4 title: User management at the CLI
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
15 ARVADOS_API_HOST={{ site.arvados_api_host }}
16 ARVADOS_API_TOKEN=1234567890qwertyuiopasdfghjklzxcvbnm1234567890zzzz
19 In these examples, @zzzzz-tpzed-3kz0nwtjehhl0u4@ is the sample user account. Replace with the uuid of the user you wish to manipulate.
21 See "user management":{{site.baseurl}}/admin/user-management.html for an overview of how to use these commands.
25 This creates a default git repository and VM login. Enables user to self-activate using Workbench.
28 <pre><code>$ <span class="userinput">arv user setup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
36 <pre><code>$ <span class="userinput">arv user unsetup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
41 When deactivating a user, you may also want to "reassign ownership of their data":{{site.baseurl}}/admin/reassign-ownership.html .
43 h3(#activate-user). Directly activate user
46 <pre><code>$ <span class="userinput">arv user update --uuid "zzzzz-tpzed-3kz0nwtjehhl0u4" --user '{"is_active":true}'</span>
50 Note: this bypasses user agreements checks, and does not set up the user with a default git repository or VM login.
52 h3(#create-token). Create a token for a user
54 As an admin, you can create tokens for other users.
57 <pre><code>$ <span class="userinput">arv api_client_authorization create --api-client-authorization '{"owner_uuid": "zzzzz-tpzed-fr97h9t4m5jffxs"}'</span>
59 "href":"/api_client_authorizations/zzzzz-gj3su-yyyyyyyyyyyyyyy",
60 "kind":"arvados#apiClientAuthorization",
61 "etag":"9yk144t0v6cvyp0342exoh2vq",
62 "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
63 "owner_uuid":"zzzzz-tpzed-fr97h9t4m5jffxs",
64 "created_at":"2020-03-12T20:36:12.517375422Z",
65 "modified_by_client_uuid":null,
66 "modified_by_user_uuid":null,
70 "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
71 "created_by_ip_address":null,
72 "default_owner_uuid":null,
75 "last_used_by_ip_address":null,
82 To get the token string, combine the values of @uuid@ and @api_token@ in the form "v2/$uuid/$api_token". In this example the string that goes in @ARVADOS_API_TOKEN@ would be:
85 ARVADOS_API_TOKEN=v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
88 h3(#delete-token). Delete a single token
90 As a user or admin, if you need to revoke a specific, known token, for example a token that may have been leaked to an unauthorized party, you can delete it at the command line.
92 First, determine the token UUID. If it is a "v2" format token (starts with "v2/") then the token UUID is middle section between the two slashes. For example:
95 v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
98 the UUID is "zzzzz-gj3su-yyyyyyyyyyyyyyy" and you can skip to the next step.
100 If you have a "bare" token (only the secret part) then, as an admin, you need to query the token to get the uuid:
103 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv --format=uuid api_client_authorization current
104 zzzzz-gj3su-yyyyyyyyyyyyyyy
107 Now you can delete the token:
110 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization delete --uuid zzzzz-gj3su-yyyyyyyyyyyyyyy
113 h3(#delete-all-tokens). Delete all tokens belonging to a user
115 First, "obtain a valid token for the user.":#create-token
117 Then, use that token to get all the user's tokens, and delete each one:
120 $ ARVADOS_API_TOKEN=xxxxtoken-belonging-to-user-whose-tokens-will-be-deletedxxxxxxxx ; \
121 for uuid in $(arv --format=uuid api_client_authorization list) ; do \
122 arv api_client_authorization delete --uuid $uuid ; \
126 h2. Adding Permissions
128 h3(#vm-login). VM login
130 Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@ and make sure that @$target_username@ is a member of the @docker@ group
133 user_uuid=xxxxxxxchangeme
134 vm_uuid=xxxxxxxchangeme
135 target_username=xxxxxxxchangeme
137 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
139 "tail_uuid":"$user_uuid",
140 "head_uuid":"$vm_uuid",
141 "link_class":"permission",
143 "properties":{"username":"$target_username", "groups": [ "docker" ]}
150 Give @$user_uuid@ permission to commit to @$repo_uuid@ as @$repo_username@
153 user_uuid=xxxxxxxchangeme
154 repo_uuid=xxxxxxxchangeme
155 repo_username=xxxxxxxchangeme
157 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
159 "tail_uuid":"$user_uuid",
160 "head_uuid":"$repo_uuid",
161 "link_class":"permission",
163 "properties":{"username":"$repo_username"}