doc/admin/user-management-cli.html.textile.liquid

   1 ---
   2 layout: default
   3 navsection: admin
   4 title: User management at the CLI
   5 ...
   6 {% comment %}
   7 Copyright (C) The Arvados Authors. All rights reserved.
   8
   9 SPDX-License-Identifier: CC-BY-SA-3.0
  10 {% endcomment %}
  11
  12 Initial setup
  13
  14 <pre>
  15 ARVADOS_API_HOST={{ site.arvados_api_host }}
  16 ARVADOS_API_TOKEN=1234567890qwertyuiopasdfghjklzxcvbnm1234567890zzzz
  17 </pre>
  18
  19 In these examples, @zzzzz-tpzed-3kz0nwtjehhl0u4@ is the sample user account.  Replace with the uuid of the user you wish to manipulate.
  20
  21 See "user management":{{site.baseurl}}/admin/activation.html for an overview of how to use these commands.
  22
  23 h3. Setup a user
  24
  25 This creates a default git repository and VM login.  Enables user to self-activate using Workbench.
  26
  27 <notextile>
  28 <pre><code>$ <span class="userinput">arv user setup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
  29 </code></pre>
  30 </notextile>
  31
  32
  33 h3. Deactivate user
  34
  35 <notextile>
  36 <pre><code>$ <span class="userinput">arv user unsetup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
  37 </code></pre>
  38 </notextile>
  39
  40
  41 When deactivating a user, you may also want to "reassign ownership of their data":{{site.baseurl}}/admin/reassign-ownership.html .
  42
  43 h3. Directly activate user
  44
  45 <notextile>
  46 <pre><code>$ <span class="userinput">arv user update --uuid "zzzzz-tpzed-3kz0nwtjehhl0u4" --user '{"is_active":true}'</span>
  47 </code></pre>
  48 </notextile>
  49
  50 Note: this bypasses user agreements checks, and does not set up the user with a default git repository or VM login.
  51
  52 h3(#create-token). Create a token for a user
  53
  54 As an admin, you can create tokens for other users.
  55
  56 <notextile>
  57 <pre><code>$ <span class="userinput">arv api_client_authorization create --api-client-authorization '{"owner_uuid": "zzzzz-tpzed-fr97h9t4m5jffxs"}'</span>
  58 {
  59  "href":"/api_client_authorizations/zzzzz-gj3su-yyyyyyyyyyyyyyy",
  60  "kind":"arvados#apiClientAuthorization",
  61  "etag":"9yk144t0v6cvyp0342exoh2vq",
  62  "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
  63  "owner_uuid":"zzzzz-tpzed-fr97h9t4m5jffxs",
  64  "created_at":"2020-03-12T20:36:12.517375422Z",
  65  "modified_by_client_uuid":null,
  66  "modified_by_user_uuid":null,
  67  "modified_at":null,
  68  "user_id":3,
  69  "api_client_id":7,
  70  "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  71  "created_by_ip_address":null,
  72  "default_owner_uuid":null,
  73  "expires_at":null,
  74  "last_used_at":null,
  75  "last_used_by_ip_address":null,
  76  "scopes":["all"]
  77 }
  78 </code></pre>
  79 </notextile>
  80
  81
  82 To get the token string, combine the values of @uuid@ and @api_token@ in the form "v2/$uuid/$api_token".  In this example the string that goes in @ARVADOS_API_TOKEN@ would be:
  83
  84 <pre>
  85 ARVADOS_API_TOKEN=v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  86 </pre>
  87
  88 h3(#delete-token). Delete a token
  89
  90 If you need to revoke a token, for example the token is leaked to an unauthorized party, you can delete the token at the command line.
  91
  92 1. First, determine the token UUID.  If it is a "v2" format token (starts with "v2/") then the token UUID is middle section between the two slashes.   For example:
  93
  94 <pre>
  95 v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  96 </pre>
  97
  98 the UUID is "zzzzz-gj3su-yyyyyyyyyyyyyyy" and you can skip to the next step.
  99
 100 If you have a "bare" token (only the secret part) then, as an admin, you need to query the token to get the uuid:
 101
 102 <pre>
 103 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization current
 104 {
 105  "href":"/api_client_authorizations/x33hz-gj3su-fk8nbj4byptz6ma",
 106  "kind":"arvados#apiClientAuthorization",
 107  "etag":"77wktnitqeelbgb4riv84zi2q",
 108  "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
 109  "owner_uuid":"zzzzz-tpzed-j8w1ymjsn4vf4v4",
 110  "created_at":"2020-09-25T15:19:48.606984000Z",
 111  "modified_by_client_uuid":null,
 112  "modified_by_user_uuid":null,
 113  "modified_at":null,
 114  "user_id":3,
 115  "api_client_id":1,
 116  "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 117  "created_by_ip_address":null,
 118  "default_owner_uuid":null,
 119  "expires_at":null,
 120  "last_used_at":null,
 121  "last_used_by_ip_address":null,
 122  "scopes":[
 123   "all"
 124  ]
 125 }
 126 </pre>
 127
 128 2. Now use the token to delete itself:
 129
 130 <pre>
 131 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization delete --uuid zzzzz-gj3su-yyyyyyyyyyyyyyy
 132 </pre>
 133
 134 h2. Adding Permissions
 135
 136 h3. VM login
 137
 138 Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@
 139
 140 <pre>
 141 user_uuid=xxxxxxxchangeme
 142 vm_uuid=xxxxxxxchangeme
 143 target_username=xxxxxxxchangeme
 144
 145 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
 146 {
 147 "tail_uuid":"$user_uuid",
 148 "head_uuid":"$vm_uuid",
 149 "link_class":"permission",
 150 "name":"can_login",
 151 "properties":{"username":"$target_username"}
 152 }
 153 EOF
 154 </pre>
 155
 156 h3. Git repository
 157
 158 Give @$user_uuid@ permission to commit to @$repo_uuid@ as @$repo_username@
 159
 160 <pre>
 161 user_uuid=xxxxxxxchangeme
 162 repo_uuid=xxxxxxxchangeme
 163 repo_username=xxxxxxxchangeme
 164
 165 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
 166 {
 167 "tail_uuid":"$user_uuid",
 168 "head_uuid":"$repo_uuid",
 169 "link_class":"permission",
 170 "name":"can_write",
 171 "properties":{"username":"$repo_username"}
 172 }
 173 EOF
 174 </pre>