projects / arvados.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch '17151-system-token-validation'
[arvados.git] / doc / admin / user-management-cli.html.textile.liquid
1 ---
2 layout: default
3 navsection: admin
4 title: User management at the CLI
5 ...
6 {% comment %}
7 Copyright (C) The Arvados Authors. All rights reserved.
8
9 SPDX-License-Identifier: CC-BY-SA-3.0
10 {% endcomment %}
11
12 Initial setup
13
14 <pre>
15 ARVADOS_API_HOST={{ site.arvados_api_host }}
16 ARVADOS_API_TOKEN=1234567890qwertyuiopasdfghjklzxcvbnm1234567890zzzz
17 </pre>
18
19 In these examples, @zzzzz-tpzed-3kz0nwtjehhl0u4@ is the sample user account.  Replace with the uuid of the user you wish to manipulate.
20
21 See "user management":{{site.baseurl}}/admin/activation.html for an overview of how to use these commands.
22
23 h3. Setup a user
24
25 This creates a default git repository and VM login.  Enables user to self-activate using Workbench.
26
27 <notextile>
28 <pre><code>$ <span class="userinput">arv user setup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
29 </code></pre>
30 </notextile>
31
32
33 h3. Deactivate user
34
35 <notextile>
36 <pre><code>$ <span class="userinput">arv user unsetup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4</span>
37 </code></pre>
38 </notextile>
39
40
41 When deactivating a user, you may also want to "reassign ownership of their data":{{site.baseurl}}/admin/reassign-ownership.html .
42
43 h3. Directly activate user
44
45 <notextile>
46 <pre><code>$ <span class="userinput">arv user update --uuid "zzzzz-tpzed-3kz0nwtjehhl0u4" --user '{"is_active":true}'</span>
47 </code></pre>
48 </notextile>
49
50 Note: this bypasses user agreements checks, and does not set up the user with a default git repository or VM login.
51
52 h3(#create-token). Create a token for a user
53
54 As an admin, you can create tokens for other users.
55
56 <notextile>
57 <pre><code>$ <span class="userinput">arv api_client_authorization create --api-client-authorization '{"owner_uuid": "zzzzz-tpzed-fr97h9t4m5jffxs"}'</span>
58 {
59  "href":"/api_client_authorizations/zzzzz-gj3su-yyyyyyyyyyyyyyy",
60  "kind":"arvados#apiClientAuthorization",
61  "etag":"9yk144t0v6cvyp0342exoh2vq",
62  "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
63  "owner_uuid":"zzzzz-tpzed-fr97h9t4m5jffxs",
64  "created_at":"2020-03-12T20:36:12.517375422Z",
65  "modified_by_client_uuid":null,
66  "modified_by_user_uuid":null,
67  "modified_at":null,
68  "user_id":3,
69  "api_client_id":7,
70  "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
71  "created_by_ip_address":null,
72  "default_owner_uuid":null,
73  "expires_at":null,
74  "last_used_at":null,
75  "last_used_by_ip_address":null,
76  "scopes":["all"]
77 }
78 </code></pre>
79 </notextile>
80
81
82 To get the token string, combine the values of @uuid@ and @api_token@ in the form "v2/$uuid/$api_token".  In this example the string that goes in @ARVADOS_API_TOKEN@ would be:
83
84 <pre>
85 ARVADOS_API_TOKEN=v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
86 </pre>
87
88 h3(#delete-token). Delete a token
89
90 If you need to revoke a token, for example the token is leaked to an unauthorized party, you can delete the token at the command line.
91
92 1. First, determine the token UUID.  If it is a "v2" format token (starts with "v2/") then the token UUID is middle section between the two slashes.   For example:
93
94 <pre>
95 v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
96 </pre>
97
98 the UUID is "zzzzz-gj3su-yyyyyyyyyyyyyyy" and you can skip to the next step.
99
100 If you have a "bare" token (only the secret part) then, as an admin, you need to query the token to get the uuid:
101
102 <pre>
103 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization current
104 {
105  "href":"/api_client_authorizations/x33hz-gj3su-fk8nbj4byptz6ma",
106  "kind":"arvados#apiClientAuthorization",
107  "etag":"77wktnitqeelbgb4riv84zi2q",
108  "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
109  "owner_uuid":"zzzzz-tpzed-j8w1ymjsn4vf4v4",
110  "created_at":"2020-09-25T15:19:48.606984000Z",
111  "modified_by_client_uuid":null,
112  "modified_by_user_uuid":null,
113  "modified_at":null,
114  "user_id":3,
115  "api_client_id":1,
116  "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
117  "created_by_ip_address":null,
118  "default_owner_uuid":null,
119  "expires_at":null,
120  "last_used_at":null,
121  "last_used_by_ip_address":null,
122  "scopes":[
123   "all"
124  ]
125 }
126 </pre>
127
128 2. Now use the token to delete itself:
129
130 <pre>
131 $ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization delete --uuid zzzzz-gj3su-yyyyyyyyyyyyyyy
132 </pre>
133
134 h2. Adding Permissions
135
136 h3. VM login
137
138 Give @$user_uuid@ permission to log in to @$vm_uuid@ as @$target_username@
139
140 <pre>
141 user_uuid=xxxxxxxchangeme
142 vm_uuid=xxxxxxxchangeme
143 target_username=xxxxxxxchangeme
144
145 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
146 {
147 "tail_uuid":"$user_uuid",
148 "head_uuid":"$vm_uuid",
149 "link_class":"permission",
150 "name":"can_login",
151 "properties":{"username":"$target_username"}
152 }
153 EOF
154 </pre>
155
156 h3. Git repository
157
158 Give @$user_uuid@ permission to commit to @$repo_uuid@ as @$repo_username@
159
160 <pre>
161 user_uuid=xxxxxxxchangeme
162 repo_uuid=xxxxxxxchangeme
163 repo_username=xxxxxxxchangeme
164
165 read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
166 {
167 "tail_uuid":"$user_uuid",
168 "head_uuid":"$repo_uuid",
169 "link_class":"permission",
170 "name":"can_write",
171 "properties":{"username":"$repo_username"}
172 }
173 EOF
174 </pre>