summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
7885ae2)
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward@curii.com>
-Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@
+Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@ and make sure that @$target_username@ is a member of the @docker@ group
<pre>
user_uuid=xxxxxxxchangeme
<pre>
user_uuid=xxxxxxxchangeme
"head_uuid":"$vm_uuid",
"link_class":"permission",
"name":"can_login",
"head_uuid":"$vm_uuid",
"link_class":"permission",
"name":"can_login",
-"properties":{"username":"$target_username"}
+"properties":{"username":"$target_username", "groups": [ "docker" ]}
* @owner_uuid@ of the system user.
* @link_class@ "permission"
* @owner_uuid@ of the system user.
* @link_class@ "permission"
-* @name@ one of *can_read*, *can_write* or *can_manage*
+* @name@ one of *can_read*, *can_write*, *can_manage* or *can_login*
* @head_uuid@ of some Arvados object
* @tail_uuid@ of a User or Group. For Group, the @group_class@ must be a "role".
* @head_uuid@ of some Arvados object
* @tail_uuid@ of a User or Group. For Group, the @group_class@ must be a "role".
If a User has *can_manage* permission on some object, the user has the ability to read, create, update and delete permission links with @head_uuid@ of the managed object. In other words, the user has the ability to modify the permission grants on the object.
If a User has *can_manage* permission on some object, the user has the ability to read, create, update and delete permission links with @head_uuid@ of the managed object. In other words, the user has the ability to modify the permission grants on the object.
+The *can_login* @name@ is only meaningful on a permission link with with @tail_uuid@ a user UUID and @head_uuid@ a Virtual Machine UUID. A permission link of this type gives the user UUID permission to log into the Virtual Machine UUID. The username for the VM is specified in the @properties@ field. Group membership can be specified that way as well, optionally. See the "VM login section on the CLI cheat sheet":/install/cheat_sheet.html#vm-login for an example.
+
h3. Transitive permissions
Permissions can be obtained indirectly through nested ownership (*can_manage*) or by following multiple permission links.
h3. Transitive permissions
Permissions can be obtained indirectly through nested ownership (*can_manage*) or by following multiple permission links.