In these examples, @zzzzz-tpzed-3kz0nwtjehhl0u4@ is the sample user account. Replace with the uuid of the user you wish to manipulate.
-See "user management":{{site.baseurl}}/admin/activation.html for an overview of how to use these commands.
+See "user management":{{site.baseurl}}/admin/user-management.html for an overview of how to use these commands.
h3. Setup a user
When deactivating a user, you may also want to "reassign ownership of their data":{{site.baseurl}}/admin/reassign-ownership.html .
-h3. Directly activate user
+h3(#activate-user). Directly activate user
<notextile>
<pre><code>$ <span class="userinput">arv user update --uuid "zzzzz-tpzed-3kz0nwtjehhl0u4" --user '{"is_active":true}'</span>
"modified_by_client_uuid":null,
"modified_by_user_uuid":null,
"modified_at":null,
- "user_id":3,
"api_client_id":7,
"api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"created_by_ip_address":null,
- "default_owner_uuid":null,
"expires_at":null,
"last_used_at":null,
"last_used_by_ip_address":null,
ARVADOS_API_TOKEN=v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</pre>
-h2. Adding Permissions
+h3(#delete-token). Delete a single token
-h3. VM login
+As a user or admin, if you need to revoke a specific, known token, for example a token that may have been leaked to an unauthorized party, you can delete it at the command line.
-Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@
+First, determine the token UUID. If it is a "v2" format token (starts with "v2/") then the token UUID is middle section between the two slashes. For example:
<pre>
-user_uuid=xxxxxxxchangeme
-vm_uuid=xxxxxxxchangeme
-target_username=xxxxxxxchangeme
+v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+</pre>
-read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
-{
-"tail_uuid":"$user_uuid",
-"head_uuid":"$vm_uuid",
-"link_class":"permission",
-"name":"can_login",
-"properties":{"username":"$target_username"}
-}
-EOF
+the UUID is "zzzzz-gj3su-yyyyyyyyyyyyyyy" and you can skip to the next step.
+
+If you have a "bare" token (only the secret part) then, as an admin, you need to query the token to get the uuid:
+
+<pre>
+$ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv --format=uuid api_client_authorization current
+zzzzz-gj3su-yyyyyyyyyyyyyyy
</pre>
-h3. Git repository
+Now you can delete the token:
-Give @$user_uuid@ permission to commit to @$repo_uuid@ as @$repo_username@
+<pre>
+$ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization delete --uuid zzzzz-gj3su-yyyyyyyyyyyyyyy
+</pre>
+
+h3(#delete-all-tokens). Delete all tokens belonging to a user
+
+First, "obtain a valid token for the user.":#create-token
+
+Then, use that token to get all the user's tokens, and delete each one:
+
+<pre>
+$ ARVADOS_API_TOKEN=xxxxtoken-belonging-to-user-whose-tokens-will-be-deletedxxxxxxxx ; \
+for uuid in $(arv --format=uuid api_client_authorization list) ; do \
+arv api_client_authorization delete --uuid $uuid ; \
+done
+</pre>
+
+h2. Adding Permissions
+
+h3(#vm-login). VM login
+
+Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@ and make sure that @$target_username@ is a member of the @docker@ group
<pre>
user_uuid=xxxxxxxchangeme
-repo_uuid=xxxxxxxchangeme
-repo_username=xxxxxxxchangeme
+vm_uuid=xxxxxxxchangeme
+target_username=xxxxxxxchangeme
read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
{
"tail_uuid":"$user_uuid",
-"head_uuid":"$repo_uuid",
+"head_uuid":"$vm_uuid",
"link_class":"permission",
-"name":"can_write",
-"properties":{"username":"$repo_username"}
+"name":"can_login",
+"properties":{"username":"$target_username", "groups": [ "docker" ]}
}
EOF
</pre>
projects / arvados.git / blobdiff