Multi-tenancy cluster-level administration

Manage cluster-level multi-tenancy by configuring network spaces and isolated tenant environments to define resource quotas and security policies.

Overview

Multi-tenancy cluster-level administration enables cluster administrators to isolate a single cluster into independent environments, each with its own network boundaries, resource limits, and security policies. This is essential for tenants that need to share infrastructure across multiple teams or business units while maintaining strict separation between them.

At the foundation of this model is the network space, a cluster-level construct that defines a logical network boundary using a VLAN ID and an IP address range. Network spaces serve as the building blocks for tenant isolation by providing dedicated datapath endpoints.

Once network spaces are established, tenant environments can be created around them. Each tenant has its own administrator, storage quota, and assigned network spaces. A single tenant can span multiple network spaces to support use cases such as separating data traffic from management services, accommodating clients on different VLANs, and enabling redundant network paths.

Administrators control the full tenant lifecycle (creation, configuration, and removal) and can adjust resource limits, security policies, and quality-of-service (QoS) settings at any time. All tasks in this topic require the ClusterAdmin role.

Create a network space

A network space defines a cluster-level network boundary, including a VLAN ID and an IP range. After the administrator creates the network space, it can be assigned to a specific tenant to provide isolated datapath endpoints.

The system uses an internal proxy with a default NAT subnet of 198.18.0.0/16. This range reduces the likelihood of IP address conflicts in customer environments. Each network namespace receives an IP address allocated from this range. To use a different internal IP range, contact the Customer Success Team to override the default.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Network Spaces tab and select Create.

  3. Provide network space details:

    • Network Space Name: Enter a unique name for the network space (for example, Eng_net).

    • VLAN ID: Enter the VLAN ID assigned to this network boundary (for example, 100).

  4. In the IP Range section, provide the following:

    1. IP Range: Enter the starting and ending IP addresses for the network space. If the UI shows a CIDR notation option, do not use it.

    2. Netmask (Bits): Provide the subnet mask bits (for example, 24). Default: 16.

    3. Gateway: Provide an optional default gateway IP address to specify the routing exit point for traffic leaving the local network space. The gateway must be visible from all IPs in range.

  5. Select Save.

CLI alternative

Use the following command to add a network space:

Parameters

  Parameter       Description
  name*           Unique name for the network-space.
  vlan            VLAN ID (1..4094) for tagged traffic.
  range           Specific IP range allocated for this space.
  gateway         Default gateway IP for the network-space.
  netmask-bits    Subnet mask bits (1..32). Default: 16.
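
The following pre-flight check is an added example, not part of the product or its CLI. It validates a proposed network space against the limits stated above (VLAN 1..4094, netmask bits 1..32, a start/end IP range, the 198.18.0.0/16 internal NAT subnet). The function names, the reading of "visible from all IPs in range" as "gateway in the same subnet", and the no-overlap rule between network spaces are assumptions.

```python
import ipaddress

# Default internal proxy NAT subnet named on this page.
INTERNAL_NAT = ipaddress.ip_network("198.18.0.0/16")

def overlaps(lo1, hi1, lo2, hi2):
    """True when two inclusive address intervals share at least one address."""
    return lo1 <= hi2 and lo2 <= hi1

def check_network_space(name, vlan, start, end, netmask_bits=16,
                        gateway=None, existing=()):
    """Return a list of problems with a proposed network space (empty = OK).

    existing: (name, start, end) tuples for spaces already defined (IPv4).
    """
    problems = []
    if not 1 <= vlan <= 4094:
        problems.append(f"VLAN ID {vlan} outside 1..4094")
    if not 1 <= netmask_bits <= 32:
        return problems + [f"netmask bits {netmask_bits} outside 1..32"]
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        return problems + ["range start is above range end"]
    # Subnet implied by the first address and the netmask bits.
    subnet = ipaddress.ip_network(f"{lo}/{netmask_bits}", strict=False)
    if hi not in subnet:
        problems.append(f"range end {hi} outside {subnet}")
    # Assumption: "visible from all IPs in range" means on-link in the subnet.
    if gateway is not None and ipaddress.IPv4Address(gateway) not in subnet:
        problems.append(f"gateway {gateway} not in {subnet}")
    if overlaps(lo, hi, INTERNAL_NAT[0], INTERNAL_NAT[-1]):
        problems.append(f"range overlaps internal NAT subnet {INTERNAL_NAT}")
    for other, o_start, o_end in existing:
        if other == name:
            problems.append(f"name {name!r} already in use")
        # Assumption: spaces should not share addresses, to keep tenants apart.
        if overlaps(lo, hi, ipaddress.IPv4Address(o_start),
                    ipaddress.IPv4Address(o_end)):
            problems.append(f"range overlaps network space {other!r}")
    return problems

# Constructed sample inventory and proposals (not taken from a real cluster).
EXISTING = [("Eng_net", "10.20.0.10", "10.20.0.50")]
GOOD = check_network_space("Fin_net", 200, "10.30.1.10", "10.30.1.60", 24,
                           "10.30.1.1", EXISTING)
BAD = check_network_space("Eng_net", 4095, "10.20.0.40", "10.20.1.5", 24,
                          "10.21.0.1", EXISTING)
if __name__ == "__main__":
    print(GOOD, BAD, sep="\n")
```
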

Edit a network space

Cluster administrators can update the network boundaries of an existing network space, such as changing the VLAN ID or adjusting the IP address pool. While you can modify networking parameters, the network space name remains fixed.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Network Spaces tab.

  3. Locate the target network space, select the Actions menu (three vertical dots), and select Edit.

  4. Modify the network space properties as needed. For detailed information on these fields, refer to the network space creation procedure:

    • Update the VLAN ID if required.

    • Modify the IP Range as described in the creation procedure.

    • Update the Gateway or Netmask (Bits) if the subnet routing or size has changed.

  5. Click Save.

CLI alternative

Use the following command to update a network space by its ID:

Parameters

  Parameter       Description
  id*             Network space id.
  name            New name for the network-space.
  vlan            New VLAN ID (1..4094) for tagged traffic.
  range           New IP range for the network-space.
  gateway         New default gateway IP for the network-space.
  netmask-bits    New subnet mask bits (1..32). Default: 16.

Remove a network space

Removing a network space permanently deletes its configuration from the cluster. Before proceeding, ensure that the network space is no longer assigned to any active tenants.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Network Spaces tab.

  3. Locate the target Network Space, select the Actions menu (three vertical dots), and select Edit.

  4. In the Remove Network Space dialog, enter the exact Network Space Name to confirm the action.

  5. Select Confirm.

CLI alternative

Parameters

  Parameter       Description
  name            Network space name.

Create a tenant environment

To establish a new tenant environment, the cluster administrator defines the tenant's identity, resource limits, and network boundaries. This procedure creates an isolated container where a designated tenant administrator manages their own filesystems, users, and security settings.

During creation, you can assign multiple network spaces to a single tenant. This capability allows you to:

  • Separate data traffic from management services like LDAP or KMS.

  • Support clients residing on different physical VLANs.

  • Provide redundant network paths for high availability.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Tenants tab and select Create.

  3. Configure the tenant properties:

    • Tenant Name: Enter a unique name for the tenant (for example, Engineering).

    • Capacity Quota: Toggle this to ON to limit the total storage capacity assigned to the tenant.

    • Total Quota: Enter the maximum capacity allowed and select the appropriate unit (for example, 300 GB).

    • Tenant Admin Username: Enter the username for the tenant administrator (for example, eng_tenant_admin).

    • Tenant Admin Password: Enter and confirm a secure password for the tenant administrator.

    • Network Spaces: Select one or more predefined network spaces from the dropdown menu to assign them to the tenant.

    • Enforce Filesystem Authentication: Toggle this to ON to require user authentication for all filesystems created within this tenant.

    • Enforce Network Space Access: Toggle this to ON to restrict all mount operations to the assigned network space IP addresses.

  4. Select Save.

CLI alternative

The CLI prompt requires the password after running the command.

Parameters

  Parameter                        Description
  name*                            Tenant name.
  username*                        Username of the tenant admin.
  password*                        Password of the tenant admin.
  ssd-quota                        SSD quota. Supports decimal or binary units (for example, 1GB, 1GiB).
  total-quota                      Total quota. Supports decimal or binary units (for example, 1TB, 1TiB).
  enforce-fs-authentication        Forces every filesystem under this tenant to require authentication.
  enforce-mount-netspace-access    Restricts mount requests to only those originating from the tenant's network space.
  network-spaces...                Network space names to assign (repeatable or comma-separated).

Edit a tenant environment

To modify an existing tenant's resource limits or security configurations, use the Edit Tenant dialog. While a cluster administrator can update quotas and network settings, the Tenant Name, Tenant Admin Username, and password fields are fixed and cannot be modified once the tenant is created.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Tenants tab.

  3. Locate the target tenant, select the Actions menu (three vertical dots), and select Edit.

  4. Modify the tenant properties as needed. For detailed information on these fields, refer to the tenant creation procedure:

    • Tenant Name

    • Capacity Quota and Total Quota

    • Network Spaces

    • Enforce Filesystem Authentication

    • Enforce Network Space Access

  5. Click Save.

CLI alternative

Add or remove network spaces for a tenant

A network space must be created in advance by a ClusterAdmin. You cannot assign a non-existent network space.

Parameters

  Parameter            Description
  tenant*              Tenant name (default: current user's tenant).
  network-spaces...    Network space names to add to or remove from a tenant (can be repeated or comma-separated).

Update tenant quotas

Parameters

  Parameter      Description
  tenant*        Tenant name or ID.
  ssd-quota      SSD quota: Capacity in decimal (for example, 1GB) or binary units (for example, 1GiB).
  total-quota    Total quota: Capacity in decimal (for example, 1TB) or binary units (for example, 1TiB).

Update tenant security options

Parameters

  Parameter                        Description
  tenant*                          Tenant name or ID.
  enforce-fs-authentication        Forces every filesystem under this tenant to require authentication.
  enforce-mount-netspace-access    Restricts mount requests to only those originating from the tenant's network space.

Remove a tenant

Deleting a tenant is a permanent action that removes the tenant and its associated configuration. Before proceeding, ensure that the tenant no longer contains active filesystems or S3 buckets.

GUI procedure

  1. From the menu, select Manage > Tenants.

  2. Select the Tenants tab.

  3. Locate the target tenant, select the Actions menu (three vertical dots), and select Edit.

  4. In the Remove Tenant dialog, enter the exact Tenant Name to confirm the action.

  5. Select Confirm.

CLI alternative

The CLI prompt requires the password after running the command.

Manage tenant security policies

Tenant security operations are part of the broader security configuration and are documented in the Security section.

At a high level, the CLI enables the following tenant-level security tasks:

  • List security policies assigned to a tenant.

  • Set (replace) security policies for a tenant.

  • Reset (remove all) security policies.

  • Attach additional security policies.

  • Detach specific security policies.

  • Revoke all API tokens for a tenant.

These operations are performed using the weka tenant security command group.

Related topic

Manage tenant-level security policies

Manage tenant quality of service

Modify a tenant's performance limits to control resource consumption and ensure quality of service across the cluster.

Parameters

  Parameter         Description
  tenant*           The name or ID of the tenant.
  max-throughput    The maximum total throughput allowed for the tenant per second. Use a number with capacity units in decimal or binary: for example, 200GiB or 500GB.
  max-iops          The maximum total I/O operations allowed for the tenant per second. Use a number without units: for example, 500000.
