Multi-tenancy is a function that allows the resources of a large storage system to be distributed to and shared by multiple tenants (companies and divisions).
The multi-tenancy function of VSP One SDS Block is intended for cases where a company-owned storage system is shared by multiple departments. A storage system distributed to each tenant by the multi-tenancy function is called a VPS (Virtual Private Storage).
The system configuration visible to a VPS administrator is limited to the area that the VPS administrator belongs to.
VPS administrator
An administrator who manages a VPS in a multi-tenancy configuration is called a VPS administrator.
Each VPS is created by a system administrator. VPS administrators can use storage software functions under the defined conditions.
After VPS creation, assign tasks for system administrators and VPS administrators as follows.
Where resources belong | Category | Administrator in charge |
---|---|---|
System (outside of a VPS) | | System administrator |
Within a VPS | Normal operation | VPS administrator |
Within a VPS | Abnormal operation | System administrator and VPS administrator (acting cooperatively) |
Roles for VPS administrators
The roles VpsSecurity, VpsStorage, and VpsMonitor are provided for VPS administrators.
The following table shows the main operations of VPS administrators for each role.
Role | Main operations to be performed |
---|---|
VpsSecurity | Administrators with this role manage users within a VPS they are in charge of. VPS administrators with this role can perform management operations for users, user groups, or sessions as required for a security administrator. Also, the administrators can reference the external authentication server settings necessary for setting users and user groups within a VPS. |
VpsStorage | Administrators with this role manage capacity within a VPS they are in charge of. VPS administrators with this role can perform management operations for the following resources as required for a security administrator. |
VpsMonitor | VPS administrators with this role can obtain information about the following resources in a VPS they are in charge of. |
Resources that can be created and where they belong
Resources that can be created in a VPS are listed further on in this section. Created resources belong to the same VPS as the user who created the resources. The resources are given the ID and attribute of the VPS to which they belong.
- Volume (including snapshot volumes)
- Compute node
- Allocating volumes to a compute node (volume path)
- Access path for a compute node (compute node path)
- Initiator
- User
- User group
- Session
When VPS administrators are managed on a group basis on the external authentication server, a user can belong to multiple VPSs. In such a case, the VPS ID is "(multiVpsMembership)." If a user whose VPS ID is "(multiVpsMembership)" performs management operations, it is necessary to specify the ID of the VPS to which the operation-target resource belongs to identify the VPS to be accessed.
Scope
A scope is used to specify the range of resources you can operate. A scope is set for user groups, and a user's scope is determined by which user group they belong to.
By default, the scope of user groups for VPS administrators is set with the VPS to which a user who created the VPS belongs.
An increase in the number of VPSs to which users belong affects the operation performance of the REST API or CLI. For this reason, when users are managed on a group basis on an external authentication server, allocate only the minimum number of VPSs necessary for operation to the scope of user groups.
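
The scope rules above and the "(multiVpsMembership)" case, modeled as an added example (not VSP One SDS Block code, nor its REST API or CLI). The group names, VPS IDs, function names, and the rule that a user's scope is the union of their groups' scopes are assumptions made for illustration.

```python
# Illustrative model only; not the product's code, REST API or CLI.
MULTI = "(multiVpsMembership)"  # VPS ID string quoted in the text above

# Constructed sample data (hypothetical names): scope per user group, and
# group membership as it might be resolved from an external auth server.
GROUP_SCOPE = {
    "vps-a-admins": {"vps-a"},
    "vps-b-admins": {"vps-b"},
    "shared-ops": {"vps-a", "vps-b", "vps-c"},
}
USER_GROUPS = {
    "alice": ["vps-a-admins"],
    "bob": ["vps-a-admins", "vps-b-admins"],
    "carol": ["shared-ops"],
}

def effective_scope(user):
    """Assumed rule: union of the scopes of every group the user is in."""
    scope = set()
    for group in USER_GROUPS.get(user, []):
        scope |= GROUP_SCOPE.get(group, set())
    return scope

def vps_id_of(user):
    """One VPS in scope gives that ID; several give the multi marker."""
    scope = effective_scope(user)
    if not scope:
        return None
    return MULTI if len(scope) > 1 else next(iter(scope))

def resolve_target(user, requested_vps=None):
    """Return the VPS an operation applies to, or refuse the request."""
    scope = effective_scope(user)
    if requested_vps is None:
        if len(scope) != 1:
            raise ValueError(f"{user}: target VPS ID must be specified")
        return next(iter(scope))
    if requested_vps not in scope:
        raise PermissionError(f"{user}: {requested_vps} is out of scope")
    return requested_vps

def over_scoped(max_vps=1):
    """Users whose scope spans more VPSs than the review threshold."""
    return sorted(u for u in USER_GROUPS if len(effective_scope(u)) > max_vps)

if __name__ == "__main__":
    for name in USER_GROUPS:
        print(name, vps_id_of(name), sorted(effective_scope(name)))
    print("review:", over_scoped())
```

Running `over_scoped()` against a real export of group-to-scope mappings gives a review list for the "minimum number of VPSs" recommendation.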