Tenant Commands

The following commands assume that the cluster is Kerberized and Ranger enabled.

After setting up the S3 Multi-Tenancy feature, you can create and list tenants, assign users to tenants and also assign admin privileges, revoke admin access or even delete a tenant, and so on.

Creating a tenant

To create a new tenant in the Ozone cluster, you must have cluster admin privileges defined in ozone.administrators configuration. When you create a tenant, a volume with the same name is created. However, tenant name and volume name must be the same and tenant volume cannot be changed after the tenant is created.

To create a new tenant, run ozone tenant [--verbose] create <TENANT_NAME>

Listing a tenant

To list all tenants in an Ozone cluster, run ozone tenant list [--json]

Assiging a user to a tenant

Only an Ozone cluster administrator can assign the first user to a tenant. After the first user gets admin privileges, the first user can create and assign new users. A user can be assigned multiple tenants.

To assign a user to a tenant, run ozone tenant [--verbose] user assign <USER_NAME> --tenant=<TENANT_NAME>

Assigning a user as a tenant admin

Only an Ozone cluster administrator can assign the first user to a tenant along with access key ID/secret pair. After the first user gets admin privileges, the first user can create and assign new users. A user can be assigned multiple tenants.

Both delegated and non-delegated tenant admins can assign and revoke tenant users from their tenant. However, only a delegated admin can assign and revoke the tenant admins from a tenant.

You can be a tenant admin in multiple tenants. However, you will be assigned different access IDs under each tenant.

To assign a user as a tenant admin, the current logged-in user must have Ozone cluster administrator or tenant delegated administrator privilege, run ozone tenant user assignadmin <ACCESS_ID> [-d|--delegated] --tenant=<TENANT_NAME>

Listing users in a tenant

To list users in a tenant, run ozone tenant user list [--json] <TENANT_NAME>

Getting tenant user info

To get tenant user’s information, run ozone tenant user info [--json] <USER_NAME>

Revoking a tenant admin

To revoke a tenant admin, run ozone tenant [--verbose] user revokeadmin <ACCESS_ID>

Revoking user access from a tenant

To revoke the user access from a tenant, run ozone tenant [--verbose] user revoke <ACCESS_ID>

Deleting a tenant

The tenant must be empty and all admin user access revoked before deleting a tenant. This is a safety design to ensure that even if a tenant is deleted, the volume created for the tenant is intact.

To delete a tenant, run ozone tenant [--verbose] delete <TENANT_NAME>