# Multi-tenancy cluster-level administration

## Overview

Multi-tenancy cluster-level administration enables cluster administrators to isolate a single cluster into independent environments, each with its own network boundaries, resource limits, and security policies. This is essential for tenants that need to share infrastructure across multiple teams or business units while maintaining strict separation between them.

At the foundation of this model is the **network space**, a cluster-level construct that defines a logical network boundary using a VLAN ID and an IP address range. Network spaces serve as the building blocks for tenant isolation by providing dedicated datapath endpoints.

Once network spaces are established, **tenant environments** can be created around them. Each tenant has its own administrator, storage quota, and assigned network spaces. A single tenant can span multiple network spaces to support use cases such as separating data traffic from management services, accommodating clients on different VLANs, and enabling redundant network paths.

Administrators control the full tenant lifecycle (creation, configuration, and removal) and can adjust resource limits, security policies, and quality-of-service (QoS) settings at any time. All tasks in this topic require the **ClusterAdmin** role.

## Create a network space

A network space defines a cluster-level network boundary, including a VLAN ID and an IP range. After the administrator creates the network space, it can be assigned to a specific tenant to provide isolated datapath endpoints.

{% hint style="info" %}
The system uses an internal proxy with a default NAT subnet of **198.18.0.0/16**. This range reduces the likelihood of IP address conflicts in customer environments. Each network namespace receives an IP address allocated from this range. To use a different internal IP range, contact the [Customer Success Team](/support/getting-support-for-your-weka-system.md) to override the default.
{% endhint %}

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Network Spaces** tab and select **Create**.

   <div data-with-frame="true"><figure><img src="/files/zwXs1jRlPlTih5OZ2Z5B" alt=""><figcaption></figcaption></figure></div>
3. Provide network space details:
   * **Network Space Name:** Enter a unique name for the network space (for example, `Eng_net`).
   * **VLAN ID:** Enter the VLAN ID assigned to this network boundary (for example, `100`).
4. In the **IP Range** section, provide the following:
   1. **IP Range:** Enter the starting and ending IP addresses for the network space. If the UI shows a CIDR notation option, do not use it.
   2. **Netmask (Bits):** Provide the subnet mask bits (for example, `24`). Default: 16.
   3. **Gateway:** Provide an optional default gateway IP address to specify the routing exit point for traffic leaving the local network space. The gateway must be visible from all IPs in range.

<div data-with-frame="true"><figure><img src="/files/eLmUdJPcEArQ96xab8LH" alt=""><figcaption><p>Create network space by IP range</p></figcaption></figure></div>

5. Select **Save**.

#### CLI alternative

Use the following command to add a network space:

{% code overflow="wrap" %}

```bash
weka cluster network-space add <name> [--vlan vlan]
                                      [--range range]
                                      [--gateway gateway]
                                      [--netmask-bits netmask-bits]
```

{% endcode %}

**Parameters**

<table><thead><tr><th width="199">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code>*</td><td>Unique name for the network-space.</td></tr><tr><td><code>vlan</code></td><td>VLAN ID (1..4094) for tagged traffic.</td></tr><tr><td><code>range</code></td><td>Specific IP range allocated for this space.</td></tr><tr><td><code>gateway</code></td><td>Default gateway IP for the network-space.</td></tr><tr><td><code>netmask-bits</code></td><td>Subnet mask bits (1..32). Default: 16.</td></tr></tbody></table>
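A pre-flight check for planned network space values, as an added example (not WEKA code): it applies the VLAN and netmask bounds from the parameter table and flags IP ranges that collide with the default internal NAT subnet 198.18.0.0/16. The function name, the sample addresses, and the reading of "gateway visible from all IPs in range" as same-subnet membership are assumptions; IPv4 input is assumed.

```python
import ipaddress

# Default internal proxy NAT subnet stated on this page; change it if the default was overridden.
INTERNAL_NAT = ipaddress.ip_network("198.18.0.0/16")


def check_network_space(name, vlan, first_ip, last_ip, netmask_bits=16,
                        gateway=None, internal_nat=INTERNAL_NAT):
    """Return a list of problems in a planned network space (empty list means OK)."""
    problems = []
    if not 1 <= vlan <= 4094:
        problems.append(f"{name}: VLAN ID {vlan} is outside 1..4094")
    if not 1 <= netmask_bits <= 32:
        problems.append(f"{name}: netmask bits {netmask_bits} is outside 1..32")
        return problems  # the subnet cannot be derived, so stop here

    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    if first > last:
        problems.append(f"{name}: range start {first} is after range end {last}")
        first, last = last, first

    # Subnet implied by the first address and the netmask bits.
    subnet = ipaddress.ip_network(f"{first}/{netmask_bits}", strict=False)
    if last not in subnet:
        problems.append(f"{name}: {last} is outside {subnet}, the subnet of {first}")

    # Assumption: gateway visibility is checked as membership in the same subnet.
    if gateway is not None and ipaddress.ip_address(gateway) not in subnet:
        problems.append(f"{name}: gateway {gateway} is not inside {subnet}")

    # Compare the allocated addresses (not the whole subnet) with the NAT range.
    for block in ipaddress.summarize_address_range(first, last):
        if block.overlaps(internal_nat):
            problems.append(f"{name}: {block} overlaps internal NAT subnet {internal_nat}")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample plan: name, VLAN, first IP, last IP, netmask bits, gateway.
    plan = [
        ("Eng_net", 100, "10.10.1.10", "10.10.1.50", 24, "10.10.1.1"),
        ("Lab_net", 200, "198.18.5.10", "198.18.5.20", 24, None),
        ("Ops_net", 4095, "10.20.0.10", "10.20.0.40", 24, "10.20.1.1"),
    ]
    for entry in plan:
        for problem in check_network_space(*entry):
            print(problem)
```
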

## Edit a network space

Cluster administrators can update the network boundaries of an existing network space, such as changing the VLAN ID or adjusting the IP address pool. While you can modify networking parameters, the network space name remains fixed.

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Network Spaces** tab.
3. Locate the target network space, select the **Actions** menu (three vertical dots), and select **Edit**.<br>

   <div data-with-frame="true"><figure><img src="/files/xKBMIpxfQzdOWvW5U2Sh" alt=""><figcaption></figcaption></figure></div>
4. Modify the network space properties as needed. For detailed information on these fields, refer to the network space creation procedure:
   * Update the VLAN ID if required.
   * Modify the IP Range as described in the creation procedure.
   * Update the Gateway or Netmask (Bits) if the subnet routing or size has changed.
5. Click **Save**.

#### CLI alternative

Use the following command to update a network space by its ID:

{% code overflow="wrap" %}

```bash
weka cluster network-space update <id> [--name name]
                                       [--vlan vlan]
                                       [--range range]
                                       [--gateway gateway]
                                       [--netmask-bits netmask-bits]
```

{% endcode %}

**Parameters**

<table><thead><tr><th width="199">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>id</code>*</td><td>Network space id.</td></tr><tr><td><code>name</code></td><td>New name for the network-space.</td></tr><tr><td><code>vlan</code></td><td>New VLAN ID (1..4094) for tagged traffic.</td></tr><tr><td><code>range</code></td><td>New IP range for the network-space.</td></tr><tr><td><code>gateway</code></td><td>New default gateway IP for the network-space.</td></tr><tr><td><code>netmask-bits</code></td><td>New subnet mask bits (1..32). Default: 16.</td></tr></tbody></table>

## Remove a network space

Removing a network space permanently deletes its configuration from the cluster. Before proceeding, ensure that the network space is no longer assigned to any active tenants.

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Network Spaces** tab.
3. Locate the target Network Space, select the **Actions** menu (three vertical dots), and select **Edit**.
4. In the Remove Network Space dialog, enter the exact Network Space Name to confirm the action.<br>

   <div data-with-frame="true"><figure><img src="/files/gHZX0DJk8Xy8iGMlCYll" alt=""><figcaption><p>Remove network space</p></figcaption></figure></div>
5. Select **Confirm**.

#### CLI alternative

```bash
weka cluster network-space remove <name>
```

**Parameters**

<table><thead><tr><th width="199">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code></td><td>Network space name.</td></tr></tbody></table>

## Create a tenant environment

To establish a new tenant environment, the cluster administrator defines the tenant's identity, resource limits, and network boundaries. This procedure creates an isolated container where a designated tenant administrator manages their own filesystems, users, and security settings.

During creation, you can assign multiple network spaces to a single tenant. This capability allows you to:

* Separate data traffic from management services like LDAP or KMS.
* Support clients residing on different physical VLANs.
* Provide redundant network paths for high availability.

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Tenants** tab and select **Create**.<br>

   <div data-with-frame="true"><figure><img src="/files/f6GRzxpTYdRpgYKVS66n" alt=""><figcaption></figcaption></figure></div>
3. Configure the tenant properties:
   * **Tenant Name:** Enter a unique name for the tenant (for example, `Engineering`).
   * **Capacity Quota:** Toggle this to ON to limit the total storage capacity assigned to the tenant.
   * **Total Quota:** Enter the maximum capacity allowed and select the appropriate unit (for example, `300 GB`).
   * **Tenant Admin Username:** Enter the username for the tenant administrator (for example, `eng_tenant_admin`).
   * **Tenant Admin Password:** Enter and confirm a secure password for the tenant administrator.
   * **Network Spaces:** Select one or more predefined network spaces from the dropdown menu to assign them to the tenant.
   * **Enforce Filesystem Authentication:** Toggle this to ON to require user authentication for all filesystems created within this tenant.
   * **Enforce Network Space Access:** Toggle this to ON to restrict all mount operations to the assigned network space IP addresses.

<div data-with-frame="true"><figure><img src="/files/WnqwZrTH9Sexb3WPM95G" alt=""><figcaption></figcaption></figure></div>

4. Select **Save**.

#### CLI alternative

```bash
weka tenant add <name> <username> [--ssd-quota ssd-quota]
                                  [--total-quota total-quota]
                                  [--enforce-fs-authentication enforce-fs-authentication]
                                  [--enforce-mount-netspace-access enforce-mount-netspace-access]
                                  [--network-spaces network-spaces]...
```

{% hint style="info" %}
The CLI prompts for the password after you run the command.
{% endhint %}

**Parameters**

<table><thead><tr><th width="279">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>name</code>*</td><td>Tenant name.</td></tr><tr><td><code>username</code>*</td><td>Username of the tenant admin.</td></tr><tr><td><code>password</code>*</td><td>Password of the tenant admin.</td></tr><tr><td><code>ssd-quota</code></td><td>SSD quota. Supports decimal or binary units (for example, 1GB, 1GiB).</td></tr><tr><td><code>total-quota</code></td><td>Total quota; supports decimal or binary units (for example, 1TB, 1TiB).</td></tr><tr><td><code>enforce-fs-authentication</code></td><td>Forces every filesystem under this tenant to require authentication.</td></tr><tr><td><code>enforce-mount-netspace-access</code></td><td>Restricts mount requests to only those originating from the tenant's network space.</td></tr><tr><td><code>network-spaces</code>...</td><td>Network space names to assign (repeatable or comma-separated).</td></tr></tbody></table>

## Edit a tenant environment

To modify an existing tenant's resource limits, security configuration, or S3 defaults, use the **Edit Tenant** dialog. While a cluster administrator can update quotas, network settings, and tenant-level S3 settings, the Tenant Name, Tenant Admin Username, and password fields are fixed and cannot be modified once the tenant is created.

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Tenants** tab.
3. Locate the target tenant, select the **Actions** menu (three vertical dots), and select **Edit**.<br>

   <div data-with-frame="true"><figure><img src="/files/NKriYUrauXuuGNi8OgAr" alt=""><figcaption></figcaption></figure></div>
4. Modify the tenant properties as needed. For detailed information on these fields, refer to the tenant creation procedure:

   * Tenant Name
   * Capacity Quota and Total Quota
   * Network Spaces
   * Enforce Filesystem Authentication
   * Enforce Network Space Access
   * **S3 settings:** Set the tenant-specific S3 defaults:
     * **Default filesystem:** Filesystem used when a bucket is created through the S3 API without an explicit filesystem.
     * **Anonymous UID/GID:** POSIX identity assigned to anonymous or public S3 access for this tenant.

   <div data-with-frame="true"><figure><img src="/files/wK6MLBqhYd6QsW71bKsT" alt=""><figcaption><p>Edit tenant</p></figcaption></figure></div>
5. Click **Save**.

{% hint style="info" %}
These settings extend the existing S3 defaults to the tenant scope. Use them when different tenants require different bucket placement or anonymous identity mapping.
{% endhint %}

#### CLI alternative

**Add or remove network spaces for a tenant**

A network space must be created in advance by a ClusterAdmin. You cannot assign a non-existent network space.

{% code overflow="wrap" %}

```bash
weka tenant network-space add [--tenant tenant]
                              [<network-spaces>]...
```

{% endcode %}

```bash
weka tenant network-space remove [--tenant tenant]
                                 [<network-spaces>]...
```

**Parameters**

<table><thead><tr><th width="279">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>tenant</code>*</td><td>Tenant name (default: current user's tenant).</td></tr><tr><td><code>network-spaces</code>...</td><td>Network space names to add to or remove from a tenant (can be repeated or comma-separated).</td></tr></tbody></table>

**Update tenant quotas**

```bash
weka tenant set-quota <tenant> [--ssd-quota <ssd-quota>]
                               [--total-quota <total-quota>]
```

**Parameters**

<table><thead><tr><th width="198">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>tenant</code>*</td><td>Tenant name or ID.</td></tr><tr><td><code>ssd-quota</code></td><td>SSD quota: Capacity in decimal (for example, 1GB) or binary units (for example, 1GiB).</td></tr><tr><td><code>total-quota</code></td><td>Total quota: Capacity in decimal (for example, 1TB) or binary units (for example, 1TiB).</td></tr></tbody></table>

**Update tenant security options**

{% code overflow="wrap" %}

```bash
weka tenant update <tenant> [--enforce-fs-authentication enforce-fs-authentication]
                            [--enforce-mount-netspace-access enforce-mount-netspace-access]
```

{% endcode %}

**Parameters**

<table><thead><tr><th width="279">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>tenant</code>*</td><td>Tenant name or ID.</td></tr><tr><td><code>enforce-fs-authentication</code></td><td>Forces every filesystem under this tenant to require authentication.</td></tr><tr><td><code>enforce-mount-netspace-access</code></td><td>Restricts mount requests to only those originating from the tenant's network space.</td></tr></tbody></table>

## Remove a tenant

Deleting a tenant is a permanent action that removes the tenant and its associated configuration. Before proceeding, ensure that the tenant no longer contains active filesystems or S3 buckets.

#### **GUI procedure**

1. From the menu, select **Manage > Tenants**.
2. Select the **Tenants** tab.
3. Locate the target tenant, select the **Actions** menu (three vertical dots), and select **Edit**.
4. In the Remove Tenant dialog, enter the exact Tenant Name to confirm the action.<br>

   <div data-with-frame="true"><figure><img src="/files/wWxU8o62hbQhz2C9hrhR" alt=""><figcaption><p>Remove tenant</p></figcaption></figure></div>
5. Select **Confirm**.

#### CLI alternative

```bash
weka tenant remove <tenant>
```

{% hint style="info" %}
The CLI prompts for the password after you run the command.
{% endhint %}

## Manage tenant security policies

Tenant security operations are part of the broader security configuration and are documented in the *Security* section.

At a high level, the CLI enables the following tenant-level security tasks:

* List security policies assigned to a tenant.
* Set (replace) security policies for a tenant.
* Reset (remove all) security policies.
* Attach additional security policies.
* Detach specific security policies.
* Revoke all API tokens for a tenant.

These operations are performed using the `weka tenant security` command group.

**Related topic**

[Manage CIDR-based security policies](/security/manage-cidr-based-security-policies.md#manage-tenant-level-security-policies)

## Manage tenant quality of service

Modify a tenant's performance limits to control resource consumption and ensure quality of service across the cluster.

{% code overflow="wrap" %}

```bash
weka tenant set-qos <tenant> [--max-throughput max-throughput]
                             [--max-iops max-iops]
```

{% endcode %}

**Parameters**

<table><thead><tr><th width="220">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>tenant</code>*</td><td>The name or ID of the tenant.</td></tr><tr><td><code>max-throughput</code></td><td>The maximum total throughput allowed for the tenant per second. Use a number with capacity units in Decimal or Binary: for example, 200GiB or 500GB.</td></tr><tr><td><code>max-iops</code></td><td>The maximum total I/O operations allowed for the tenant per second. Use a number without units: for example, 500000.</td></tr></tbody></table>

## Configure tenant S3 settings

As a tenant administrator, you can configure dedicated S3 settings for a specific tenant. This includes defining a default filesystem for buckets created through the S3 API and assigning an anonymous POSIX User ID (UID) and Group ID (GID) for anonymous or public S3 access.

**Before you begin**

Ensure you are logged in with tenant administrator privileges.

#### **GUI procedure**

1. Select **Manage > Protocols**.
2. On the S3 Cluster Configuration page, select the plus (+) icon.
3. In the **Configure Tenant S3 Settings** dialog, configure the following fields:
   * **Default Filesystem:** Select the filesystem to use as a fallback when buckets are created through the S3 API.
   * **Anonymous Posix UID:** Enter the POSIX User ID to assign for identity mapping during anonymous or public S3 access. The default value is 65534.
   * **Anonymous Posix GID:** Enter the POSIX Group ID to assign for identity mapping during anonymous or public S3 access. The default value is 65534.
4. Select **Save**.

<div data-with-frame="true"><figure><img src="/files/xLW7UDqnHI6KdSReakgU" alt="" width="346"><figcaption><p>Configure tenant S3 settings</p></figcaption></figure></div>

#### CLI alternative

```bash
weka s3 cluster setup update [--default-fs-name default-fs-name]
                             [--anonymous-posix-uid anonymous-posix-uid]
                             [--anonymous-posix-gid anonymous-posix-gid]
```


