tenant create


This command creates a tenant.

Usage

tenant create --name NAME
             [--enable-privileged-domain-user-restore-access]|[--disable-privileged-domain-user-restore-access]
             [--enable-privileged-domain-group-backup-access]|[--disable-privileged-domain-group-backup-access]
             [--enable-privileged-domain-group-restore-access]|[--disable-privileged-domain-group-restore-access]
             [--privileged-domain-user-logon-name PRIVILEGED_USER_NAME]
             [--privileged-domain-group-sid PRIVILEGED_DOMAIN_GROUP_SID]
             [--local-administrators-group-name GROUP_NAME]
             [--default-others-share-level-perm FULL|READ|CHANGE]
             [--encryption-group ENCRYPTION_GROUP]
             [--trash-gid TRASH_GID]
             [--client-ip-ranges IP_RANGES]
             [--posix-primary-provider AD|LDAP|NIS]
             [--login-name-primary-provider AD|LDAP|NIS]
             [--ad-provider-id ID]
             [--ldap-provider-id ID]
             [--nis-provider-id ID]
             [--enable-use-smb-native|--disable-use-smb-native]
             [--enable-require-smb-signing|--disable-require-smb-signing]
             [--allow-disabled-users]|[--prohibit-disabled-users]
             [--allow-locked-users]|[--prohibit-locked-users]
             [--enable-nfs-v4.2]|[--disable-nfs-v4.2]
             [--local-provider-id ID]
             [--preferred-owning-group PROTOCOL_BASED|POSIX_GID]
             [--allowed-delegations READ|WRITE|READ_WRITE|NONE]
             [--enable-grant-unrequested-delegations-by-default|--disable-grant-unrequested-delegations-by-default]
             [--smb-encryption-state OFF|AVAILABLE|DESIRED|REQUIRED]
             [--max-views MAX]
             [--capacity-rules CAPACITY_RULES]
             [--static-limits STATIC_LIMITS]

Required Parameters

--name NAME

Specifies a name for the tenant.

Options

--enable-privileged-domain-user-restore-access

Enables restore access for the privileged SMB or NFSv4.1 user (see --privileged-domain-user-logon-name).

--disable-privileged-domain-user-restore-access

Disables restore access for the privileged SMB or NFSv4.1 user.

--enable-privileged-domain-group-backup-access

Enables backup access for the privileged SMB group (see --privileged-domain-group-sid and --local-administrators-group-name).

--disable-privileged-domain-group-backup-access

Disables backup access for the privileged SMB group.

--enable-privileged-domain-group-restore-access

Enables read and write control access for the privileged SMB user group. Members of the group can perform backup and restore operations on all files and directories, without requiring read or write access to the specific files and directories.

--disable-privileged-domain-group-restore-access

Disables write control access for the privileged SMB group. If backup access is enabled (see --enable-privileged-domain-group-backup-access), the group retains read control access: members can perform backup operations on all files and directories without requiring read access to the specific files and directories, but they cannot perform restore operations without write access to the specific files and directories.

--privileged-domain-user-logon-name PRIVILEGED_USER_NAME

An optional custom user name for the SMB or NFSv4.1 privileged user. If not set, the user name is 'vastadmin' in the cluster's joined domain.

--privileged-domain-group-sid PRIVILEGED_DOMAIN_GROUP_SID

Specify a custom group SID in order to have a working SMB or NFSv4.1 privileged group with backup operator privileges. If not set, the SMB privileged group is set to the Backup Operators domain group (S-1-5-32-551), which, due to a known issue, does not receive backup operator privileges.
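A pre-flight check for the SID you pass to --privileged-domain-group-sid, added here as an example; it is not part of the VAST CLI or its documentation. It validates the textual SID format (S-1-<identifier authority>-<sub authorities>), flags the default S-1-5-32-551 that this page says does not receive backup operator privileges, and, as this example's own additional check, warns when the SID is not in the domain account form S-1-5-21-<domain identifier>-<RID>, since S-1-5-32-* SIDs are the BUILTIN aliases of a single machine rather than domain groups. The function names and the sample domain SID are this example's own.

```python
"""Check a SID string before passing it to --privileged-domain-group-sid.

Added example, not part of the VAST CLI. Validates the textual SID format,
flags the default S-1-5-32-551 (which this page says does not receive backup
operator privileges) and warns when the SID is not a domain account SID.
"""
import re
from typing import List, Tuple

# S-1-<authority>-<sub authority>[-<sub authority>...], at most 15 sub authorities
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")
DEFAULT_BACKUP_OPERATORS_SID = "S-1-5-32-551"  # BUILTIN\Backup Operators


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Return (identifier_authority, [sub_authorities]) or raise ValueError."""
    match = SID_RE.match(sid.strip())
    if not match:
        raise ValueError(f"{sid!r} is not a textual SID")
    authority = int(match.group(1))
    subs = [int(s) for s in match.group(2).split("-")[1:]]
    # identifier authority is 48 bits, each sub authority is 32 bits
    if authority >= 2 ** 48 or any(s >= 2 ** 32 for s in subs):
        raise ValueError(f"{sid!r} has an out-of-range component")
    return authority, subs


def is_well_formed_sid(sid: str) -> bool:
    try:
        parse_sid(sid)
    except ValueError:
        return False
    return True


def is_domain_sid(sid: str) -> bool:
    """S-1-5-21-<three 32-bit words>-<RID>: an account or group in an AD domain."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def check_privileged_group_sid(sid: str) -> List[str]:
    """Warnings to review before using sid for the privileged group (empty = fine)."""
    warnings: List[str] = []
    if sid.strip() == DEFAULT_BACKUP_OPERATORS_SID:
        warnings.append(
            "S-1-5-32-551 is the default and, per the known issue, does not "
            "receive backup operator privileges; supply a custom group SID"
        )
    elif not is_domain_sid(sid):
        # This example's own check: the option targets a group in the joined domain.
        warnings.append(
            "not a domain group SID (expected S-1-5-21-<domain>-<RID>); "
            "S-1-5-32-* SIDs are BUILTIN aliases, not domain groups"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample SIDs; the domain identifier below is made up.
    for candidate in (DEFAULT_BACKUP_OPERATORS_SID,
                      "S-1-5-21-3623811015-3361044348-30300820-1013"):
        print(candidate, check_privileged_group_sid(candidate) or "ok")
```

Run it against the SID you intend to use; an empty warning list means the string is well formed and names a domain group rather than the BUILTIN default.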

--local-administrators-group-name GROUP_NAME

Specify a custom name for the privileged SMB group. If not specified, the privileged SMB group name is Backup Operators.

--default-others-share-level-perm FULL|READ|CHANGE

Sets the default 'Everyone' Group SMB share-level permission for the tenant. This default permission affects all views in which share-level ACL is disabled.

For more information about SMB share-level permissions, see Share-Level ACLs.

Possible values:

  • FULL (default). Grants all SMB users full control share-level access to views that have Share-level ACL disabled.

  • READ. Grants all SMB users read share-level access to views that have Share-level ACL disabled.

  • CHANGE. Grants all SMB users change share-level access to views that have Share-level ACL disabled.

--encryption-group ENCRYPTION_GROUP

If encryption is enabled on the cluster with external key management (EKM), specify a string identifier for the tenant's encryption group.

You can optionally provide the same group for more than one tenant if you want to join multiple tenants to the same encryption group on the EKM. Tenants that belong to the same group will be managed by the same encryption key.

Supply the group's Cloud Resource Name (CRN) identifier as ENCRYPTION_GROUP.

Valid format: string, up to 128 characters

An encryption group is required for tenant creation if EKM encryption is enabled.

The encryption group cannot be changed after creating the tenant.

For more information about EKM encryption, see Encryption of Data at Rest.

--trash-gid TRASH_GID

If you want to allow access to the trash folder for non-root NFSv3 users serviced by the tenant, specify this option and provide the GID of the user group that you want to use for this purpose as TRASH_GID. Users who belong to this group will have permission to move files into the trash folder. See Trash Folder (for Rapid Parallel File Deletion).

By default, the operation of moving files into the trash folder is supported for the root user only.

--client-ip-ranges IP_RANGES

Specifies an array of ranges of client IPs to be served by the tenant. Specify IP_RANGES as an array where ranges are separated by spaces and the start and end IP of each range are separated by a comma.

For example: 10.10.10.2,10.10.10.4 2022:3::69:1337:420:8153,2022:3::69:1337:420:8200

See Overview of Tenants for more information about dedicating virtual IP pools to tenants and associating client IPs to a tenant.
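A parser for the IP_RANGES format described above, added here as an example; it is not part of the VAST CLI or its documentation. It assumes only what the option text states (ranges separated by spaces, start and end separated by a comma), handles IPv4 and IPv6, and adds two checks a practitioner would want before dedicating client ranges to a tenant: that each range is well formed, and that two tenants' ranges do not overlap, since overlapping ranges would make both tenants claim the same client addresses. The function names and the second tenant's sample range are this example's own.

```python
"""Parse and check the IP_RANGES argument of `tenant create --client-ip-ranges`.

Added example, not part of the VAST CLI. Format assumed from the option text:
ranges separated by spaces, START,END within a range. IPv4 and IPv6 both work.
"""
import ipaddress
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Range = Tuple[Address, Address]


def parse_client_ip_ranges(spec: str) -> List[Range]:
    """Return [(start, end), ...]; raise ValueError on a malformed spec."""
    ranges: List[Range] = []
    for token in spec.split():
        parts = token.split(",")
        if len(parts) != 2:
            raise ValueError(f"range {token!r} must be START,END")
        start = ipaddress.ip_address(parts[0].strip())
        end = ipaddress.ip_address(parts[1].strip())
        if start.version != end.version:
            raise ValueError(f"range {token!r} mixes IPv4 and IPv6")
        if start > end:
            raise ValueError(f"range {token!r} has START after END")
        ranges.append((start, end))
    if not ranges:
        raise ValueError("IP_RANGES must contain at least one range")
    return ranges


def is_valid_client_ip_ranges(spec: str) -> bool:
    try:
        parse_client_ip_ranges(spec)
    except ValueError:
        return False
    return True


def client_served_by(spec: str, client_ip: str) -> bool:
    """True if client_ip falls inside one of the tenant's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        start <= ip <= end
        for start, end in parse_client_ip_ranges(spec)
        if start.version == ip.version  # never compare IPv4 with IPv6
    )


def overlapping_ranges(spec_a: str, spec_b: str) -> List[Tuple[Range, Range]]:
    """Pairs of ranges, one from each spec, that share at least one address.

    Two tenants whose ranges overlap would both claim the same client
    addresses, so check for an empty result before creating the second tenant.
    """
    overlaps: List[Tuple[Range, Range]] = []
    for a in parse_client_ip_ranges(spec_a):
        for b in parse_client_ip_ranges(spec_b):
            if a[0].version != b[0].version:
                continue
            if a[0] <= b[1] and b[0] <= a[1]:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    # Constructed sample: the two ranges from the option text above, plus a
    # second tenant whose range touches the first on 10.10.10.4.
    tenant1 = "10.10.10.2,10.10.10.4 2022:3::69:1337:420:8153,2022:3::69:1337:420:8200"
    tenant2 = "10.10.10.4,10.10.10.9"
    print(client_served_by(tenant1, "10.10.10.3"))
    print(client_served_by(tenant1, "10.10.10.5"))
    print(overlapping_ranges(tenant1, tenant2))
```

The overlap check is the one worth running routinely: the CLI will accept each tenant's ranges on its own, but only a comparison across tenants tells you whether a client address ends up matching more than one tenant.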

--posix-primary-provider AD|LDAP|NIS

Specifies one provider to take precedence over other providers in case of any conflicts between attribute values when user information is retrieved from the providers.

Applicable if more than one provider is enabled (see --ad-provider-id, --ldap-provider-id, --nis-provider-id).

--login-name-primary-provider AD|LDAP|NIS

Determines which authorization provider is the primary provider for the user’s login name.

Applicable if more than one provider is enabled (see --ad-provider-id, --ldap-provider-id, --nis-provider-id).

--ad-provider-id ID

Specify up to one Active Directory configuration by its ID in order to enable it for the tenant.

Providers configured on the cluster are available for you to select up to one of each type (Active Directory, LDAP and NIS), subject to combination restrictions per tenant described in Authorization Providers in VAST Cluster.

--ldap-provider-id ID

Specify up to one LDAP server configuration by its ID in order to enable it for the tenant.

Providers configured on the cluster are available for you to select up to one of each type (Active Directory, LDAP and NIS), subject to combination restrictions per tenant described in Authorization Providers in VAST Cluster.

--nis-provider-id ID

Specify up to one NIS configuration by its ID in order to enable it for the tenant.

Providers configured on the cluster are available for you to select up to one of each type (Active Directory, LDAP and NIS), subject to combination restrictions per tenant described in Authorization Providers in VAST Cluster.

--enable-use-smb-native

When this option is specified, VAST Cluster authorizes client access by using user and group information supplied via Kerberos or NTLM authentication, rather than by querying that user in Active Directory. For more information, see Authentication for SMB Access.

--disable-use-smb-native

Disables authorization based on the user and group information supplied via Kerberos or NTLM authentication; the cluster instead authorizes SMB client access by querying the user in Active Directory. This is the default setting.

Note

If you disable the use of Kerberos/NTLM authentication to authorize users from non-trusting domains, users who previously gained access this way still have access, even though the feature is now disabled.

--enable-require-smb-signing

When specified, SMB clients are required to sign SMB requests. SMB requests with missing or invalid signatures are not accepted.

--disable-require-smb-signing

When specified, SMB clients are not required to sign SMB requests.

--allow-disabled-users

Allows IO to be performed on the cluster by users whose accounts are disabled in Active Directory.

By default, if the user's account is disabled in Active Directory by an administrator, the user is blocked from performing IO on the cluster. This setting overrides the default behavior.

--prohibit-disabled-users

Restores default behavior, where users whose accounts are disabled in Active Directory are blocked from performing IO on the cluster.

--allow-locked-users

Allows IO to be performed on the cluster by users whose accounts are automatically locked out in Active Directory by account lockout policies. Active Directory account lockout policies determine when and for how long users are automatically locked out after invalid login attempts.

By default, if the user's account is locked out by Active Directory lockout policies, the user is blocked from performing IO on the cluster. This setting overrides the default behavior.

--prohibit-locked-users

Restores default behavior, where users whose accounts are locked out by Active Directory lockout policies are blocked from performing IO on the cluster.

--enable-nfs-v4.2

Enables support of NFS version 4.2 for this tenant.

Tip

Specify this option if you want to let your clients use the NFSv4.2 Security Labels capability. See NFSv4.2 Security Labels.

--disable-nfs-v4.2

Disables support of NFS version 4.2 for this tenant.

--local-provider-id ID

Specifies a local provider with which the tenant is associated. If not specified, the default tenant is used.

--preferred-owning-group PROTOCOL_BASED|POSIX_GID

Controls the way VAST Cluster sets the owning group when creating files on a view whose security flavor is SMB or Mixed Last Wins:

  • PROTOCOL_BASED (default): The owning group is determined based on the access protocol:

    • For SMB, the primaryGroupID of the user

    • For NFS, the POSIX GID of the user

  • POSIX_GID: The owning group is determined based on the POSIX GID of the user.

--smb-encryption-state OFF|AVAILABLE|DESIRED|REQUIRED

Enables or disables SMB encryption for the tenant and sets the protection level:

  • OFF: SMB encryption is disabled.

  • AVAILABLE: Encryption is used only for SMB clients which have requested it explicitly. For clients that do not support encryption, access is allowed but no encryption is used.

  • DESIRED: The cluster uses encryption for any SMB client that supports encryption. For clients that do not support encryption, access is allowed but no encryption is used.

  • REQUIRED: SMB clients that do not support encryption are denied access. Only this level guarantees that all SMB traffic for the tenant is encrypted; AVAILABLE and DESIRED still permit unencrypted access from clients that do not support encryption.

--max-views MAX

Set the maximum number of views the tenant can have to MAX. A value of 0 indicates unlimited views. Default: 0.

NFSv4 File Delegation Options

--allowed-delegations READ|WRITE|READ_WRITE|NONE

Enables NFSv4 file delegations for the tenant and specifies the type of NFSv4 file delegations that the cluster can grant to a client opening a file: read, write, or both. A value of NONE (default) disables NFSv4 file delegations.

Valid values:  READ, WRITE, READ_WRITE, NONE.

--enable-grant-unrequested-delegations-by-default

If specified, the cluster grants the allowed delegations even when the client does not explicitly request a delegation. This is the default behavior.

--disable-grant-unrequested-delegations-by-default

If specified, the cluster does not grant the allowed delegations to clients that do not explicitly request a delegation.

Capacity and Performance Limits (QoS)

Note

In VAST Cluster 5.4, block protocol operations are not subject to the tenant's capacity and performance limitations.

--capacity-rules CAPACITY_RULES

Enables and sets capacity limits for the tenant.

Specify CAPACITY_RULES as a comma-separated list of key=value pairs, where the following keys can be used:

  • soft_limit. A soft limit for the maximum allowed used capacity (GB).

  • hard_limit.  A hard limit for the maximum allowed used capacity (GB).

For example:

soft_limit=1024,hard_limit=2048

--static-limits STATIC_LIMITS

Enables and sets static performance limits for the tenant.

Specify STATIC_LIMITS as a comma-separated list of key=value pairs, where the following keys can be used:

  • max_reads_bw_mbps. Maximum read bandwidth to provision, in MB/s.

  • max_reads_iops. Maximum read IOPS to provision.

  • max_writes_bw_mbps. Maximum write bandwidth to provision, in MB/s.

  • max_writes_iops. Maximum write IOPS to provision.

  • burst_reads_bw_mb. Burst bandwidth for read operations, in MB/s.

  • burst_reads_iops. Burst IOPS for read operations.

  • burst_reads_loan_mb. Maximum credit bandwidth for read operations, in MB/s.

  • burst_reads_loan_iops. Maximum credit IOPS for read operations.

  • burst_writes_bw_mb. Burst bandwidth for write operations, in MB/s.

  • burst_writes_iops. Burst IOPS for write operations.

  • burst_writes_loan_mb. Maximum credit bandwidth for write operations, in MB/s.

  • burst_writes_loan_iops. Maximum credit IOPS for write operations.

For example:

max_reads_bw_mbps=1024,max_writes_iops=2048
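A parser for the comma-separated key=value lists that --capacity-rules and --static-limits take, added here as an example; it is not part of the VAST CLI or its documentation and serves both options. The key names are the ones listed in the two sections above; the checks it applies before the command is run (integer values only, no unknown or duplicate keys, soft_limit not above hard_limit) are this example's own, as are the function names.

```python
"""Parse the key=value lists accepted by --capacity-rules and --static-limits
and sanity-check them before running `tenant create`.

Added example, not part of the VAST CLI. Key names come from the reference
above; the validation rules are this example's own.
"""
from typing import Dict, Optional, Set

CAPACITY_KEYS: Set[str] = {"soft_limit", "hard_limit"}  # values in GB

STATIC_LIMIT_KEYS: Set[str] = {
    "max_reads_bw_mbps", "max_reads_iops",
    "max_writes_bw_mbps", "max_writes_iops",
    "burst_reads_bw_mb", "burst_reads_iops",
    "burst_reads_loan_mb", "burst_reads_loan_iops",
    "burst_writes_bw_mb", "burst_writes_iops",
    "burst_writes_loan_mb", "burst_writes_loan_iops",
}


def parse_kv_list(spec: str, allowed: Set[str]) -> Dict[str, int]:
    """Turn 'k1=v1,k2=v2' into a dict, rejecting malformed or unknown entries."""
    result: Dict[str, int] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"{item!r} is not key=value")
        if key not in allowed:
            raise ValueError(f"unknown key {key!r}")
        if key in result:
            raise ValueError(f"duplicate key {key!r}")
        if not value.isdigit():
            raise ValueError(f"value for {key!r} must be a non-negative integer")
        result[key] = int(value)
    if not result:
        raise ValueError("no key=value pairs given")
    return result


def parse_capacity_rules(spec: str) -> Dict[str, int]:
    rules = parse_kv_list(spec, CAPACITY_KEYS)
    # This example's own rule: a soft limit above the hard limit is a mistake.
    if rules.get("soft_limit", 0) > rules.get("hard_limit", float("inf")):
        raise ValueError("soft_limit must not exceed hard_limit")
    return rules


def parse_static_limits(spec: str) -> Dict[str, int]:
    return parse_kv_list(spec, STATIC_LIMIT_KEYS)


def validation_error(spec: str, kind: str) -> Optional[str]:
    """Return the error message for a bad spec, or None if it is acceptable.

    kind is "capacity" for --capacity-rules or "static" for --static-limits.
    """
    parser = parse_capacity_rules if kind == "capacity" else parse_static_limits
    try:
        parser(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The two examples from the reference above, then two constructed bad inputs.
    print(parse_capacity_rules("soft_limit=1024,hard_limit=2048"))
    print(parse_static_limits("max_reads_bw_mbps=1024,max_writes_iops=2048"))
    print(validation_error("soft_limit=4096,hard_limit=2048", "capacity"))
    print(validation_error("max_reads_bw_mbs=1024", "static"))  # misspelled key
```

The unknown-key check is the one that pays for itself: a misspelled key such as max_reads_bw_mbs would otherwise be caught only by the CLI, if at all, leaving the tenant without the limit you thought you had set.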

Example

vcli: admin> tenant create --name Tenant1 --client-ip-ranges 10.10.10.2,10.10.10.4 11.11.11.2,11.11.11.4 --posix-primary-provider AD --ad-provider-id 1 --nis-provider-id 1 --local-provider-id 1