Working with users

Modified: 22 Nov 2017 17:38 UTC

Users are login credentials that allow different people in your organization to log in to your Triton account. Sometimes we use the term subuser to emphasize that these users are subordinate to the account owner. User names must be unique within the scope of the account. If there is a Triton account named bigco and another one named littleco, both can have a user named contractor.

The subuser name anonymous is reserved to allow unrestricted access to resources. See The Anonymous User.

Subusers do not currently work with Docker instances. This functionality will be available in a future version of RBAC.

All of the CLI commands involving users are subcommands of the sdc-user command.

$ sdc-user help
SmartDC Account Users and SSH keys associated with them

Usage:
    sdc-user [OPTIONS] COMMAND [ARGS...]
    sdc-user help COMMAND

Options:
    -h, -?, --help         Print help and exit.
    --version              Print version and exit.
    -d, --debug            enable debug/verbose mode (default: disabled)
    -a ARG, --account=ARG  account name. Environment: SDC_ACCOUNT=ARG
    -A ARG, --user=ARG     account sub-user login. Environment: SDC_USER=ARG
    -u ARG, --url=ARG      url for SmartDataCenter API. Environment: SDC_URL=ARG
    -k ARG, --keyId=ARG    your ssh key fingerprint. Environment: SDC_KEY_ID=ARG

Commands:
    help (?)        Help on a specific sub-command.
    list            List your Account Users.
    get             Get an account User by id.
    create          Creates a new User for your account.
    change-password  Updates password for a User of your account.
    update          Updates a User of your account.
    delete          Removes a User from your account.
    keys            List SSH keys for the given user.
    key             Get a SSH key from your account.
    upload-key      Uploads a SSH key for an account User.
    delete-key      Removes the given account User SSH key.

Creating users

Use the sdc-user create command to create a user. You must provide at least

$ sdc-user create --login=maria --password=123secret --email=maria@example.com
{
  "id": "8e9fcc58-3240-4e33-d145-fad9d92c6822",
  "login": "maria",
  "email": "maria@example.com",
  "updated": "2014-07-17T15:32:48.029Z",
  "created": "2014-07-17T15:32:48.029Z"
}

To see a list of the other available fields, use the sdc-user create --help command.

$ sdc-user create --help
Creates a new User for your account.

Usage:
     sdc-user create [OPTIONS]

Options:
    --login=ARG        User login name (required)
    -h, -?, --help     Show this help.
    --name=ARG         User given name
    --surname=ARG      User surname
    --address=ARG      User address
    --city=ARG         User city
    --company=ARG      User company
    --country=ARG      User country
    --email=ARG        User email adress (required)
    --phone=ARG        User phone number
    --postal-code=ARG  User postal code
    --state=ARG        User state
    --password=ARG     User password (required)

Working with SSH keys

For many operations, the user will need an SSH key to access resources. Use sdc-user upload-key with the user's id, a name for the key, and the path to the public key file:

$ sdc-user upload-key 8e9fcc58-3240-4e33-d145-fad9d92c6822 --name=mariakey ~/.ssh/maria.pub
{
  "name": "mariakey",
  "fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
  "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
}

Use sdc-user key to get a specific user's key.

$ sdc-user key 8e9fcc58-3240-4e33-d145-fad9d92c6822 61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04
{
  "name": "mariakey",
  "fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
  "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
}

Use sdc-user keys to get a list of all the keys a user has. Maria has only one key.

$ sdc-user keys 8e9fcc58-3240-4e33-d145-fad9d92c6822
[
  {
    "name": "mariakey",
    "fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
  }
]
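The fingerprint sdc-user prints for a key is the MD5 of the decoded key blob, written as colon-separated hex pairs. The following added example (not part of the Triton CLI or this page) computes that fingerprint from a local OpenSSH public key line so you can confirm that the key you uploaded, and the SDC_KEY_ID you configure, really correspond to the file you meant; SAMPLE_KEY_LINE is a constructed line, not a real key.

```python
"""Verify an uploaded SSH key by recomputing its MD5 colon-hex fingerprint."""
import base64
import hashlib
import re

# Constructed sample: "YWJj" is base64 for b"abc", so this is not a usable key,
# but it has the '<type> <blob> <comment>' shape of a real public key line.
SAMPLE_KEY_LINE = "ssh-rsa YWJj maria@example.com\n"

_FP_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def md5_fingerprint(pubkey_line: str) -> str:
    """Return the 'aa:bb:...' MD5 fingerprint of an OpenSSH public key line.

    The line has the form '<type> <base64 blob> [comment]'; the fingerprint is
    the MD5 of the decoded blob, which is the format sdc-user reports.
    """
    parts = pubkey_line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not an OpenSSH public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if not blob:
        raise ValueError("empty key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def key_matches(pubkey_line: str, reported_fingerprint: str) -> bool:
    """True if the fingerprint in sdc-user's output belongs to this local key."""
    reported = reported_fingerprint.strip().lower()
    if not _FP_RE.match(reported):
        raise ValueError("expected an MD5 colon-hex fingerprint")
    return md5_fingerprint(pubkey_line) == reported


if __name__ == "__main__":
    fp = md5_fingerprint(SAMPLE_KEY_LINE)
    print("local fingerprint:", fp)
    print("matches sdc-user output:", key_matches(SAMPLE_KEY_LINE, fp))
```

Newer ssh-keygen versions print SHA256 fingerprints by default; use `ssh-keygen -l -E md5 -f key.pub` to see the MD5 form that matches sdc-user.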

Getting information about users

Use sdc-user list to list all of the users associated with your account.

$ sdc-user list
[
  {
    "id": "11a251a3-7548-66a2-f8e2-cfceb2941370",
    "login": "bob",
    "email": "bob@test.joyent.com",
    "updated": "2014-07-15T04:33:50.351Z",
    "created": "2014-07-15T04:33:50.351Z"
  },
. . .
]

If you have installed the json command-line tool, you can use it to produce a quick list of your users' login names and ids.

$ sdc-user list | json -a login id
bob 11a251a3-7548-66a2-f8e2-cfceb2941370
jill dcd08cdb-4341-e391-f6e8-e39d9ce6c488
maria 8e9fcc58-3240-4e33-d145-fad9d92c6822
romeo 43bc25a6-81f5-6a8f-8677-c098bdb53b7a

Use sdc-user get to get information about a user.

$ sdc-user get 8e9fcc58-3240-4e33-d145-fad9d92c6822
{
  "id": "8e9fcc58-3240-4e33-d145-fad9d92c6822",
  "login": "maria",
  "email": "maria@example.com",
  "updated": "2014-07-17T15:32:48.029Z",
  "created": "2014-07-17T15:32:48.029Z"
}

The --membership option lists all the roles that a user belongs to:

$ sdc-user get 11a251a3-7548-66a2-f8e2-cfceb2941370 --membership
{
  "id": "11a251a3-7548-66a2-f8e2-cfceb2941370",
  "login": "bob",
  "email": "bob@test.joyent.com",
  "roles": [
    "manager",
    "ops"
  ],
  "default_roles": [
    "manager"
  ],
  "updated": "2014-07-15T04:33:50.351Z",
  "created": "2014-07-15T04:33:50.351Z"
}

Changing user information

Use the sdc-user update command to change information about a user. For example, the user romeo doesn't have a city listed. Let's add one.

$ sdc-user get 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
{
  "id": "43bc25a6-81f5-6a8f-8677-c098bdb53b7a",
  "login": "romeo",
  "email": "romeo@example.com",
  "updated": "2014-07-17T17:29:13.526Z",
  "created": "2014-07-17T17:29:13.526Z"
}

$ sdc-user update --city=Verona 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
{
  "id": "43bc25a6-81f5-6a8f-8677-c098bdb53b7a",
  "login": "romeo",
  "email": "romeo@example.com",
  "city": "Verona",
  "updated": "2014-07-18T05:02:31.987Z",
  "created": "2014-07-17T17:29:13.526Z"
}

To change a user's password, use the sdc-user change-password command.

Deleting users

Use sdc-user delete to delete a user.

$ sdc-user delete 43bc25a6-81f5-6a8f-8677-c098bdb53b7a

$ sdc-user get 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
sdc-user: error (ResourceNotFound): 43bc25a6-81f5-6a8f-8677-c098bdb53b7a does not exist

The anonymous user

If you want to allow public access to objects, you can create a subuser with the name anonymous. Unauthenticated requests are evaluated as if they were made by the anonymous user, and so is a request from an authenticated user whose own authorization fails.

With the anonymous user, you can control the conditions under which a resource is publicly accessible by making the anonymous user a member of a role, just like any other user.

Note: Everything under ~~/public is accessible to anyone, regardless of role tags or other context.

Example: Allowing public reads on a Manta object

First, create a user named "anonymous".

$ sdc-user create --login=anonymous --email=ignore@example.com --password=ignored00
{
  "id": "1f73b7bf-2af5-ef70-8630-efc949c48858",
  "login": "anonymous",
  "email": "ignore@example.com",
  "updated": "2014-07-18T05:20:47.593Z",
  "created": "2014-07-18T05:20:47.593Z"
}

Now create a policy with a rule that allows reading of Manta objects. If you followed the Getting started with access control walkthrough, you may already have created this policy.

$ sdc-policy create --name=read --rules='CAN getobject'
{
  "name": "read",
  "id": "3072e003-34f7-c4a5-9f73-a8808de40e26",
  "rules": [
    "CAN getobject"
  ]
}

Next, create a role for the anonymous user.

$ sdc-role create --name='public-read' --members=anonymous \
                  --default-members=anonymous --policies=read
{
  "name": "public-read",
  "id": "94d0d2fc-eeda-4729-d6db-bbd683e249be",
  "members": [
    "anonymous"
  ],
  "default_members": [
    "anonymous"
  ],
  "policies": [
    "read"
  ]
}

Finally, tag the object with the role.

$ mchmod +public-read ~~/stor/readme.txt

As long as readme.txt is tagged with the role public-read, it is available to anyone. You can try this out by using a browser to open

$MANTA_URL/$MANTA_USER/stor/readme.txt
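Because anything tagged with a role that the anonymous user belongs to becomes public, it is worth knowing exactly which roles and rules that covers. The following added example (not part of the Triton CLI or this page) reads the JSON that sdc-user list, sdc-role list and sdc-policy list print and reports every role anonymous is a member of, together with the rules those roles grant; it assumes the list commands return arrays of the same objects the create commands above print, and the sample records are constructed.

```python
"""Audit what the reserved 'anonymous' subuser is granted through RBAC roles."""
import json

# Constructed sample output, shaped like the records shown on this page.
USERS_JSON = json.dumps([
    {"id": "11a251a3-7548-66a2-f8e2-cfceb2941370", "login": "bob"},
    {"id": "1f73b7bf-2af5-ef70-8630-efc949c48858", "login": "anonymous"},
])
ROLES_JSON = json.dumps([
    {"name": "public-read", "members": ["anonymous"],
     "default_members": ["anonymous"], "policies": ["read"]},
    {"name": "ops", "members": ["bob", "anonymous"],
     "default_members": ["bob"], "policies": ["read", "write"]},
])
POLICIES_JSON = json.dumps([
    {"name": "read", "rules": ["CAN getobject"]},
    {"name": "write", "rules": ["CAN putobject", "CAN deleteobject"]},
])


def anonymous_exposure(users_json, roles_json, policies_json):
    """Map each role that anonymous belongs to -> {"default": bool, "rules": [...]}.

    Returns None when the account has no anonymous subuser, in which case no
    role tag can make an object public (only ~~/public is open then).
    Any object tagged with one of the returned roles is readable, writable or
    deletable by anyone, according to the rules listed for that role.
    """
    users = json.loads(users_json)
    if not any(u.get("login") == "anonymous" for u in users):
        return None
    rules_by_policy = {p["name"]: list(p.get("rules", []))
                       for p in json.loads(policies_json)}
    exposure = {}
    for role in json.loads(roles_json):
        if "anonymous" not in role.get("members", []):
            continue
        rules = []
        for policy_name in role.get("policies", []):
            rules.extend(rules_by_policy.get(policy_name, []))
        exposure[role["name"]] = {
            "default": "anonymous" in role.get("default_members", []),
            "rules": rules,
        }
    return exposure


if __name__ == "__main__":
    print(json.dumps(anonymous_exposure(USERS_JSON, ROLES_JSON, POLICIES_JSON), indent=2))
```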