Working with users
Users are login credentials that allow different people in your organization to log in to your Triton account. Sometimes we use the term subuser to emphasize that these users are subordinate to the account owner. User names must be unique within the scope of the account. If there is a Triton account named bigco and another one named littleco, both can have a user named contractor.
The subuser name anonymous is reserved to allow unrestricted access to resources. See The Anonymous User.
Subusers do not currently work with Docker instances. This functionality will be available in a future version of RBAC.
All of the CLI commands involving users are subcommands of the sdc-user command.
$ sdc-user help
SmartDC Account Users and SSH keys associated with them
Usage:
sdc-user [OPTIONS] COMMAND [ARGS...]
sdc-user help COMMAND
Options:
-h, -?, --help Print help and exit.
--version Print version and exit.
-d, --debug enable debug/verbose mode (default: disabled)
-a ARG, --account=ARG account name. Environment: SDC_ACCOUNT=ARG
-A ARG, --user=ARG account sub-user login. Environment: SDC_USER=ARG
-u ARG, --url=ARG url for SmartDataCenter API. Environment: SDC_URL=ARG
-k ARG, --keyId=ARG your ssh key fingerprint. Environment: SDC_KEY_ID=ARG
Commands:
help (?) Help on a specific sub-command.
list List your Account Users.
get Get an account User by id.
create Creates a new User for your account.
change-password Updates password for a User of your account.
update Updates a User of your account.
delete Removes a User from your account.
keys List SSH keys for the given user.
key Get a SSH key from your account.
upload-key Uploads a SSH key for an account User.
delete-key Removes the given account User SSH key.
Creating users
Use the sdc-user create command to create a user. You must provide at least:
- a login name
- a password
- an email address
$ sdc-user create --login=maria --password=123secret --email=maria@example.com
{
"id": "8e9fcc58-3240-4e33-d145-fad9d92c6822",
"login": "maria",
"email": "maria@example.com",
"updated": "2014-07-17T15:32:48.029Z",
"created": "2014-07-17T15:32:48.029Z"
}
To see a list of the other available fields, use the sdc-user create --help command.
$ sdc-user create --help
Creates a new User for your account.
Usage:
sdc-user create [OPTIONS]
Options:
--login=ARG User login name (required)
-h, -?, --help Show this help.
--name=ARG User given name
--surname=ARG User surname
--address=ARG User address
--city=ARG User city
--company=ARG User company
--country=ARG User country
--email=ARG User email adress (required)
--phone=ARG User phone number
--postal-code=ARG User postal code
--state=ARG User state
--password=ARG User password (required)
Working with SSH keys
For many operations, the user will need an SSH key to access resources.
$ sdc-user upload-key 8e9fcc58-3240-4e33-d145-fad9d92c6822 --name=mariakey ~/.ssh/maria.pub
{
"name": "mariakey",
"fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
}
Use sdc-user key to get a specific user's key.
$ sdc-user key 8e9fcc58-3240-4e33-d145-fad9d92c6822 61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04
{
"name": "mariakey",
"fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
}
Use sdc-user keys to get a list of all the keys a user has. Maria has only one key.
$ sdc-user keys 8e9fcc58-3240-4e33-d145-fad9d92c6822
[
{
"name": "mariakey",
"fingerprint": "61:62:35:66:e6:e0:91:6a:fc:dc:d2:1b:90:52:51:04",
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnrt...fMp maria@example.com\n"
}
]
Getting information about users
Use sdc-user list to list all of the users associated with your account.
$ sdc-user list
[
{
"id": "11a251a3-7548-66a2-f8e2-cfceb2941370",
"login": "bob",
"email": "bob@test.example.com",
"updated": "2014-07-15T04:33:50.351Z",
"created": "2014-07-15T04:33:50.351Z"
},
. . .
]
If you've installed json, you can use it for a quick list of all your users' login names and ids.
$ sdc-user list | json -a login id
bob 11a251a3-7548-66a2-f8e2-cfceb2941370
jill dcd08cdb-4341-e391-f6e8-e39d9ce6c488
maria 8e9fcc58-3240-4e33-d145-fad9d92c6822
romeo 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
Use sdc-user get to get information about a user.
$ sdc-user get 8e9fcc58-3240-4e33-d145-fad9d92c6822
{
"id": "8e9fcc58-3240-4e33-d145-fad9d92c6822",
"login": "maria",
"email": "maria@example.com",
"updated": "2014-07-17T15:32:48.029Z",
"created": "2014-07-17T15:32:48.029Z"
}
The --membership option lists all the roles that a user belongs to:
$ sdc-user get 11a251a3-7548-66a2-f8e2-cfceb2941370 --membership
{
"id": "11a251a3-7548-66a2-f8e2-cfceb2941370",
"login": "bob",
"email": "bob@test.example.com",
"roles": [
"manager",
"ops"
],
"default_roles": [
"manager"
],
"updated": "2014-07-15T04:33:50.351Z",
"created": "2014-07-15T04:33:50.351Z"
}
Changing user information
Use the sdc-user update command to change information about a user. For example, the user romeo doesn't have a city listed. Let's add one.
$ sdc-user get 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
{
"id": "43bc25a6-81f5-6a8f-8677-c098bdb53b7a",
"login": "romeo",
"email": "romeo@example.com",
"updated": "2014-07-17T17:29:13.526Z",
"created": "2014-07-17T17:29:13.526Z"
}
$ sdc-user update --city=Verona 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
{
"id": "43bc25a6-81f5-6a8f-8677-c098bdb53b7a",
"login": "romeo",
"email": "romeo@example.com",
"city": "Verona",
"updated": "2014-07-18T05:02:31.987Z",
"created": "2014-07-17T17:29:13.526Z"
}
To change a user's password, use the sdc-user change-password command.
Deleting users
Use sdc-user delete to delete a user.
$ sdc-user delete 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
$ sdc-user get 43bc25a6-81f5-6a8f-8677-c098bdb53b7a
sdc-user: error (ResourceNotFound): 43bc25a6-81f5-6a8f-8677-c098bdb53b7a does not exist
The anonymous user
If you want to allow public access to objects, you can create a subuser with the name anonymous. The anonymous user is used as the user making the request for unauthenticated requests, or if authorization fails for an authenticated user.
With the anonymous user, you can control the conditions under which a resource is publicly accessible by making the anonymous user a member of a role, just like any other user.
Note: Everything under ~~/public is accessible to anyone, regardless of role tags or other context.
Example: Allowing public reads on a Manta object
First, create a user named "anonymous".
$ sdc-user create --login=anonymous --email=ignore@example.com --password=ignored00
{
"id": "1f73b7bf-2af5-ef70-8630-efc949c48858",
"login": "anonymous",
"email": "ignore@example.com",
"updated": "2014-07-18T05:20:47.593Z",
"created": "2014-07-18T05:20:47.593Z"
}
Now create a policy with a rule that allows reading of Manta objects. If you followed the Getting started with access control walkthrough, you may already have created this policy.
$ sdc-policy create --name=read --rules='CAN getobject'
{
"name": "read",
"id": "3072e003-34f7-c4a5-9f73-a8808de40e26",
"rules": [
"CAN getobject"
]
}
Next, create a role for the anonymous user.
$ sdc-role create --name='public-read' --members=anonymous \
--default-members=anonymous --policies=read
{
"name": "public-read",
"id": "94d0d2fc-eeda-4729-d6db-bbd683e249be",
"members": [
"anonymous"
],
"default_members": [
"anonymous"
],
"policies": [
"read"
]
}
Finally, tag the object with the role.
$ mchmod +public-read ~~/stor/readme.txt
As long as readme.txt is tagged with the role public-read, it is available to anyone. You can try this out by using a browser to open
$MANTA_URL/$MANTA_USER/stor/access.log
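Because any role that has anonymous as a member makes every resource tagged with that role reachable without authentication, it is worth checking periodically that such roles carry nothing beyond the read rule used above. The following audit script is an added example, not part of this documentation or of the sdc tooling; it assumes role and policy listings with the same fields as the sdc-role and sdc-policy create output shown above, and the sample data is constructed inline.

```python
"""Audit what the reserved 'anonymous' subuser can do through role membership."""
import json

# Constructed sample data, shaped like the sdc-role / sdc-policy create output
# on this page (the list form with several entries is assumed, not from the page).
ROLES = json.loads("""[
 {"name": "public-read", "members": ["anonymous"], "default_members": ["anonymous"],
  "policies": ["read"]},
 {"name": "ops", "members": ["bob", "anonymous"], "default_members": ["bob"],
  "policies": ["read", "write"]},
 {"name": "manager", "members": ["bob"], "default_members": ["bob"],
  "policies": ["read"]}
]""")
POLICIES = json.loads("""[
 {"name": "read", "rules": ["CAN getobject"]},
 {"name": "write", "rules": ["CAN putobject", "CAN deleteobject"]}
]""")

# The only rule a role containing 'anonymous' should carry for public reads.
SAFE_PUBLIC_RULES = {"CAN getobject"}


def anonymous_grants(roles, policies):
    """Map each role that includes 'anonymous' to the rules its policies grant."""
    rules_by_policy = {p["name"]: list(p.get("rules", [])) for p in policies}
    grants = {}
    for role in roles:
        if "anonymous" not in role.get("members", []):
            continue
        rules = []
        for policy_name in role.get("policies", []):
            # A policy the role names but the listing lacks contributes nothing here.
            rules.extend(rules_by_policy.get(policy_name, []))
        grants[role["name"]] = rules
    return grants


def risky_anonymous_roles(roles, policies):
    """Roles exposing anything beyond 'CAN getobject' to unauthenticated callers."""
    grants = anonymous_grants(roles, policies)
    return sorted(name for name, rules in grants.items()
                  if set(rules) - SAFE_PUBLIC_RULES)


if __name__ == "__main__":
    for name, rules in anonymous_grants(ROLES, POLICIES).items():
        print(f"role {name!r} gives anonymous: {', '.join(rules) or '(nothing)'}")
    for name in risky_anonymous_roles(ROLES, POLICIES):
        print(f"WARNING: role {name!r} grants anonymous more than read access")
```

With live data, feed the script the parsed output of the role and policy listing commands in place of the constructed ROLES and POLICIES.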