This section explains how to enable, disable, and use network multitenancy in Qumulo Core.
In Qumulo Core 5.3.4 (and higher), network multitenancy lets you partition a single physical Qumulo cluster into multiple virtual tenants. You can define a tenant by using a name and one or more networks. When you assign a network to a tenant, Qumulo Core treats any client that connects from that network as part of that tenant. For more information, see Connecting to Multiple Virtual Networks in Qumulo Core.
For each tenant, you can specify individual management protocol access and configuration and file system protocol access and configuration.
All tenants share the cluster’s underlying file system, identity providers, role-based access control (RBAC) configuration, and other global settings.
Prerequisites
If your cluster runs a version of Qumulo Core lower than 6.1.0.3, you must use the qq multitenancy_enable command to enable multitenancy for your cluster.
To manage network multitenancy and tenants, your user must have membership in a Qumulo role with the following privileges.
- PRIVILEGE_NETWORK_READ: Viewing networks
- PRIVILEGE_NETWORK_WRITE: Assigning networks to tenants
- PRIVILEGE_TENANT_READ: Viewing tenants
- PRIVILEGE_TENANT_WRITE: Enabling network multitenancy and creating, modifying, and deleting tenants
Creating, Configuring, and Unassigning Tenants by Using the qq CLI
This section explains the lifecycle of working with tenants, including creating tenants, assigning networks to new and existing tenants, viewing tenant configuration, and unassigning tenants.
Creating a tenant and assigning a network to it causes the removal of any static routes from all nodes in a cluster. After creating the new tenant, you must reapply the static routes to your nodes.
Step 1: Create a New Tenant
After you enable multitenancy for your cluster, you can create a new tenant.
Run the qq multitenancy_create_tenant command and specify a name for your tenant. For example:
$ qq multitenancy_create_tenant \
--name my_tenant
Your cluster creates a new tenant with no networks assigned to it. By default, Qumulo Core disables access to the tenant through all protocols.
Step 2: Assign Networks to a Tenant
To allow a tenant to apply its configuration to clients that connect to the cluster from specific networks, you must associate the tenant with one or more networks. To do this, you can:
- Create a new tenant with networks assigned to it.
- Assign networks to, and unassign networks from, an existing tenant.
- Move networks between tenants.
Creating a New Tenant with Assigned Networks
Run the qq multitenancy_create_tenant command and specify the tenant name and network ID.
The network must not be assigned to another tenant already.
In the following example, we specify a single network.
$ qq multitenancy_create_tenant \
--name my_tenant_name \
--network-id 2
Assigning a Single Network to an Existing Tenant
To assign a single network to a tenant, modify the tenant that belongs to the network. Run the qq network_mod_network command and specify the network and tenant ID.
$ qq network_mod_network \
--network-id 3 \
--tenant-id 2
Assigning Multiple Networks to an Existing Tenant
To assign multiple networks to a tenant, modify the networks that belong to the tenant. Run the qq multitenancy_modify_tenant command and specify the tenant and network ID.
Any existing networks not specified after the --network-id flag become unassigned.
In the following example, we specify three networks.
$ qq multitenancy_modify_tenant \
--id 2 \
--network-id 2 3 4
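Because --network-id replaces the tenant's whole network list, a request that names only the network being added unassigns all the others. The following added example (not Qumulo's code) builds the full list and refuses a request that would drop networks. The function names and the --allow-unassign switch are hypothetical helpers, the current assignments are supplied by the operator, and the script only prints the qq command instead of running it.

```shell
#!/bin/sh
# Added example. IDs are passed in as arguments; nothing here contacts a cluster.

# only_ids "<string>": succeed if the string holds nothing but digits and spaces.
only_ids() {
    case $(printf '%s' "$1" | tr -d ' ') in *[!0-9]*) return 1 ;; esac
}

# merged_ids "<current>" "<to add>": union of both lists, sorted, duplicates removed.
merged_ids() {
    echo $(printf '%s\n' $1 $2 | sort -n -u)
}

# would_unassign "<current>" "<requested>": IDs assigned now but missing from the request.
would_unassign() {
    lost=""
    for id in $1; do
        case " $(echo $2) " in
            *" $id "*) ;;
            *) lost="$lost $id" ;;
        esac
    done
    echo $lost
}

# modify_cmd <tenant-id> "<current>" "<requested>" [--allow-unassign]
# Prints the command to run, or fails when the request would drop networks unintentionally.
modify_cmd() {
    case "$1" in ''|*[!0-9]*) echo "bad tenant ID" >&2; return 1 ;; esac
    only_ids "$2" && only_ids "$3" || { echo "bad network ID list" >&2; return 1; }
    dropped=$(would_unassign "$2" "$3")
    if [ -n "$dropped" ] && [ "${4:-}" != "--allow-unassign" ]; then
        echo "refusing: tenant $1 would lose networks: $dropped" >&2
        return 1
    fi
    echo qq multitenancy_modify_tenant --id "$1" --network-id $3
}

# Constructed scenario: tenant 2 currently holds networks 2 and 3; we want to add 4.
# modify_cmd 2 "2 3" "4"                       -> refused, 2 and 3 would be unassigned
# modify_cmd 2 "2 3" "$(merged_ids "2 3" "4")" -> prints the command with --network-id 2 3 4
```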
Unassigning a Single Network from a Tenant
To unassign a single network from a tenant, clear the tenant that belongs to the network. Run the qq network_mod_network command and specify the network and the --clear-tenant-id flag.
After you unassign a network from a tenant, you can assign it to another tenant.
$ qq network_mod_network \
--network-id 3 \
--clear-tenant-id
Unassigning All Networks from a Tenant
To unassign all networks from a tenant, clear the networks that belong to the tenant. Run the qq multitenancy_modify_tenant command and specify the tenant and network ID.
- After you unassign a network from a tenant, you can assign it to another tenant.
- Don't specify any arguments for the --network-id flag.
$ qq multitenancy_modify_tenant \
--id 2 \
--network-id
Moving Networks between Tenants
Run the qq network_mod_network command and specify the network and target tenant.
$ qq network_mod_network \
--network-id 2 \
--tenant-id 1
Step 3: View Tenant Information
To determine a tenant’s network assignments and enabled management and file system protocols, you can view the tenant information.
Viewing Information for a Single Tenant
To view the information for a single tenant, run the qq multitenancy_get_tenant command.
$ qq multitenancy_get_tenant \
--id 1
Viewing Information for All Tenants
- Log in to the Qumulo Core Web UI.
- Click Cluster > Network Multitenancy.
- In the qq CLI, run the qq multitenancy_list_tenants command.
Determining the Tenant Assignment for Networks
- To view the information for a single network, run the qq network_get_network command.
$ qq network_get_network \
--network-id 2
- To view the information for all networks, run the qq network_list_networks command.
Step 4: Delete a Tenant
- When you delete a tenant, Qumulo Core removes the tenant's entire configuration from your cluster, including NFS exports and SMB shares associated with the tenant.
- It isn't possible to delete the last tenant.
To delete a tenant, run the qq multitenancy_delete_tenant command and specify the tenant ID.
$ qq multitenancy_delete_tenant \
--id 2
Known Network Multitenancy Limitations in Qumulo Core
Currently, Qumulo Core doesn’t support:
- Creating or modifying tenants on cloud-based clusters
- Using one VLAN on multiple tenants
- Using a separate Active Directory, standalone LDAP, or user-defined mapping configuration for each tenant
- Using a separate DNS configuration for each tenant
- Scoping RBAC privileges to each tenant