Tenant Commands
The following commands assume that the cluster is Kerberized and Ranger enabled.
After setting up the S3 Multi-Tenancy feature, you can create and list tenants, assign users to tenants, grant and revoke tenant admin privileges, revoke user access, and delete tenants.
Creating a tenant
To create a new tenant in the Ozone cluster, you must have cluster admin privileges, as defined by the ozone.administrators configuration. When you create a tenant, a volume with the same name is created. The tenant name and volume name are therefore always identical, and the tenant's volume cannot be changed after the tenant is created.
To create a new tenant, run ozone tenant [--verbose] create <TENANT_NAME>
Listing a tenant
To list all tenants in an Ozone cluster, run ozone tenant list [--json]
Assigning a user to a tenant
Only an Ozone cluster administrator can assign the first user to a tenant. Once that first user has been given admin privileges, they can assign further users to the tenant. A user can be assigned to multiple tenants.
To assign a user to a tenant, run ozone tenant [--verbose] user assign <USER_NAME> --tenant=<TENANT_NAME>
Assigning a user as a tenant admin
Only an Ozone cluster administrator can assign the first user to a tenant, along with an access key ID/secret pair. Once that first user has been given admin privileges, they can create and assign new users. A user can be assigned to multiple tenants.
Both delegated and non-delegated tenant admins can assign and revoke tenant users from their tenant. However, only a delegated admin can assign and revoke the tenant admins from a tenant.
You can be a tenant admin in multiple tenants; you are issued a different access ID under each tenant.
To assign a user as a tenant admin, the currently logged-in user must hold Ozone cluster administrator or delegated tenant administrator privileges. Run ozone tenant user assignadmin <ACCESS_ID> [-d|--delegated] --tenant=<TENANT_NAME>
Listing users in a tenant
To list users in a tenant, run ozone tenant user list [--json] <TENANT_NAME>
Getting tenant user info
To get tenant user’s information, run ozone tenant user info [--json] <USER_NAME>
Revoking a tenant admin
To revoke a tenant admin, run ozone tenant [--verbose] user revokeadmin <ACCESS_ID>
Revoking user access from a tenant
To revoke the user access from a tenant, run ozone tenant [--verbose] user revoke <ACCESS_ID>
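The onboarding steps above (create a tenant, assign its first user, promote that user to a delegated tenant admin) and the matching revocation steps, chained into one script. This is an added example, not part of the Ozone project or this documentation; it assumes the caller already holds a Kerberos ticket for a cluster administrator and that the access ID issued by "user assign" has the form <TENANT_NAME>$<USER_NAME>, which is an assumption you should confirm against the command's output on your cluster. OZONE_BIN is a hypothetical variable that lets you point the script at a wrapper or stub.

```bash
#!/usr/bin/env bash
# Added example (not Ozone project code): tenant onboarding and offboarding
# using only the "ozone tenant" subcommands documented on this page.
set -euo pipefail

# Run an "ozone tenant" subcommand. OZONE_BIN (hypothetical) may name a
# wrapper or a stub so the sequence can be rehearsed without a cluster.
ozone_tenant() {
    "${OZONE_BIN:-ozone}" tenant "$@"
}

# Access ID for a user within a tenant. ASSUMPTION: the cluster issues IDs
# of the form <tenant>$<user>; verify this against real "user assign" output.
access_id_for() {
    printf '%s$%s\n' "$1" "$2"
}

# Create the tenant, assign its first user (cluster-admin privilege required),
# then make that user a delegated admin so they can manage users and admins.
onboard_tenant() {
    local tenant="$1" first_user="$2"
    ozone_tenant create "$tenant"
    ozone_tenant user assign "$first_user" --tenant="$tenant"
    ozone_tenant user assignadmin "$(access_id_for "$tenant" "$first_user")" \
        --delegated --tenant="$tenant"
}

# Reverse order for removal: revoke admin rights first, then tenant access,
# so the tenant can later satisfy the "empty, all admin access revoked"
# precondition for deletion.
offboard_user() {
    local tenant="$1" user="$2"
    local access_id
    access_id="$(access_id_for "$tenant" "$user")"
    ozone_tenant user revokeadmin "$access_id"
    ozone_tenant user revoke "$access_id"
}
```

Run as `onboard_tenant finance bob` from a shell holding a cluster-admin Kerberos ticket; pass `--verbose` through by adding it after `tenant` in ozone_tenant if you want the CLI's extra output.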
Deleting a tenant
A tenant must be empty, with all admin user access revoked, before it can be deleted. This is a safety measure: even after a tenant is deleted, the volume created for the tenant remains intact.