Enterprise Multi-Tenancy

SeaweedFS Enterprise adds native multi-tenancy so a single cluster can safely host workloads belonging to many isolated teams, customers, or environments. Each tenant sees only their own buckets, files, and Iceberg namespaces; cross-tenant access is denied at every surface — admin UI, filer HTTP, filer gRPC, S3, and Iceberg. Turning it on also enables role-based access control, per-tenant byte quotas, and audit logging. When the feature flag is off, the cluster behaves exactly like OSS SeaweedFS — zero impact on deployments that don’t opt in.

When to use it

  • Shared infrastructure, separated tenants — consolidate multiple teams or customers onto one cluster without the risk of accidental cross-access.
  • SaaS multi-tenant hosting — map each customer to a tenant; their S3 credentials carry the tenant ID, and per-customer quotas drive billing.
  • Environment separation — run dev, staging, and prod as tenants on one cluster, with different roles per environment.
  • Data lakes with read-only analyst groups — give analysts auditor access and pipeline service accounts tenant-user.
  • Kubernetes isolation — scope a per-namespace mount to /tenants/<ns>/ so pods can’t reach another namespace’s data.

How to use it

  1. Enable the feature flag in filer.toml ([filer.enterprise.multi_tenancy] enabled = true) and turn on audit logging, then restart the filer.
  2. Bootstrap a platform admin in weed shell: platform.bootstrap -id alice -password "..." -name "Alice Admin".
  3. Create a tenant with a quota: tenant.create -id acme -name "Acme Corp" -quota-bytes-hard 10737418240.
  4. Attach a collection (becomes an S3 bucket of the same name): tenant.collection.add -tenant acme -name acme-data.
  5. Create users and bind roles: principal.create then binding.create -role tenant-admin -scope tenant:acme.

Users then sign in to the admin UI (local or OIDC), use S3 with tenant-stamped access keys, or weed mount with a JWT scoped to their /tenants/<id>/ subtree — every access checked against bindings and quotas.

Benefits

  • Least-privilege by default — four built-in roles (platform-admin, tenant-admin, tenant-user, auditor) plus custom roles, instead of per-path ACLs.
  • Billable, observable capacity — per-tenant byte quotas and counters make chargeback and capacity planning straightforward.
  • Compliance-ready audit trail — every mutation and enforcement decision is a structured JSON-Lines event, ready for SIEM.
  • One identity, every surface — a single principal works across the admin UI, filer, S3, and Iceberg.
  • Defense in depth — isolation enforced at HTTP, gRPC, S3, and the storage layer, not just one place.
  • Smooth adoption — legacy auth flags keep working, so you can roll out tenant by tenant; clusters with the flag off stay byte-compatible with OSS.

Want the internals — the access model, full config keys, the weed shell command catalog, quotas, JWT claim format, the operator cookbook, and troubleshooting? See the Multi-Tenancy technical reference.