. This value is used for each view that VAST Cluster creates when a user chooses to create a database on the cluster. For more information, see Configuring the VAST Cluster for Database Access.

    • Kafka exposes VAST Database tables that are used as topics to publish and consume events. For more information, see Publishing Events to VAST Event Broker.

      When you select Kafka, the Database and S3 Bucket protocols are also automatically enabled.

    SMB share name

    If you selected SMB in the Protocols dropdown, enter a name for the SMB share in the SMB share name field. This setting is required for SMB.

    The SMB share name cannot include the following characters: /\:|<>*?"

    An SMB share name must be unique within the tenant.

    NFS alias

    If you selected NFSv3 in the Protocols dropdown to enable NFSv3 access, you can use the NFS alias field to optionally specify an alias for the mount path of the NFSv3 export.

    An alias must begin with a forward slash ("/") and must consist of only ASCII characters.

    An NFS export alias must be unique within the tenant.

    S3 bucket name

    If you selected S3 Bucket in the Protocols dropdown, enter a name for the bucket in the S3 Bucket Name field. This setting is required for S3 buckets.

    A bucket name must be unique across all tenants of the cluster. For more guidelines on bucket naming, see Overview of VAST Cluster S3 Implementation.

    Policy name

    Specify a view policy that has the configuration you want to use for the view.

    Select an existing view policy from the dropdown, or click Add new Policy to create a new one and follow the procedure described in Creating View Policies.

    QoS policy

    Specify a QoS policy to be associated with the view. For background, see Quality of Service.

    Select an existing QoS policy from the dropdown, or click Add New Policy to create a new one and follow the procedure described in Creating a QoS Policy.

    Create new directory for the view

    If the directory does not already exist in the file system, toggle this option on to create the directory.

    Note

    When creating a view on an encrypted path, do not check this box. The path is created when you create the encrypted path, before you create the view.

    Inherit parent ACL

    If selected, the newly created directory will inherit the ACL of the parent directory.

    If not selected, or if the parent directory has no inherited ACL, the newly created directory is assigned an ACL granting POSIX 777 permissions.

  4. If the Policy name field was set to a view policy that enforces the S3 Native security flavor, choose one of the object ownership modes in the ACLs pane:

    • ACLs enabled (default). The user who uploads the object becomes the object owner. Access is authorized based on ACLs and identity or bucket policies.

    • ACLs disabled. The bucket owner has full control over any object in the bucket. Access to objects is authorized based on identity and bucket policies. ACLs are not used, for S3 or for any other access protocol.

    Note

    For more information about these modes, see S3 Object Ownership.

  5. If you selected S3 Bucket or S3 Endpoint in the Protocols dropdown, go to the S3 tab and set the relevant settings:

    • For S3 Bucket:

      Under General:

      User or IAM Role

      Specifies whether the bucket owner is a user or an IAM role.

      Bucket Owner

      Specify a user to be the bucket owner. This setting is required for S3 buckets.

      Under S3 Access Control:

      Anonymous access

      Allows anonymous S3 access to the bucket.

      If enabled, anonymous requests are allowed, provided that the object ACL grants access to the All Users group (for S3 Native security flavor) or the permission mode bits on the requested file and directory path grant access permission to others (for NFS security flavor).

      For views with SMB security flavor, anonymous requests are not allowed.

      Under Versioning:

      S3 Versioning

      Enables S3 Object Versioning on the bucket. Versioning cannot be disabled after the view is created.

      Note

      This setting must be enabled if S3 Object Locking is enabled, so it is automatically toggled on when you enable S3 Object Lock.

      Under Indestructible Object Mode:

      Note

      This section only appears if indestructible object mode is enabled on the cluster.

      Enable indestructible object mode

      Slide to the right to enable the feature on the view. Restrictions apply. See Indestructible Object Mode for full feature details.

      Default Retention Period

      To set the retention period to anything other than the default 8 days, enter the number of days in the field. You can set any number of days from 1 to 400.

      Note

      You will not be able to change this retention period after view creation without first unlocking the cluster's indestructibility mechanism, which requires a secure authentication procedure. See Managing the Indestructibility Mechanism.

    • For S3 Endpoint:

      Under S3 Access Control:

      Bucket Creators (Users)

      List bucket users by user name. Any request to create an S3 bucket that is sent via the S3 API by a user listed here will use the S3 Endpoint view that you are configuring.

      Users should not be specified as bucket creators in more than one S3 Endpoint view.

      Naming a user as a bucket creator in two S3 Endpoint views will fail the creation of the view with an error.

      Bucket Creators (Groups)

      List user groups by group name. Any request to create an S3 bucket that is sent via the S3 API by a user who belongs to a group listed here will use the S3 Endpoint view that you are configuring.

      Caution

      Take extra care not to duplicate bucket creators through groups. If you specify a group as a bucket creator group in one view and also specify a user who belongs to that group as a bucket creator user in another view, view creation will not fail. However, the two configurations conflict, and which view is used to configure that user's buckets is not predictable.

      Anonymous access

      Allows anonymous S3 access to the bucket.

      If enabled, anonymous requests are allowed, provided that the object ACL grants access to the All Users group (for S3 Native security flavor) or the permission mode bits on the requested file and directory path grant access permission to others (for NFS security flavor).

      For views with SMB security flavor, anonymous requests are not allowed.

  6. If you selected S3 Bucket in the Protocols dropdown and the view is attached to a view policy with the S3 Native security flavor, you can optionally go to the Bucket Notifications tab to configure S3 event notifications for this view.

    To define an event notification for the bucket:

    1. Click Create New Notification.

    2. Enter a unique name for the new event notification in the Event Name field.

    3. Under Trigger, specify one or more S3 events for which you want to send notifications, or use the wildcard '*' to select all events, under each of the event categories: Object Creation, Object Tagging or Object Removal.

      Note

      See Event Publishing for an explanation of S3 events.

    4. Under Filter, optionally specify Prefix and/or Suffix to include only those events that have an S3 object key prefix or suffix that matches the corresponding filter string.

    5. Under Notifications:

    6. Click Add Notification.

      The newly created notification definition will be listed in the Bucket Notifications tab.

  7. If you selected S3 Bucket in the Protocols dropdown, optionally go to the Bucket Logging tab and make the relevant settings:

    Enable bucket logging

    Toggle on to enable S3 bucket logging for the bucket. By default, logging is disabled.

    Destination bucket

    Select a bucket to store the logs.

    Prefix

    Optionally, specify a prefix that will be prepended to each key of a log object uploaded to the destination bucket. This prefix can be used to categorize log objects; for example, if you use the same destination bucket for multiple source buckets. The prefix can be up to 128 characters and must follow S3 object naming rules.

    Key format

    Select the format for the log object keys:

    • Non-date-based partitioning

      This is the default format:

      [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

    • Date-based partitioning

      This format enables timestamp-based partitioning of log objects:

      [DestinationPrefix][SourceUsername]/[SourceBucket]/
          [YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

      If you choose this format, you can use the Timestamp field to determine which time to use for the log object key: the time when the log object has been delivered to the destination bucket, or the time when the logged events occurred.

    In the formats:

    • [DestinationPrefix] is the optional prefix that prepends keys of log objects uploaded to the destination bucket. You define this prefix in the Prefix field.

    • [SourceUsername] is the username for the owner of the bucket being logged.

    • [SourceBucket] is the bucket being logged.

    • UTC time is used in timestamps.

    • [UniqueString] is a unique string added to prevent overwriting of objects.

    Timestamp

    If you specified the Key format that enables date-based partitioning of log objects, select the type of timestamp to be used when generating log object keys:

    • S3 event time. The timestamp shows the time when the logged events occurred.

    • Log object delivery time. The timestamp shows the time when the log object has been delivered to the destination bucket.

  8. If you selected SMB in the Protocols dropdown, you can optionally configure a share-level ACL:

    1. Go to the SMB -> Share-level ACL tab.

    2. Toggle Enable Share-level ACL on to enable share-level ACL on the view.

      When enabled, SMB requests to access the view will fail unless permission is granted to the requesting user by an ACE configured in this dialog.

      When disabled, the default share-level ACL applies to the view.  

      Tip

      The default share-level ACL grants Full Control permissions to the Everyone group. You can alter this setting on the General tab of the Tenant dialog (choose Element Store -> Tenants -> choose to edit a tenant).

    3. Add share-level ACEs:

      1. Under Search, query a user or group that you want to define an ACE for:

        1. Select a specific Active Directory domain or all domains from the Domain dropdown.

        2. Select the Grantee type (user or group) that you want to search for.

        3. In the Name field, specify the name of the grantee:

          • For a grantee from the cluster's joined domain, enter the name without the domain name suffix.

          • For a grantee from domains in other trusted forests, enter the name followed by the domain name suffix: <grantee name>@<domain name>.

      2. Click + Add ACE. The grantee's type and name are displayed in the ACL grid.

      3. In the Permission column of the ACL grid, select the permission type that you want to grant to the grantee.

      4. Repeat sub-steps 1 to 3 until you have created all the ACEs that you want to configure.

  9. If you selected SMB in the Protocols dropdown, for views of a tenant that has SMB encryption enabled, you can optionally configure the view with SMB encryption protection that is equal to or stronger than that of the tenant.

    1. Go to the SMB -> Encryption tab.

      Note

      This tab is shown only when the tenant has SMB encryption enabled.

    2. Under Protection Activation Policy, select one of the available protection levels:

      • Available (low) - Encryption is used only for SMB clients which have requested it explicitly. For clients that do not support encryption, access is allowed but no encryption is used.

      • Desired (medium) - The cluster uses encryption for any SMB client that supports encryption. For clients that do not support encryption, access is allowed but no encryption is used.

      • Required (high) - SMB clients that do not support encryption are denied access.

  10. If you selected Block in the Protocols dropdown, go to the Block tab and complete the fields:

    Name

    Enter a name for the subsystem. The name is incorporated into the generated subsystem NQN.

    Subsystem NQN

    This field is read-only. The value is generated after the name is defined.

    It is the NVMe Qualified Name (NQN), a unique identifier, incorporating the subsystem name, used to identify the view as a remote NVMe storage target for block clients.

    You can use this field to retrieve the subsystem NQN for connection from the client.

    Define as the default view (subsystem)

    Enable this option if you want to set the view to be the default subsystem view. The default subsystem view is used as the default if a block volume is created via the VMS REST API without a view being specified.

  11. If you selected Kafka in the Protocols dropdown, go to the Kafka tab to configure Kafka-related settings:

    • Select a virtual IP pool in the VIP Pool field. This virtual IP pool will be used to access event topics.

      The pool must belong to the same VAST tenant as the Kafka-enabled view.

      If the view is associated with a view policy that includes virtual IP pools, the pool specified as the Kafka pool must be one of the view policy pools.

    • Under Authentication Methods:

      • To authenticate clients on encrypted connections, select Encrypted connections and then select Require SASL plain authentication.

        Note that this option requires a Kafka TLS certificate to be provided for the VAST cluster.

      • To authenticate clients on non-encrypted connections, select Unencrypted connections and then select Require SASL plain authentication.

      • To enable authorization, toggle the Enable authorization option on.

  12. If the view is to be used as WORM storage, set these fields in the WORM/S3 Object Lock tab:

    1. Toggle Enable write once read many (WORM) on.

      Note

      This step is irreversible. Once WORM is enabled in a view, it cannot subsequently be disabled.

    2. Select the File Retention Mode (for NFS and SMB) or S3 Retention Mode (for S3) for the view:

      • Governance. In this mode, locked files cannot be deleted or changed. The retention settings can be shortened or extended by users with sufficient permissions.

      • Compliance. In this mode, locked files cannot be deleted or changed. Retention settings can be extended, but not shortened, by users with sufficient permissions.

      • None. (S3 only). The retention mode is not set for the view; it is set individually for each object.

    3. Configure the retention settings for the view as follows:

      • Default retention period. This is the period of time a file or object will be locked, if locking is done automatically (Auto-commit is set). It must be in the range Minimum retention period to Maximum retention period. Set it as minutes (m), hours (h), days (d), or years (y). Example: 4m.

      • Minimum retention period. The minimum retention period for a file or object, once it is locked, in minutes (m), hours (h), days (d), or years (y). This applies both to files locked automatically and to files locked manually.

      • Maximum retention period. The maximum retention period for a file or object, once it is locked, in minutes (m), hours (h), days (d), or years (y). This applies both to files locked automatically and to files locked manually.

      • Auto-commit period (NFS and SMB only). If set to a non-zero value, files are automatically locked once the Default Retention Period has elapsed from the time the file is saved. If this is set, you do not have to manually set files to Read-Only to lock them (see Write Once Read Many (WORM) Views). Set it as minutes (m), hours (h), days (d), or years (y). Example: 4m.

  13. In the Global Synchronization tab, optionally enable Enable global synchronization. This setting synchronizes file handles between the view and views on replication peers in a replication group that each point to the replicated path. It enables NFSv3 client users to retain the same mount point to the view in the event of a failover of the view path to a replication peer. Enabling global synchronization may cause overhead and should only be done when the use case is relevant.

    When you enable this setting, the Global Synchronization tab shows the synchronization status of views on remote replication peers. If replication is not configured on the view path or on any path under the view, the tab displays No synced views. If replication is configured on the view path or on any path(s) under the view, the following details are displayed per replication peer:

    • Path. A path under the view that is replicated to a remote path.

    • Cluster name. The cluster on which the remote path resides.

    • Peer name. The name of the replication peer.

    • Sync status. Synced means that there is a view on the remote path, that it has global synchronization enabled, and that it is synced with this view. Error means that there is no view on the remote path yet, or that there is a view on the remote path but it does not have global synchronization enabled. To complete the global synchronization configuration, you will need to create a new view and enable global synchronization when you create it.

    For more information about global synchronization, see Preparing for Seamless Replication Failover (NFSv3).

  14. If you selected SMB in the Protocols dropdown in the General tab, you can optionally configure Access-Based Enumeration (ABE):

    1. Go to the ABE tab.

      Note

      This tab is available for SMB-enabled views only.

    2. To enable ABE for the view, select SMB in the Protocols dropdown in the ABE tab.

    3. Optionally, set the maximum directory level (depth) at which ABE is enabled in the Max depth field. If left empty, ABE depth is unlimited.

  15. If you are going to use Attribute-Based Access Control (ABAC) for NFSv4, SMB or S3 operations, go to the Attribute-Based Access Control tab and enter a comma-separated list of ABAC attributes in the Attribute field.

    Up to 20 ABAC tags can be defined per view. ABAC tags are case-sensitive and can include alphanumeric characters, a hyphen (-), a colon (:), a plus sign (+), and an underscore (_).

    For example: red,green,yellow

  16. If you are going to use user impersonation, go to the User impersonation tab and proceed as follows:

    1. Toggle the Enable user impersonation option on.

    2. In the Select User field that becomes available after you enable user impersonation, select the impersonator (the user account to be used instead of the original user).

  17. Click Create.

    The view is now created and can be accessed via all the protocols you enabled. You can see it displayed in the Views tab.
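Once bucket logging is enabled (step 7), anyone ingesting the log objects into a SIEM has to recover the source bucket, owner and timestamp from the object key, and the two key formats differ in how the Prefix field is concatenated (no separator is inserted). The parser below is an added example, not VAST code: it handles both documented formats, assumes the caller knows the exact Prefix value, and uses constructed sample keys.

```python
import re
from datetime import datetime, timezone

# Constructed sample keys in the two documented formats, with the Prefix
# field set to "logs/". Not captured from a real cluster.
NON_DATE_KEY = "logs/2024-05-17-13-45-09-7A2F9C1B"
DATE_KEY = "logs/alice/prod-data/2024/05/17/2024-05-17-13-45-09-7A2F9C1B"

# Timestamp part shared by both formats:
# [YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
_TS = (r"(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})-"
       r"(?P<h>\d{2})-(?P<mi>\d{2})-(?P<s>\d{2})-(?P<unique>[^/]+)")
_NON_DATE = re.compile(_TS)
# [SourceUsername]/[SourceBucket]/[YYYY]/[MM]/[DD]/<timestamp part>
_DATE_BASED = re.compile(
    r"(?P<user>[^/]+)/(?P<bucket>[^/]+)/"
    r"(?P<py>\d{4})/(?P<pmo>\d{2})/(?P<pd>\d{2})/" + _TS)


def prefix_ok(prefix: str) -> bool:
    """The Prefix field is limited to 128 characters."""
    return len(prefix) <= 128


def parse_log_key(key: str, prefix: str = "") -> dict:
    """Parse a bucket-logging object key written in either documented format.

    The prefix is concatenated to the key without a separator, so pass exactly
    the value of the Prefix field. Returns 'format', 'timestamp' (UTC, as the
    page states), 'unique' and, for date-based keys, 'source_user' and
    'source_bucket'. Raises ValueError for keys in neither format.
    """
    if not key.startswith(prefix):
        raise ValueError("key does not start with the configured prefix")
    rest = key[len(prefix):]
    fmt = "date-based"
    m = _DATE_BASED.fullmatch(rest)
    if m is None:
        fmt = "non-date-based"
        m = _NON_DATE.fullmatch(rest)
    if m is None:
        raise ValueError("key matches neither log key format")
    ts = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]), tzinfo=timezone.utc)
    out = {"format": fmt, "timestamp": ts, "unique": m["unique"]}
    if fmt == "date-based":
        # Sanity check: the partition directories and the timestamp must
        # name the same day, otherwise the key was not produced this way.
        if (m["py"], m["pmo"], m["pd"]) != (m["y"], m["mo"], m["d"]):
            raise ValueError("partition path and timestamp disagree")
        out["source_user"] = m["user"]
        out["source_bucket"] = m["bucket"]
    return out


if __name__ == "__main__":
    for key in (NON_DATE_KEY, DATE_KEY):
        print(parse_log_key(key, prefix="logs/"))
```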

Creating a View via VAST CLI

Use the view create command to create the view.

Note

Share-level ACLs can be added via CLI only using the view modify command after creating the view.
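Because enabling WORM (step 12) is irreversible, it is worth checking the retention settings for consistency before creating the view, whether through the Web UI or the view create command. This check is an added example, not VAST code: it encodes the rules stated for the WORM/S3 Object Lock tab, counts a year as 365 days (the page does not say how a year is measured), and its function names are its own.

```python
import re

# Unit multipliers in minutes. The page lists minutes (m), hours (h),
# days (d) and years (y); counting a year as 365 days is this example's
# assumption, as the page does not say how a year is measured.
_UNIT_MINUTES = {"m": 1, "h": 60, "d": 24 * 60, "y": 365 * 24 * 60}
_PERIOD = re.compile(r"(\d+)([mhdy])")


def period_to_minutes(value: str) -> int:
    """Convert a retention string such as '4m', '12h', '30d' or '1y' to minutes."""
    m = _PERIOD.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"bad retention period {value!r}; expected <number><m|h|d|y>")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def check_worm_settings(default: str, minimum: str, maximum: str,
                        mode: str, mode_is_s3: bool,
                        auto_commit: str = "0m") -> list:
    """Return the problems found (an empty list means the settings are consistent).

    Rules from the WORM/S3 Object Lock tab: the default period must lie within
    [minimum, maximum]; the 'None' mode exists only for the S3 retention mode;
    the Auto-commit period applies to NFS and SMB (file retention) only.
    """
    problems = []
    try:
        d, lo, hi, ac = (period_to_minutes(x)
                         for x in (default, minimum, maximum, auto_commit))
    except ValueError as exc:
        return [str(exc)]
    if lo > hi:
        problems.append("Minimum retention period exceeds Maximum retention period")
    if not lo <= d <= hi:
        problems.append(f"Default retention period {default} is outside [{minimum}, {maximum}]")
    if mode == "None" and not mode_is_s3:
        problems.append("retention mode None is available for S3 only")
    elif mode not in ("Governance", "Compliance", "None"):
        problems.append(f"unknown retention mode {mode!r}")
    if ac > 0 and mode_is_s3:
        problems.append("Auto-commit period applies to NFS and SMB (file retention) only")
    return problems


if __name__ == "__main__":
    # A file-retention (NFS/SMB) configuration that auto-locks after 4 minutes
    print(check_worm_settings("30d", "1d", "1y", "Compliance", False, "4m"))
    # An S3 configuration whose default exceeds the maximum
    print(check_worm_settings("2y", "1d", "1y", "Governance", True))
```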