This section describes commands that manage users on the grid controller.
Add a user to the grid controller's local directory service database. The new username/password can be used to log in to the grid controller through the AppLogic visual interface. The following profile properties may be set: 'pwd', 'realname', 'comment', 'sshkey', and 'email'.
user create <name> pwd=- [ group=<group>[,<group>]* ] [ <key1>=<value1> ... ]
<name>: Login name of the local user to add. If the user name begins with '-' (e.g., '--myname'), the <name> argument must be preceded with '--' (e.g., '-- --myname').
pwd=-: Prompt for the user's password. If the standard input is not a terminal device, no prompt is printed and exactly one copy of the password is expected on 'stdin' (this can be used for batch operations, to set the password from a file).
group=<group>[,<group>]*: A list of groups. The first group in the list becomes the user's primary group. The user is added as a member to all local groups in the list.
<key>=<value>: One or more profile property settings.
user create user1 pwd=-
Add local user 'user1' and prompt for password.
Delete an existing user from the grid controller's local directory service database.
user destroy <name>
<name>: Name of the local user to delete. If the user name begins with '-' (e.g., '--myname'), the <name> argument must be preceded with '--' (e.g., '-- --myname').
user destroy myuser
Delete 'myuser'
Note: This command removes the specified user from the grid controller. It also removes the user's SSH key, if one was set up, disabling the user's access to the command line interface too.
Display the new object ACL definition associated with a user, or display the portion of the new object ACL definition that relates to a particular principal.
user get_newobj_acl <name> [ <principal> ] [--effective] [ --batch ]
<name>: Name of the user; prepend the user name with / to indicate a global user. If the user name is not supplied, information is returned for the user executing the command.
<principal>: Name of the principal, in the form <scope>:<type>:<name>, a fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group' or 'user' and <name> is the group or user name.
--effective: Display the ACL which would be created if the user were to create a new object. This option takes into account any relevant user or group new object ACL definitions.
--batch: Display output in UDL format.
user get_newobj_acl user1
Get the new object ACL definition associated with the local user 'user1'.
The non-batch output of this command is as follows:
--- Owner Information ---
ID      Scope   Type    Name
-------------------------------------------------------------------------
<val>   <val>   <val>   <val>
--- Entry Information ---
ID      Scope   Type    Name    Access
------------------------------------------------------------------------------
<val>   <val>   <val>   <val>   <val>
...
<val>   <val>   <val>   <val>   <val>
The batch output of this command is as follows:
acl
{
owner : id=<val> # scope type name
entries
[
id=<val>, access_level1, ... access_levelN, permission1, ... permissionN # scope type name
...
id=<val>, access_level1, ... access_levelN, permission1, ... permissionN # scope type name
]
}
Show a user profile, group membership, and the new object ACL definition associated with the user (if any).
user info [ <name> ] [ --batch ]
<name>: Name of the user to display; prepend the user name with / to indicate a global user. If the local user name begins with '-' (for example, '--myname'), the <name> argument must be preceded with '--' (for example, '-- --myname'). If the user name is not supplied, information is returned for the user executing the command.
--batch: Display output in UDL format.
user info user1
Show information for local user 'user1'
Non-batch output:
Comment : <val>
E-mail Address : <val>
User ID : <val>
Locale : <val>
Login Name : <val>
Real Name : <val>
Scope : <val>
Primary Group : <val> # scope type name
--- Group Membership Information ---
ID      Scope   Type    Name
---------------------------------------------------------
<val>   <val>   <val>   <val>
...
<val>   <val>   <val>   <val>
--- New Object ACL Owner Information ---
ID      Scope   Type    Name
------------------------------------------------------------------------------
<val>   <val>   <val>   <val>
--- New Object ACL Entry Information ---
ID      Scope   Type    Name    Access
------------------------------------------------------------------------------
<val>   <val>   <val>   <val>   <val>
...
<val>   <val>   <val>   <val>   <val>
Batch output:
user
{
comment = <val>
email = <val>
id = <val>
locale = <val>
loginname = <val>
realname = <val>
scope = <val>
primary_group = <val> # scope type name
group_membership
[
id=<val>, scope=<val>, type=<val>, name=<val>
...
id=<val>, scope=<val>, type=<val>, name=<val>
]
newobj_acl
{
owner: id = <val> # scope type name
entries
[
id = <val>, access_level1, ... access_levelN, permission1, ... permissionN # scope type name
...
id = <val>, access_level1, ... access_levelN, permission1, ... permissionN # scope type name
]
}
}
List users in the grid controller's local directory service and users in the global directory service database (if the grid is configured to use such a service). Only users with login permission on the grid ACL are listed.
user list [ --local | --global ] [ --batch ] [ --extended ] [ --online]
--local: List local users only.
--global: List global users only.
--batch: Display output in UDL format.
--extended: Include users which do not have login permission on the grid ACL in the output.
--online: List only users that are logged in.
user list
Show a list of users.
If the output includes global users and the --extended option is used, then the command interactively requests a user login name and password to authenticate with the global directory to retrieve a complete list of global users.
The output of this command is as follows:
Non-batch output
Login Name   User ID   Scope   Real Name   Login Enabled
--------------------------------------------------------------------------------
val          val       val     val         val
...
The value of Scope is local or global. The value of Login Enabled is yes or no.
Batch output
user: loginname="val", id="val", scope="val", realname="val", loginenabled="val"
...
The value of loginenabled is 1 or 0.
If the --extended option is specified and a global directory is configured, then the user is prompted to interactively authenticate with the global directory service.
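The batch (UDL) form of 'user list' is one key="value" record per line, which makes it easy to review grid logins from a script. The following parser is an added example, not part of the product or this reference; the sample lines are constructed, not captured from a real grid, and are labelled as output of 'user list --extended --batch' so that accounts without login permission appear as well.

```python
import re

# Constructed sample of 'user list --extended --batch' output; not captured from a real grid.
SAMPLE_BATCH = """\
user: loginname="user1", id="1001", scope="local", realname="Test User, Grid", loginenabled="1"
user: loginname="svc_backup", id="1002", scope="local", realname="Backup Service", loginenabled="0"
user: loginname="jdoe@example.com", id="5001", scope="global", realname="Jane Doe", loginenabled="1"
"""

# One key="value" pair; values are double-quoted, so commas and spaces in a real name are safe.
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_user_list_batch(text):
    """Turn 'user list --batch' lines into dicts; loginenabled is converted from "1"/"0" to a bool."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("user:"):
            continue  # blank line or something that is not a user record
        rec = dict(_FIELD_RE.findall(line[len("user:"):]))
        if "loginname" not in rec or "scope" not in rec:
            raise ValueError("malformed user record: %r" % line)
        rec["loginenabled"] = rec.get("loginenabled") == "1"
        records.append(rec)
    return records


def users_with_login(records, scope=None):
    """Login names with login enabled, optionally limited to scope 'local' or 'global'."""
    return sorted(r["loginname"] for r in records
                  if r["loginenabled"] and (scope is None or r["scope"] == scope))


def users_without_login(records):
    """Accounts in the directory that lack login permission on the grid ACL.
    They only show up in the listing when --extended is used."""
    return sorted(r["loginname"] for r in records if not r["loginenabled"])


if __name__ == "__main__":
    recs = parse_user_list_batch(SAMPLE_BATCH)
    print("login enabled :", users_with_login(recs))
    print("global logins :", users_with_login(recs, scope="global"))
    print("no login      :", users_without_login(recs))
```

The non-batch table is meant for people; scripts should always take the --batch form, since quoted values survive commas and spaces in real names.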
Replace the portion of a new object ACL definition associated with a user which relates to the owner or a principal entry.
user modify_newobj_acl <name> [ <principal>=owner ] [ <principal1>=<val> ... <principalN>=<val> ] [ template=<principal> ] [ --test_only ]
<name>: Name of the user; prepend the user name with / to indicate a global user.
<principal>=owner: Set the owner attribute of the new object ACL definition to the specified principal. The principal must be a group or the referenced user.
<principal>=<val>: Add the specified principal to the new object ACL definition with access level <val>. <principal> is in one of the following forms:
  Local user or group.
  Global user or group.
  A fully qualified principal name, <scope>:<type>:<name>, where <scope> is 'global' or 'local', <type> is 'group' or 'user', and <name> is the group or user name.
Valid access levels are: read, control, configure and full.
template=<principal>: Replace the principal entries of the new object ACL definition with those of the new object ACL definition associated with the specified principal.
--test_only: Do not replace the new object ACL definition, but rather test whether the operation can succeed.
user modify_newobj_acl user1 local:group:admin=full
Modify the new object ACL definition associated with the local user 'user1'.
The owner of a new object ACL definition associated with a user must be that user or a group.
Replace the entire new object ACL definition associated with a user.
user put_newobj_acl <name> [ <principal>=owner ] [ <principal1>=<val> ... <principalN>=<val> ] [ --test_only | --force ]
<name>: Name of the user; prepend the user name with / to indicate a global user.
<principal>=owner: Set the owner attribute of the new object ACL definition to the specified principal. The principal must be a group or the referenced user.
<principal>=<val>: Add the specified principal to the new object ACL definition with access level <val>. <principal> is in the form <scope>:<type>:<name>, a fully qualified principal name where <scope> is 'global' or 'local', <type> is 'group' or 'user', and <name> is the group or user name.
Valid access levels are: read, control, configure, and full.
--test_only: Do not replace the new object ACL definition, but rather test whether the operation can succeed.
--force: Skip prompting the user for verification.
user put_newobj_acl user1 local:group:admin=owner local:group:admin=full
Put the new object ACL definition associated with the local user 'user1'.
The owner of a new object ACL definition associated with a user must be that user or a group.
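Both modify_newobj_acl and put_newobj_acl share the same principal syntax, access levels and owner rule. The helper below, an added example that is not part of the product, checks a proposed definition against those rules before building the put_newobj_acl command line, defaulting to --test_only so nothing is replaced on a first run. It accepts only the fully qualified <scope>:<type>:<name> principal form; the '/name' convention for a global target user is taken from this reference, and the helper only assembles the argv, it does not execute anything.

```python
import shlex

# Vocabulary this reference gives for new object ACL definitions.
SCOPES = ("local", "global")
TYPES = ("group", "user")
ACCESS_LEVELS = ("read", "control", "configure", "full")


def parse_principal(text):
    """Parse a fully qualified principal '<scope>:<type>:<name>' (the only form accepted here)."""
    parts = text.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("principal must be <scope>:<type>:<name>, got %r" % text)
    scope, ptype, name = parts
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s: %r" % (SCOPES, text))
    if ptype not in TYPES:
        raise ValueError("type must be one of %s: %r" % (TYPES, text))
    return {"scope": scope, "type": ptype, "name": name}


def build_put_newobj_acl(user, owner, entries, test_only=True):
    """Build argv for 'user put_newobj_acl', rejecting what the grid would refuse anyway.
    user: target user ('/name' marks a global user); owner: fully qualified principal,
    must be a group or the target user itself; entries: {principal: access_level}.
    """
    target_scope = "global" if user.startswith("/") else "local"
    target_name = user.lstrip("/")
    o = parse_principal(owner)
    owner_is_self = (o["type"] == "user" and o["scope"] == target_scope
                     and o["name"] == target_name)
    if o["type"] != "group" and not owner_is_self:
        raise ValueError("owner must be a group or the user %r itself, got %r" % (user, owner))
    argv = ["user", "put_newobj_acl", user, owner + "=owner"]
    for principal, level in entries.items():
        parse_principal(principal)  # raises on a malformed principal
        if level not in ACCESS_LEVELS:
            raise ValueError("access level must be one of %s, got %r" % (ACCESS_LEVELS, level))
        argv.append("%s=%s" % (principal, level))
    if test_only:
        argv.append("--test_only")  # only check whether the operation can succeed
    return argv


if __name__ == "__main__":
    cmd = build_put_newobj_acl("user1", "local:group:admin",
                               {"local:group:admin": "full", "local:user:user1": "read"})
    print(" ".join(shlex.quote(a) for a in cmd))
```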
Modify a user profile. The following profile properties may be set: 'pwd', 'realname', 'comment', 'sshkey', 'locale', and 'email'. The 'pwd' property may only be set for local users. This command can also be used to set the user's grid access level or primary group.
user set <name> [ group=<group>[,<group>]* ] <key1>=<value1> [ <key2>=<value2> ... ]
<name>: Name of the user to modify; prepend the user name with / to indicate a global user. If the local user name begins with '-' (for example, '--myname'), the <name> argument must be preceded with '--' (for example, '-- --myname').
group=<group>[,<group>]*: A list of groups. The first group in the list becomes the user's primary group. The user is added as a member to all local groups in the list.
<key>=<value>: User profile property settings.
user set user1 comment="grid Test User"
Modify comment for local user 'user1'.
pwd: Password. The password can be set either directly, by supplying the password string on the command line, or typed to a 'shadow-display' password prompt that does not reveal the entered characters. The shadow entry option is selected by using a single '-' character as the password, that is, pwd=-. The 'shadow display' mode works differently depending on whether the input is a terminal device or not. For a terminal, a prompt is displayed and the password has to be entered twice. For non-terminal input nothing is displayed and the password string is simply read from the input stream once. The pwd=- option should ALWAYS be used to prevent others from potentially seeing the password by hitting the up arrow key. The password is case-sensitive, may consist of any standard keyboard characters [a-z, A-Z, 0-9, and special characters] with the exception of ' ', and must have a length between 6 and 64 characters inclusive.
realname: The real name of the user. This is intended as the 'display' name, used to address the user in GUI prompts.
comment: Arbitrary text, saved with the user's profile.
sshkey: An SSH public key to install as the user's access key to the CLI. The string provided for this property must be of the form ssh-rsa <base-64 encoded key> or ssh-dsa <base-64 encoded key>. This is the form found in the "public key" file produced by the ssh-keygen command from the OpenSSH tool set. Note that SSH clients other than the one from OpenSSH can be used as well; most of them have the ability to export a public key in the OpenSSH format. Note that since the key string contains a space, the entire value has to be enclosed in quotes, e.g. "sshkey=ssh-rsa AAAB3NzaC1ycAI ..." (the example is truncated; SSH keys are usually a few hundred characters in length, so using copy-and-paste is highly recommended).
locale: Locale. If set to "" (empty), the grid's default locale is used. For the change to take effect, the user must log in again.
email: E-mail address of the user.
Removes the temporary login lockout placed on the specified user ID if repeated attempts to login were made with a wrong password.
user unlock <name>
<name>: Name of the user for which to remove the temporary login lockout. If the local user name begins with '-' (for example, '--myname'), the <name> argument must be preceded with '--' (for example, '-- --myname').
user unlock user@ca.com
Remove temporary login lockout for 'user@ca.com'
Copyright © 2013 CA Technologies.
All rights reserved.