.. _UserManagement: *************** User Management *************** This section provides an overview of user management on a Robin Platform cluster and the underlying Kubernetes cluster. **Topics covered in this chapter:** ================================================ ========================================================= ``robin user add`` Add a new user to the Robin Platform cluster ``robin user update`` Update a user's attributes ``robin user remove`` Remove a user from the Robin Platform cluster ``robin user list`` List Robin Platform cluster users ``robin login`` Log into the Robin Platform cluster ``robin password change`` Change the password for the current Robin Platform user ``robin user change-tenant`` Change the tenant for the current user ``robin user change-tenant-role`` Change the role a user has for specified tenant ``robin capabilities list`` List details about user capabilities that can be assigned to users ``robin capabilities add`` Add a custom user capability ``robin capabilities remove`` Remove a custom user capability ``robin capabilities update`` Update one or more attributes for a custom user capability ``robin capabilities add-capability-entries`` Add one or more capability entries to a custom user capability ``robin capabilities remove-capability-entries`` Remove one or more capability entries from a custom user capability ``robin capabilities add-providers`` Add one or more capability providers to a custom user capability ``robin capabilities remove-providers`` Remove one or more capability providers from a custom user capability ``robin object-shares list-options`` List operations that can be shared with users for various sharable objects ``robin ldap add-server`` Add an LDAP server ``robin ldap remove-server`` Remove an LDAP server ``robin ldap list-servers`` List named LDAP server or all LDAP servers ``robin ldap list-groups`` List one or more LDAP groups ``robin ldap list-users`` List one or more LDAP users ``robin ldap import-users`` Import one or more LDAP users ``robin ldap import-group`` Import members of a LDAP group ``robin ldap list-attributes`` List LDAP attributes ``robin ldap update-attribute`` Update an LDAP attribute ``robin ldap reset-attribute`` Reset an LDAP attribute to its default value ``robin openshift list-users`` List one or more OpenShift users or all OpenShift users ``robin openshift list-groups`` List one or more OpenShift groups or all OpenShift groups ``robin openshift import-users`` Import one or more OpenShift users ``robin openshift import-group`` Import all users from an OpenShift groups ================================================ ========================================================= ========================== Kubernetes user management ========================== .. Note:: Details on Kubernetes user management are provided for information purposes only. The Robin Platform handles all interaction between Robin Server and the Kubernetes API Server on behalf of all Robin Platform users. Kubernetes clusters support two categories of users: service accounts, and normal users (users). Service accounts are managed by the Kubernetes cluster. But Kubernetes doesn't have a mechanism for managing users. In fact, it doesn't even contain an object that represents a user, and there is no way for a user to log into a Kubernetes cluster. In a Kubernetes cluster, user management is off-loaded to an external facility or auth provider. *Namespaces* Kubernetes provides a construct, called 'namespace', which allows a cluster to be partitioned into multiple "virtual clusters". Names for resources deployed in a namespace must be unique, but that restriction does not apply across namespaces. In addition to isolating application resources, namespaces also provide a way to isolate groups of users and apportion cluster resources to those groups. *Usernames* In a Kubernetes cluster, each user is identified by a unique username and possibly one or more affiliated group names. Kubernetes maps (binds) the username and affiliated group names to roles that define which resources can be accessed and which operations can be performed on those resources. These role bindings can apply to a specific namespace or they can apply across the entire cluster (namespaced roles bindings cannot reference more than one namespace). There are no hard and fast rules regarding what form a Kubernetes username may take. It may be a user's email address that they use when authenticating themselves with an authentication provider. Or it may be an arbitrary name that is encoded in an externally generated TLS certificate. Whatever username is specified, it needs to map to role bindings that provide full access to the namespace where the user's applications are deployed (this should already be the case if the user used Helm or an operator to deploy their application). It is beyond the scope of this document to determine how Kubernetes users should be managed. The following command can be used, however, to ensure that a username is mapped to a role with adequate permissions for a specific namespace:: $ kubectl create rolebinding --clusterrole=edit --user= -n= *Authentication and authorization* Each time a user issues a kubectl or helm command, their credentials (bearer token, TLS certificate, username/password, etc.) are sent on their behalf to the Kubernetes API server. There, the API server performs a user authentication check and if the user is authenticated, the user's username and group names are matched against role bindings, to determine if the user is authorized to perform the requested operation. If the user is not authenticated, or the user does not have adequate permissions to perform the operation, then an error will be returned. ===================== Robin user management ===================== Robin Platform includes a robust user management system with Role Based Access Control (RBAC) that allows fine grain control of what operations each user is able to perform and which resources they are able to access. Robin Platform also manages all interactions with the Kubernetes API Server on behalf of all Robin users. **Users** Each person accessing a Robin cluster should do so using their own user account. The user account contains a username and Id that uniquely identifies the user within the cluster. All objects created by the user (e.g., applications) will be tagged with the user's Id. The user account also contains key attributes about the user, such as first and last name, email address, phone number, etc., and provides a means for authenticating the user when they log into the cluster. **Tenants** Tenants are a Robin Platform construct that allows users to be organized into discrete groups based on function or business requirements. A user can be a member of multiple tenants, but each user is only able to access resources that are bound to the tenant they are currently logged into (e.g., a user would not be able to access an application they deployed when they were logged into a different tenant). **User roles** Each Robin user is assigned a role for each tenant they are a member of. The role determines which capabilities the user has and which objects they are able to access. Users who are assigned to multiple tenants can have a different role for each tenant they are a member of. Currently there are three roles that can be assigned to a user: * **superadmin** -- A user assigned the superadmin role has full access to all cluster objects and resources (including those bound to individual tenants), and is able to perform all administrative functions in the Robin Platform cluster, such as adding users to the cluster, registering and sharing storage repositories, exporting/importing application backups, etc. Note that the superadmin role can only be assigned to a member of the **Administrators** tenant. * **tenantadmin** -- A user assigned the tenantadmin role has many of the same permissions as user with the superadmin role. But their scope is limited to a particular tenant which they are a member of. A tenantadmin user is able to view all resources bound to their respective tenant, can register and share storage repositories, export/import application backups, etc. * **user** -- A user assigned the user role has no cluster admin capabilities and is, generally speaking, limited to managing the applications they have deployed or registered. **Authentication and authorization** Every command issued using the Robin Platform CLI results in a request being sent to the Robin Server. Before acting on the request, a check is made to ensure that the user making the request is authenticated and that they are authorized to perform the requested action on the specified object type. Each request sent to the Robin Server contains a token that includes the username of the user, the tenant they are currently logged into, and an expiration timestamp. If the token is invalid (malformed) or it has expired, then the request will be denied. If the user is authenticated, then an authorization check is performed. The first phase of the authorization check ensures that the user has adequate permissions to access the request method. The user needs to have the **view** permission for the specified object type when making a call to GET, the **create** permission when making a call to POST, the **modify** permission when making a call to PUT, and the **delete** permission when making a call to DELETE. For example, if the user issued the following Robin Platform CLI command: ``robin app list`` then a check will be made to ensure the user has permission to **view** objects of type APPLICATION. When making a request to modify specific object instances, an additional check may be made to see if the user has permission to perform the specified action. For example, when a user issues a command to stop an application instance, before the action is taken a check is made to ensure the user has permission to perform the **stop** action on objects of type APPLICATION. If the action the user wishes to perform will be applied to an actual object instance (which would normally be the case when making a request to modify or delete an object), then an additional check will be performed to ensure that the user is able to access the referenced object. Access to the object will be granted if one of the following conditions is met: * The user created and owns the object instance * The user has been assigned the tenantadmin role for the tenant the object is bound to, and they are logged into that tenant. * The user has been assigned the superadmin role, and they are logged into the Administrators tenant * The object type supports sharing and it has explicitly been shared with the user (for the requested action) or it has been shared with the user's tenant (for the requested action). Note that not all object types support additional actions beyond the standard permissions: **view**, **create**, **update**, and **delete**. **User capabilities** In addition to being assigned a role when they are added to a tenant, users are also assigned one or more User Capabilities. User capabilities are groupings of permissions that map individual object types to specific operations. As was outlined above, each object type has four permission mappings that map to standard API endpoint methods, GET, POST, PUT, and DELETE (**view**, **create**, **update**, and **delete** respectively). Additional permission mappings are provided that allow for a more granular level of access control. These additional mappings all extend the **update** permission, which controls the modification of existing objects. All object update operations for an object type are handled by its PUT method. Object permission mappings are hierarchical in nature. For example, before you can **start** or **stop** an application, you first must be able to access (**view**) the application. Including the **view**, **update**, **start**, and **stop** permission mappings in the same user capability would be one way to accomplish this. Doing so would impose some significant limitations, however. It would make it nearly impossible to allow one set of users to have full access to apps and another to have **view only** capabilities. To allow for a higher degree of flexibility, user capabilities support the concept of inheritance. A user capability only needs to include permission mappings that make sense for the stated purpose of the user capability (e.g., **Manage Applications**). Dependent permission mappings defined in other user capabilities are included in the capability's list of providers. Below is an example of how this works. The ``ManageApplications`` user capability inherits various user capabilities (providers) such as ``ViewApplications``, ``ViewBackups``, ``ViewInstances``, etc. It also defines permission mappings that pertain specifically to the management of application objects. .. code-block:: text { "id":3, "name":"ManageApplications", "capability_group":"Application", "description":"Manage Applications" "hidden":false, "tenant_roles":[ "superadmin", "tenantadmin", "user" ], "providers":[ "ViewApplications", "ViewBackups", "ViewInstances", "ManageInstances", "ViewDocker", "ViewTags", "ViewResourcePools", "ViewBundles", "ViewImages", "ViewConfig", "ViewEvents", "ViewNetworking", "ViewNodes", "ViewJobs", "ViewZones", "ViewStorageArray", "ViewNFSExports" ], "capability_entries":[ { "object_type":"APPLICATION", "operation":"add_repo" }, { "object_type":"APPLICATION", "operation":"addkey" }, { "object_type":"APPLICATION", "operation":"addtrigger" }, { "object_type":"APPLICATION", "operation":"addvol" }, { "object_type":"APPLICATION", "operation":"computeqos" }, { "object_type":"APPLICATION", "operation":"config" }, { "object_type":"APPLICATION", "operation":"deltrigger" }, { "object_type":"APPLICATION", "operation":"delvol" }, { "object_type":"APPLICATION", "operation":"expandvol" }, { "object_type":"APPLICATION", "operation":"hydrate" }, { "object_type":"APPLICATION", "operation":"moveresources" }, { "object_type":"APPLICATION", "operation":"probe" }, { "object_type":"APPLICATION", "operation":"redeploy" }, { "object_type":"APPLICATION", "operation":"register" }, { "object_type":"APPLICATION", "operation":"remove_repo" }, { "object_type":"APPLICATION", "operation":"restart" }, { "object_type":"APPLICATION", "operation":"rollback" }, { "object_type":"APPLICATION", "operation":"run_hook" }, { "object_type":"APPLICATION", "operation":"scale" }, { "object_type":"APPLICATION", "operation":"setreslimits" }, { "object_type":"APPLICATION", "operation":"start" }, { "object_type":"APPLICATION", "operation":"stop" }, { "object_type":"APPLICATION", "operation":"storageqos" }, { "object_type":"APPLICATION", "operation":"unregister" }, { "object_type":"APPLICATION", "operation":"update" }, { "object_type":"APPLICATION", "operation":"update_hpa" }, { "object_type":"APPLICATION", "operation":"upgrade" }, { "object_type":"SNAPSHOT", "operation":"update" } ] } .. note:: Each user capability contains a list of the user roles it can be use with. There are certain, special user capabilities that contain all of the permission mappings (including those provided via inheritance) needed for each user role. These are ``AllUserCapabilities``, ``AllTenantAdminCapabilities``, and ``AllSuperAdminCapabilities``. **User permissions** Each user that logs into a Robin cluster has a set of permission mappings that determine which operations they can perform on which object types. The set of permission mappings is determined by which user capabilities have been assigned to the user for the tenant they are currently logged into (users have a different set of permission mappings for each tenant they are a member of). A user's current permissions are the set of all permission mappings assigned to the user based on their assigned user capabilities, plus those from all inherited capabilities. .. note:: If multiple user capabilities assigned to a user inherit the same user capability, only one set of the inherited permission mappings will be assigned to the user. **Custom user capabilities** Robin provides a wide range of user capabilities that address the needs of users at various levels (cluster administrators, tenant administrators, and regular users). By default, each user when added to a tenant, will be assigned one of the following user capabilities, based on their assigned tenant role: * **superadmin** -- ``AllSuperAdminCapabilities`` * **tenantadmin** -- ``AllTenantAdminCapabilities`` * **user** -- ``AllUserCapabilities`` Each of the above user capabilities provides the user with a full set of permissions appropriate for the role they have been assigned. It does this by including all relevant user capabilities in the provider list of the assigned capability. Cluster administrators can remove select capabilities from a user. They cannot, however, add or remove individual permissions. Nor are they able to give a user a specific set of permissions. If there is a need for this, then a custom user capability might be the way to go. Custom user capabilities give cluster administrators the ability to give a user only those permissions needed for a particular use case. The permission mappings can be specified in a number of ways: * By including user capabilities that provide the desired permission mappings in the custom capability's **providers** list. * By including individual permission mappings in the custom capability's **capability entries** list. * By employing a combination of **providers** and **capability entries**. When creating a custom user capability, you need to specify which user roles the capability can be used with. For example, a custom capability that focuses on cluster infrastructure probably should be limited in scope to users having the ``superadmin`` role. Use the following command to see which of the current user capabilities (including custom capabilities) might provide the desired set of permissions (or a sub-set of this list). ``robin capabilities list-options --full`` You can narrow the output by including the ``--group`` command line option, or you can specify specific user capabilities on the command line. When specifying capability entries on the command line, they should be of the following format: ``:`` Once you have created a custom user capability, you can assign it to users when adding them to the cluster or to a tenant. You would do this by including the custom capability on the command line when using the Robin CLI to issue a ``robin user add`` or ``robin tenant add-users`` command. Note that if no user capabilities are specified, then one of the role specific default capabilities specified above will be assigned. Strictly speaking, a custom user capability is not the same thing as a custom user role. It can, however, be deployed in such a way as to provide functionality people think of when they think of custom roles. Robin does not allow the creation of custom tenant roles because tenant roles are very specifically focused on controlling a user's **access level** for object types they have permission to access (granted by their assigned user capabilities). For example, a regular user (one who has been assigned the ``user`` role) may have permission to view applications (because they have been assigned the ``ViewApplications`` user capability), but the access level imposed by their role (``user``) prevents them from viewing applications they didn't create (don't own). If you want to prevent a user from viewing all applications, you need to remove those capabilities giving them ``view`` permission on ``APPLICATION`` objects. Accomplishing this may not be as straight forward as you might think. That's because of the loosely hierarchical nature of user capabilities. By design, each user capability includes all of the user capabilities it is dependent on in its providers list (e.g., the ``ManageApplications`` capability includes the ``ViewApplications`` capability). This makes it hard to remove specific permission mappings (the ``ViewApplications`` capability may be imported by multiple user capabilities). This is not an issue with a custom user capability. If there are a desired set of permissions you wish to give to a user (or group of users) then it's just a matter of creating a custom capability and including the permission mappings in the capability entries list. Once created, custom user capabilities can be assigned to users, just like the capabilities provided by Robin. If a custom user capability is assigned to multiple users, then any change to the capability will be reflected in the permissions for each of the assigned user. .. note:: Please refer to the previous section that provides details about user capabilities. When creating a custom user capability, describes what a user capability is. Care should be taken when creating custom user capabilities as they may prevent or impede access to the Robin UI. A user capability group is not specified when creating a custom user capability as they are all assigned to the ``Custom`` capability group. **Object sharing** As was outlined above, Robin RBAC control prevents users from accessing objects they do not have permission to access. For example, a regular user (a user assigned the role of ``user``) will only be able to view and manage objects (applications, snapshots, backups, etc.) they create and own. Other users, even those in the same tenant, will not be able to see the objects, let alone perform any operations on them. There are restrictions on which objects a Tenant Administrator can access as well. Tenant Administrators have permission to view all objects created by all users in their tenant, however they are not able to access objects created by users from other tenants. Cluster Administrators, however, are able to access all objects created by all users in all tenants, but only when they are logged into the Administrators tenant. There are times when it might be desirable to share an object with one or more users in a tenant. It also might be desirable for certain objects to be shared with users in multiple tenants. The Robin platform contains a mechanisim for sharing certain objects with multiple tenants and users. The extent to which a particular object can be shared depends on what type of object it is. For example, it makes sense for bundles or application backups to be shared with users in multiple tenants, because these objects do not contain any context that is bound to a single tenant. The same can not be said for an application, however, which has a context which is bound to a tenant. When sharing certain objects with a tenant, all members of the tenant automatically get full access to the object (e.g., all members of a tenant will be able to create applications from a shared Bundle). For other object types, sharing them with a tenant only allows the object to be shared with tenant users. It's up to a cluster or tenant administrator to provide users with access. Only a Cluster Administrators can share an object with a tenant other than the one it is bound to. Once an object has been shared with a tenant, however, administrators of the tenant can then share the object with members of the tenant (assuming the object supports user sharing). Following are a list of objects that can be shared with tenants: * Bundles * Images * Storage Repos * Docker Registries * Application Backups Following is a list of objects that can be shared with tenant users: * Storage Repos * Applications * Application Backups * Application Snapshots * Namespaces .. note:: By default, when a Cluster Administrator shares an object with a tenant, administrators of the tenant will not be able to share the object with members of their tenant. This, and other capabilities can be extended to all administrators of the tenant when the object is shared. Use the ``robin object-share list-options`` command to output a list of sharable objects, showing which operations can be assigned when sharing with tenants and users. A Tenant Administrator can share all objects bound to (owned by) their tenant with their tenant users without restriction. This includes objects that are sharable across tenants (application backups and storage repos). **User administration** Before a user can begin to use Robin Platform to manage their applications, they need to log into the Robin Platform cluster using the Robin Platform CLI utility. Before they can do that, they need a user account. Robin Platform user accounts are created by the cluster administrator (a user having the superadmin role). The following information needs to be supplied when creating a user account: * username (must be unique within the Robin Platform cluster) * role (``superadmin``, ``tenantadmin``, or ``user``) * initial password Robin Platform will generate a TLS certificate for each user added to the cluster. The certificate includes the user's username. Robin Platform will pass this certificate to the Kubernetes API server any time it makes a call on the user's behalf. Note that role bindings with adequate permissions to manage applications in the user's assigned namespace (bound to the user's Kubernetes username and/or group names) will automatically be created. Before a user can make use of the Robin Platform CLI, they must first authenticate themselves to the Robin Platform cluster. They do this by issuing the following command:: # robin login which prompts the user to enter their password. Upon a successful login, a token is returned that identifies the user, the tenant they are currently logged into, and their current namespace. This token is stashed in the user's home directory, to be used with each successive commands issued by the user. ======================== LDAP user authentication ======================== A Robin user is required to provide their username and password when logging into a Robin cluster. The Robin Server uses this username and password to perform an authentication check. By default, user authentication is performed by Robin directly. For environments where user accounts are maintained on a centralized LDAP server, Robin allows users to be configured so that their authentication is handled by the LDAP server. Robin Platform supports the following LDAP server types: * Active Directory * OpenLDAP ---------------------------------------- Adding an LDAP server to a Robin cluster ---------------------------------------- Before users can be configured for LDAP authentication, the LDAP server needs to be added to the Robin cluster. The following information is required when adding an LDAP server: * **name** -- The name that will identify the LDAP server within the Robin cluster * **hostname** -- The IP address or hostname where the LDAP server is running * **port** -- The port number to use when connecting to the server * **server_type** -- ``OPEN_LDAP`` or ``ACTIVE_DIRECTORY`` * **username** -- The username of an LDAP user that has full access rights * **search_base** -- The search base defines the starting point for the search in the directory tree * **netbios** -- Normally, the netbios is the domainname minus the suffix (e.g., domainname instead of domainname.com). Before adding the LDAP server to a Robin cluster, obtain the NETBIOS from the LDAP server. Note that netbios is only required when server_type is ACTIVE_DIRECTORY. The following example shows how an Active Directory LDAP server is added to a Robin cluster: .. code-block:: text # robin ldap add-server ad1 10.9.53.5 389 ACTIVE_DIRECTORY administrator mydomain.com --netbios mydomain .. Note:: * An LDAP Directory Tree can be structured in multiple ways, which can effect where users and groups are located. Robin provides options for specifying the global search base, as well as search bases for users and groups, when adding an LDAP server. Additionally, each of the RobinLDAP commands allows for a custom search base to be specified. * In addition, the names of attribues in user and group entries can differ, depending on the type of LDAP server (``ACTIVE_DIRECTORY`` or ``OPEN_LDAP``) and how it's configured. Robin provides CLI commands for listing and updating the attribute names used internally when accessing a user's username, first and last name, email address, or when accessing group members, etc. ------------------------------------- Adding users with LDAP authentication ------------------------------------- When adding a user to a Robin cluster, the user can be configured so that authentication checks go through an external LDAP server. When using the Robin CLI to add the user, include the ``--ldap`` and ``--ldap-server `` flags on the command line. The command to add a user should look something like this: .. code-block:: text # robin user add user1 tenant1 user --ldap --ldap-server ldap1 .. Note:: If the user's LDAP username contains characters that are not allowed in a Robin cluster (valid characters include ``a-z``, ``A-Z``, ``0-9``, ``.``, ``-``, and ``_``) , then the user's distinguished name (DN) should be specified. When the user logs into the Robin cluster, their DN will be sent to the LDAP server for validation instead of their username. ------------------------ Searching for LDAP users ------------------------ The Robin CLI includes commands to get a listing of users and user groups from an LDAP server. The users returned from these queries can then be imported into the Robin cluster. When importing an LDAP user, an account for the user will be created in the Robin cluster. .. code-block:: text # robin ldap list-users ldap1 Username | Email Address | User Principal Name | Object SID ---------+---------------+---------------------+-------------------------------------- user1 | None | None | 050ce4de-2f64-1033-8989-a53eb149a944 user2 | None | None | 29f6dc28-2f64-1033-898b-a53eb149a944 .. Note:: * There is no direct link between a user's account in a Robin cluster and their account on the LDAP server. other than as a means for authenticating the user during login. * On a very large installation, user queries can take a long time when sending the request to an LDAP server with a large directory. -------------------- Importing LDAP users -------------------- Importing an LDAP user is similar to adding a Robin user. The tenant the user will be added to and their role in that tenant must be specified. When importing an LDAP user, a validation check will be performed, to ensure the user exists in the server's directory. .. code-block:: text # robin ldap import-users ldap1 user1 tenant1 user ---------------------------------- Importing members of an LDAP group ---------------------------------- All members of an LDAP group can be imported in a single operation. Note that all users will be added to the same tenant with the same tenant role and (optionally) custom user capabilities. Key user attributes, such as full name, email address, etc. will be imported along with the user's username. .. code-block:: text # robin ldap import-group ldap1 ldap_group tenant1 user ============================= OpenShift user authentication ============================= ----------------------- Listing OpenShift users ----------------------- .. tabs:: .. tab:: CLI The Robin CLI includes commands to get a listing of users and user groups from an OpenShift cluster. The users returned from these queries can then be imported into the Robin cluster. When importing an OpenShift user, an account for the user will be created in the Robin cluster. .. code-block:: text # robin openshift list-users [users] =========================== ========================================================= ``users`` Comma separated list of OpenShift users. If no users are provided then all OpenShift users will be displayed. =========================== ========================================================= **Example:** .. code-block:: text # robin openshift list-users Username | UID | Groups ---------+--------------------------------------+------------- admin1 | ee29177c-b48b-42a9-b63c-e9cce6935219 | robin-users admin2 | d613991f-1975-4225-8d67-2f23aac05215 | robin-users robin | 881fdd9d-9270-4d1b-a853-ec767b3793cc | robin-users user1 | 678a46ce-2c32-44ce-a88c-ca084d29c60c | robin-users user2 | c9ba0e73-b90a-4285-86b6-479e3ddb91ed | robin-users user3 | 883c0d99-0c4d-4f89-a7ac-79da198e9229 | robin-users user4 | dee5d68c-ce27-4500-afdc-21d730fe7d23 | robin-users user5 | e2660780-2a91-44a6-87c1-f9f30724c7de | robin-users .. note:: This command is only supported when Robin is deployed on an OpenShift cluster. There is no direct link between a user's account in a Robin cluster and their account on an OpenShift cluster, other than as a means for authenticating the user during login to Robin. ------------------------------------------ Adding users with OpenShift authentication ------------------------------------------ When adding a user when Robin is deployed on an OpenShift cluster, the user can be configured so that authentication checks go to OpenShift for authentication. When using the Robin CLI to add the user, include the ``--openshift`` flag on the command line. A command to add a Robin user with OpenShift authentication will look something like this: .. code-block:: text # robin user add user1 tenant1 user --openshift For more details on the options available for the ``robin user add`` command and an example of its usage, review the section detailed `here `_. .. note:: This operation is only supported when Robin is deployed on an OpenShift cluster. ------------------------- Importing OpenShift users ------------------------- .. tabs:: .. tab:: CLI Importing an OpenShift user is similar to adding a Robin user. The tenant the user will be added to and their role in that tenant must be specified. When importing an OpenShift user, a validation check will be performed, to ensure the user exists in the cluster. .. code-block:: text # robin openshift import-users users tenant tenant_role [user_capabilities] =========================== ========================================================= ``users`` Comma separated list of OpenShift users to import ``tenant`` Tenant that all imported users will be made a member of ``tenant_role`` User role for the tenant assigned to each imported user ``user_capabilities`` Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no user_capabilities are specified, then full capabilities for the specified role will be assigned. If it's desired that no capabilities be granted to the user then specify 'NoCapabilities' on the command line =========================== ========================================================= .. note:: To view a list of all user capabilities review the section detailed `here `_. **Example:** .. code-block:: text # robin openshift import-users admin1 t1 tenantadmin Successfully added one user: admin1 # robin user list admin1 ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication ---+----------+-----------+-------+---------+----------------+--------------+-------------------+---------------- 4 | admin1 | | | t1 | t1 | tenantadmin | t002-u000004 | openshift .. note:: This command is only supported when Robin is deployed on an OpenShift cluster. ------------------------ Listing OpenShift groups ------------------------ .. tabs:: .. tab:: CLI Users from OpenShift groups can be imported into a Robin cluster. Use the following command to search for OpenShift groups and view group members: .. code-block:: text # robin openshift list-groups [groups] =========================== ========================================================= ``groups`` Comma separated list of OpenShift group names. If no group names are provided then all OpenShift groups will be displayed (note that a listing of all groups can take a long time to finish). =========================== ========================================================= **Example:** .. code-block:: text # robin openshift list-groups Name | UID | Users ------------+--------------------------------------+--------------------------------------------------- robin-users | abc53d88-ca7f-4634-b70f-7f51d538d9e4 | robin,user1,user2,user3,user4,user5,admin1,admin2 .. note:: This command is only supported when Robin is deployed on an OpenShift cluster. --------------------------------------- Importing members of an OpenShift group --------------------------------------- .. tabs:: .. tab:: CLI All members of an OpenShift group can be imported into a Robin cluster with a single operation. Note that all users will be added to the same tenant with the same tenant role and (optionally) custom user capabilities. Key user attributes, such as the user's full name will be imported along with the user's username. Issue the following command to import one or more members of an OpenShift group: .. code-block:: text # robin openshift import-group tenant tenant_role [user_capabilities] --exclude-users EXCLUDE_USERS ================================= ========================================================= ``group`` Name of the OpenShift group to import users from ``tenant`` Tenant that all imported users will be made a member of ``tenant_role`` User role for the tenant assigned to each imported user ``user_capabilities`` Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no user_capabilities are specified, then full capabilities for the specified role will be assigned. If it's desired that no capabilities be granted to the user then specify 'NoCapabilities' on the command line ``--exclude-users EXCLUDE_USERS`` Comma separated list of users to exclude from importation ================================= ========================================================= .. note:: To view a list of all user capabilities review the section detailed `here `_. **Example:** .. code-block:: text # robin openshift import-group robin-users t2 user --exclude-users robin,admin1,admin2,user1,user2 Imported OpenShift users: 'user3, user4, user5' # robin user list ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication ---+----------+---------------+-------+----------------+----------------+--------------+-------------------+---------------- 3 | admin | Robin Systems | | Administrators | Administrators | superadmin | t001-u000003 | local 4 | admin1 | | | t1 | t1 | tenantadmin | t002-u000004 | openshift 5 | user3 | | | t2 | t2 | user | t003-u000005 | openshift 6 | user4 | | | t2 | t2 | user | t003-u000006 | openshift 7 | user5 | | | t2 | t2 | user | t003-u000007 | openshift .. note:: This command is only supported when Robin is deployed on an OpenShift cluster. It may not be practical to use this command to add users from an OpenShift group to a Robin cluster. If the users in the group will be assigned to multiple tenants and have different roles. It might make more sense to use the ``robin openshift add-users`` command to add the users in bunches. ============================ User capabilities operations ============================ ---------------------- List user capabilities ---------------------- .. tabs:: .. tab:: CLI List user capabilities that can be assigned to users based on their tenant role: .. code-block:: text # robin capabilities list [names] --group --all --full ============================== ========================================================= ``names`` Comma separated list of user capabilities to list ``--group `` User capability group ``--all`` Show all user capabilities (including hidden ones). Note that hidden capabilities will be returned if specified on the command line. ``--full`` Show additional information about each user capability ============================== ========================================================= **Example 1 (List non-hidden user capabilities):** .. code-block:: text # robin capabilities list Group | Name | Hidden | Description ---------------+-----------------------------+--------+------------------------------------------------------------ Application | ManageApplications | False | Manage Applications Application | ShareApplications | False | Share Application Backups Application | CreateApplications | False | Create Applications Application | SnapshotApplications | False | Snapshot Applications Application | UseNamespaces | False | Use Namespaces Application | ManageNamespaces | False | Manage Namespaces Application | ShareNamespaces | False | Share Namespaces with other tenant users Application | CreateBackups | False | Create Application Backups Application | DeleteBackups | False | Delete Application Backups Application | ImportBackups | False | Import Application Backups Application | ExportBackups | False | Export Application Backups Application | PurgeBackups | False | Purge Application Backups from Storage Repo Application | TenantShareBackups | False | Share Application Backups with tenants Application | UserShareBackups | False | Share Application Backups with tenant users Application | BackupApplications | False | Backup Applications Application | CloneApplications | False | Clone Applications Application | DeleteApplications | False | Delete Applications Application | CreatePrivelegedApps | False | Create Privileged Applications Infrastructure | ViewSystem | False | View system attributes Infrastructure | ManageSystem | False | Manage system attributes Infrastructure | ManageApplicationResources | False | Manage Application resources Application | ManageK8sApplications | False | Manage k8s Applications Application | ShareK8sApplications | False | Share Application Backups Application | ManageK8sBackups | False | Manage K8s Application Backups Application | CreateImages | False | Create Application Images Application | CreateBundles | False | Create Application Bundles Application | ManageInstances | False | Manage Application Instances Application | ManageVolumes | False | Manage Storage Volumes Application | ManageDocker | False | Manage Docker Registries Infrastructure | ManageNetworking | False | Manage Networking Infrastructure | ManageResourcePools | False | Manage Resource Pools Infrastructure | ManageTags | False | Manage Tags Infrastructure | ManageResourceGroups | False | Manage Resource groups Infrastructure | ManageConfig | False | Manage Configuration Information Infrastructure | AccessConsole | False | Access a physical node's console Infrastructure | AccessDashboard | False | Access a cluster's dashboard Infrastructure | ManageLogCollections | False | Manage Log Collection Information Infrastructure | ManageFileCollections | False | Manage File Collection Information Infrastructure | ManageNodes | False | Manage Physical Nodes Infrastructure | ManageEvents | False | Manage System Events and Alerts Infrastructure | ManageJobs | False | Manage Jobs Infrastructure | ManageZones | False | Manage Zones Infrastructure | ManageWorkflow | False | Manage Workflows Infrastructure | CreateStorageRepos | False | Create Storage Repos Infrastructure | UseStorageRepos | False | Use Storage Repos Infrastructure | ManageStorageRepos | False | Manage Storage Repos Application | TenantShareRepos | False | Share Storage Repos with tenants Application | UserShareRepos | False | Share Storage Repos with tenant users Infrastructure | ManageNFSExports | False | Manage NFS exports Infrastructure | GenerateReports | False | Generate reports Infrastructure | ShareObjectsWithTenants | False | Share various objects with tenants Infrastructure | ChangeOwner | False | Change the owner for various objects Infrastructure | ManageTenantResources | False | Manage Tenants, Tenant users and their properties User | ManageUsers | False | Manage Users and their properties User | UpdateUserRole | False | Update roles for users User | UpdateTenants | False | Update Tenants, Tenant users and their properties User | ManageTenants | False | Manage Tenants, Tenant users and their properties User | ManageUserCapabilities | False | Manage User Capabilities and their properties User | CreateUserCapabilities | False | Create, Update, and Delete User Capabilities User | ManageTiller | False | Manage Tiller objects User | ManageDirectoryServices | False | Manage LDAP/Active Directory services and their properties User | ManageOpenShift | False | Manage OpenShift users/groups and their properties User | ManageUserAudit | False | Manage user audit properties Infrastructure | ManageK8s | False | Manage Kubernetes resources Infrastructure | ManageK8sUsers | False | Manage Kubernetes resources Administration | AllSuperAdminCapabilities | False | All Super Admin Capabilities Administration | AllUserCapabilities | False | All User Capabilities Administration | AllClusterUserCapabilities | False | All Cluster User Capabilities Administration | AllClusterAdminCapabilities | False | All Cluster Admin Capabilities Administration | AllTenantAdminCapabilities | False | All Tenant Admin Capabilities **Example 2 (List all user capabilities in a capability group):** .. code-block:: text # robin capabilities list --group User Group | Name | Hidden | Description ------+-------------------------+--------+------------------------------------------------------------ User | ViewUsers | True | View Users and their properties User | ManageUsers | False | Manage Users and their properties User | ViewUserAuth | True | View user auth information User | UpdateUserRole | False | Update roles for users User | ViewTenants | True | View Tenants and their properties User | UpdateTenants | False | Update Tenants, Tenant users and their properties User | ManageTenants | False | Manage Tenants, Tenant users and their properties User | ViewUserCapabilities | True | View User Capabilities and their properties User | ManageUserCapabilities | False | Manage User Capabilities and their properties User | CreateUserCapabilities | False | Create, Update, and Delete User Capabilities User | ViewTiller | True | View Tiller objects User | ManageTiller | False | Manage Tiller objects User | ViewDirectoryServices | True | View LDAP/Active Directory services and their properties User | ManageDirectoryServices | False | Manage LDAP/Active Directory services and their properties User | ViewOpenShift | True | View OpenShift users/groups and their properties User | ManageOpenShift | False | Manage OpenShift users/groups and their properties User | ViewUserAudit | True | View user audit properties User | ManageUserAudit | False | Manage user audit properties User | ViewK8sUserAuth | True | View Kubernetes user context information **Example 3 (Show details for a single user capability):** .. code-block:: text # robin capabilities list --full ManageApplications Group | Name | Hidden | Description ------------+--------------------+--------+--------------------- Application | ManageApplications | False | Manage Applications Tenant Roles: superadmin tenantadmin user Providers: ViewApplications ViewBackups ViewInstances ManageInstances ViewDocker ViewTags ViewResourcePools ViewBundles ViewImages ViewConfig ViewEvents ViewNetworking ViewNodes ViewJobs ViewZones ViewStorageArray ViewNFSExports Capability Entries: APPLICATION add_repo APPLICATION addkey APPLICATION addtrigger APPLICATION addvol APPLICATION computeqos APPLICATION config APPLICATION deltrigger APPLICATION delvol APPLICATION expandvol APPLICATION hydrate APPLICATION moveresources APPLICATION probe APPLICATION redeploy APPLICATION register APPLICATION remove_repo APPLICATION restart APPLICATION rollback APPLICATION run_hook APPLICATION scale APPLICATION setreslimits APPLICATION start APPLICATION stop APPLICATION storageqos APPLICATION unregister APPLICATION update APPLICATION update_hpa APPLICATION upgrade SNAPSHOT update .. tab:: API Returns a list of user capabilities that can be assigned to users based on their tenant role:. **End Point:** /api/v3/robin_server/user-capabilities **Method:** GET **URL Parameters:** None **Data Parameters:** - ``all_capabilities: true`` - Utilizing this parameter within the payload results in all user capabilities including hidden ones being returned. - ``capability_group: `` - Utilizing this parameter within the payload by specifying a valid group name results in only capabilities within that group being returned. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "capability_group":"Application", "id":3, "description":"Manage Applications", "providers":[ "ViewApplications", "ViewBackups", "ViewInstances", "ManageInstances", "ViewDocker", "ViewTags", "ViewResourcePools", "ViewBundles", "ViewImages", "ViewConfig", "ViewEvents", "ViewNetworking", "ViewNodes", "ViewJobs", "ViewZones", "ViewStorageArray", "ViewNFSExports" ], "hidden":false, "name":"ManageApplications", "capability_entries":[ { "operation":"add_repo", "object_type":"APPLICATION" }, { "operation":"addkey", "object_type":"APPLICATION" }, { "operation":"addtrigger", "object_type":"APPLICATION" }, { "operation":"addvol", "object_type":"APPLICATION" }, { "operation":"computeqos", "object_type":"APPLICATION" }, { "operation":"config", "object_type":"APPLICATION" }, { "operation":"deltrigger", "object_type":"APPLICATION" }, { "operation":"delvol", "object_type":"APPLICATION" }, { "operation":"expandvol", "object_type":"APPLICATION" }, { "operation":"hydrate", "object_type":"APPLICATION" }, { "operation":"moveresources", "object_type":"APPLICATION" }, { "operation":"probe", "object_type":"APPLICATION" }, { "operation":"redeploy", "object_type":"APPLICATION" }, { "operation":"register", "object_type":"APPLICATION" }, { "operation":"remove_repo", "object_type":"APPLICATION" }, { "operation":"restart", "object_type":"APPLICATION" }, { "operation":"rollback", "object_type":"APPLICATION" }, { "operation":"run_hook", "object_type":"APPLICATION" }, { "operation":"scale", "object_type":"APPLICATION" }, { "operation":"setreslimits", "object_type":"APPLICATION" }, { "operation":"start", "object_type":"APPLICATION" }, { "operation":"stop", "object_type":"APPLICATION" }, { "operation":"storageqos", "object_type":"APPLICATION" }, { "operation":"unregister", "object_type":"APPLICATION" }, { "operation":"update", "object_type":"APPLICATION" }, { "operation":"update_hpa", "object_type":"APPLICATION" }, { "operation":"upgrade", "object_type":"APPLICATION" }, { "operation":"update", "object_type":"SNAPSHOT" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":4, "description":"Share Application Backups", "providers":[ "ViewApplications", "ViewK8sApplications" ], "hidden":false, "name":"ShareApplications", "capability_entries":[ { "operation":"share", "object_type":"APPLICATION" }, { "operation":"unshare", "object_type":"APPLICATION" }, { "operation":"share", "object_type":"K8S_APPLICATION" }, { "operation":"unshare", "object_type":"K8S_APPLICATION" }, { "operation":"share", "object_type":"SNAPSHOT" }, { "operation":"unshare", "object_type":"SNAPSHOT" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":5, "description":"Create Applications", "providers":[ "ManageApplications" ], "hidden":false, "name":"CreateApplications", "capability_entries":[ { "operation":"create", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":6, "description":"Snapshot Applications", "providers":[ "ViewApplications" ], "hidden":false, "name":"SnapshotApplications", "capability_entries":[ { "operation":"setsnapback", "object_type":"APPLICATION" }, { "operation":"snapshot", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":8, "description":"Use Namespaces", "providers":[ ], "hidden":false, "name":"UseNamespaces", "capability_entries":[ { "operation":"deploy_app", "object_type":"NAMESPACE" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":9, "description":"Manage Namespaces", "providers":[ "ViewNamespaces" ], "hidden":false, "name":"ManageNamespaces", "capability_entries":[ { "operation":"create", "object_type":"NAMESPACE" }, { "operation":"delete", "object_type":"NAMESPACE" }, { "operation":"update", "object_type":"NAMESPACE" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":10, "description":"Share Namespaces with other tenant users", "providers":[ "ViewNamespaces" ], "hidden":false, "name":"ShareNamespaces", "capability_entries":[ { "operation":"user_share", "object_type":"NAMESPACE" }, { "operation":"user_unshare", "object_type":"NAMESPACE" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":12, "description":"Create Application Backups", "providers":[ "ViewBackups" ], "hidden":false, "name":"CreateBackups", "capability_entries":[ { "operation":"create", "object_type":"BACKUP" }, { "operation":"update", "object_type":"BACKUP" }, { "operation":"create", "object_type":"K8S_BACKUP" }, { "operation":"update", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":13, "description":"Delete Application Backups", "providers":[ "ViewBackups" ], "hidden":false, "name":"DeleteBackups", "capability_entries":[ { "operation":"delete", "object_type":"BACKUP" }, { "operation":"delete", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":14, "description":"Import Application Backups", "providers":[ "ViewBackups" ], "hidden":false, "name":"ImportBackups", "capability_entries":[ { "operation":"import", "object_type":"BACKUP" }, { "operation":"import", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":15, "description":"Export Application Backups", "providers":[ "ViewBackups" ], "hidden":false, "name":"ExportBackups", "capability_entries":[ { "operation":"export", "object_type":"BACKUP" }, { "operation":"export", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":16, "description":"Purge Application Backups from Storage Repo", "providers":[ "ViewBackups" ], "hidden":false, "name":"PurgeBackups", "capability_entries":[ { "operation":"purge", "object_type":"BACKUP" }, { "operation":"purge", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":17, "description":"Share Application Backups with tenants", "providers":[ "ViewBackups" ], "hidden":false, "name":"TenantShareBackups", "capability_entries":[ { "operation":"tenant_share", "object_type":"BACKUP" }, { "operation":"tenant_unshare", "object_type":"BACKUP" }, { "operation":"tenant_share", "object_type":"K8S_BACKUP" }, { "operation":"tenant_unshare", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Application", "id":18, "description":"Share Application Backups with tenant users", "providers":[ "ViewBackups" ], "hidden":false, "name":"UserShareBackups", "capability_entries":[ { "operation":"user_share", "object_type":"BACKUP" }, { "operation":"user_unshare", "object_type":"BACKUP" }, { "operation":"user_share", "object_type":"K8S_BACKUP" }, { "operation":"user_unshare", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":19, "description":"Backup Applications", "providers":[ "ViewApplications" ], "hidden":false, "name":"BackupApplications", "capability_entries":[ { "operation":"backup", "object_type":"APPLICATION" }, { "operation":"delete_backup", "object_type":"APPLICATION" }, { "operation":"restore", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":20, "description":"Clone Applications", "providers":[ "ManageApplications" ], "hidden":false, "name":"CloneApplications", "capability_entries":[ { "operation":"clone", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":21, "description":"Delete Applications", "providers":[ "ManageApplications" ], "hidden":false, "name":"DeleteApplications", "capability_entries":[ { "operation":"delete", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":22, "description":"Create Privileged Applications", "providers":[ ], "hidden":false, "name":"CreatePrivelegedApps", "capability_entries":[ { "operation":"create", "object_type":"PRIVILEGED_APP" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Infrastructure", "id":23, "description":"View system attributes", "providers":[ ], "hidden":false, "name":"ViewSystem", "capability_entries":[ { "operation":"view", "object_type":"METRICS" }, { "operation":"view", "object_type":"SYSTEM" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Infrastructure", "id":24, "description":"Manage system attributes", "providers":[ ], "hidden":false, "name":"ManageSystem", "capability_entries":[ { "operation":"create", "object_type":"SYSTEM" }, { "operation":"update", "object_type":"SYSTEM" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":25, "description":"Manage Application resources", "providers":[ ], "hidden":false, "name":"ManageApplicationResources", "capability_entries":[ { "operation":"snapshot_limits", "object_type":"APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":27, "description":"Manage k8s Applications", "providers":[ "ViewK8sApplications" ], "hidden":false, "name":"ManageK8sApplications", "capability_entries":[ { "operation":"add_repo", "object_type":"K8S_APPLICATION" }, { "operation":"backup", "object_type":"K8S_APPLICATION" }, { "operation":"clone", "object_type":"K8S_APPLICATION" }, { "operation":"config", "object_type":"K8S_APPLICATION" }, { "operation":"create", "object_type":"K8S_APPLICATION" }, { "operation":"delete", "object_type":"K8S_APPLICATION" }, { "operation":"hydrate", "object_type":"K8S_APPLICATION" }, { "operation":"probe", "object_type":"K8S_APPLICATION" }, { "operation":"register", "object_type":"K8S_APPLICATION" }, { "operation":"remove_repo", "object_type":"K8S_APPLICATION" }, { "operation":"restart", "object_type":"K8S_APPLICATION" }, { "operation":"restore", "object_type":"K8S_APPLICATION" }, { "operation":"rollback", "object_type":"K8S_APPLICATION" }, { "operation":"scale", "object_type":"K8S_APPLICATION" }, { "operation":"setsnapback", "object_type":"K8S_APPLICATION" }, { "operation":"snapshot", "object_type":"K8S_APPLICATION" }, { "operation":"start", "object_type":"K8S_APPLICATION" }, { "operation":"stop", "object_type":"K8S_APPLICATION" }, { "operation":"unregister", "object_type":"K8S_APPLICATION" }, { "operation":"update", "object_type":"K8S_APPLICATION" }, { "operation":"view", "object_type":"K8S_APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":28, "description":"Share Application Backups", "providers":[ "ViewApplications", "ViewK8sApplications" ], "hidden":false, "name":"ShareK8sApplications", "capability_entries":[ { "operation":"share", "object_type":"K8S_APPLICATION" }, { "operation":"unshare", "object_type":"K8S_APPLICATION" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Application", "id":30, "description":"Manage K8s Application Backups", "providers":[ "ViewK8sBackups" ], "hidden":false, "name":"ManageK8sBackups", "capability_entries":[ { "operation":"create", "object_type":"K8S_BACKUP" }, { "operation":"delete", "object_type":"K8S_BACKUP" }, { "operation":"share", "object_type":"K8S_BACKUP" }, { "operation":"tenant_share", "object_type":"K8S_BACKUP" }, { "operation":"tenant_unshare", "object_type":"K8S_BACKUP" }, { "operation":"unshare", "object_type":"K8S_BACKUP" }, { "operation":"update", "object_type":"K8S_BACKUP" }, { "operation":"user_share", "object_type":"K8S_BACKUP" }, { "operation":"user_unshare", "object_type":"K8S_BACKUP" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Application", "id":32, "description":"Create Application Images", "providers":[ "ViewImages" ], "hidden":false, "name":"CreateImages", "capability_entries":[ { "operation":"create", "object_type":"IMAGE" }, { "operation":"delete", "object_type":"IMAGE" }, { "operation":"rename", "object_type":"IMAGE" }, { "operation":"update", "object_type":"IMAGE" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":34, "description":"Create Application Bundles", "providers":[ "ViewImages", "ViewBundles" ], "hidden":false, "name":"CreateBundles", "capability_entries":[ { "operation":"create", "object_type":"BUNDLE" }, { "operation":"delete", "object_type":"BUNDLE" }, { "operation":"rename", "object_type":"BUNDLE" }, { "operation":"update", "object_type":"BUNDLE" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":36, "description":"Manage Application Instances", "providers":[ "ViewInstances" ], "hidden":false, "name":"ManageInstances", "capability_entries":[ { "operation":"manage_instances", "object_type":"APPLICATION" }, { "operation":"addvol", "object_type":"INSTANCE" }, { "operation":"computeqos", "object_type":"INSTANCE" }, { "operation":"delete", "object_type":"INSTANCE" }, { "operation":"relocate", "object_type":"INSTANCE" }, { "operation":"repair", "object_type":"INSTANCE" }, { "operation":"restart", "object_type":"INSTANCE" }, { "operation":"setstate", "object_type":"INSTANCE" }, { "operation":"start", "object_type":"INSTANCE" }, { "operation":"stop", "object_type":"INSTANCE" }, { "operation":"update", "object_type":"INSTANCE" }, { "operation":"upgrade", "object_type":"INSTANCE" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":38, "description":"Manage Storage Volumes", "providers":[ "ViewVolumes" ], "hidden":false, "name":"ManageVolumes", "capability_entries":[ { "operation":"create", "object_type":"VOLUME" }, { "operation":"delete", "object_type":"VOLUME" }, { "operation":"update", "object_type":"VOLUME" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Application", "id":40, "description":"Manage Docker Registries", "providers":[ "ViewDocker" ], "hidden":false, "name":"ManageDocker", "capability_entries":[ { "operation":"create", "object_type":"DOCKER_REGISTRY" }, { "operation":"delete", "object_type":"DOCKER_REGISTRY" }, { "operation":"update", "object_type":"DOCKER_REGISTRY" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":42, "description":"Manage Networking", "providers":[ "ViewNetworking" ], "hidden":false, "name":"ManageNetworking", "capability_entries":[ { "operation":"create", "object_type":"IPPOOL" }, { "operation":"delete", "object_type":"IPPOOL" }, { "operation":"update", "object_type":"IPPOOL" }, { "operation":"create", "object_type":"VLAN" }, { "operation":"delete", "object_type":"VLAN" }, { "operation":"update", "object_type":"VLAN" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":44, "description":"Manage Resource Pools", "providers":[ "ViewResourcePools" ], "hidden":false, "name":"ManageResourcePools", "capability_entries":[ { "operation":"create", "object_type":"RESOURCEPOOL" }, { "operation":"delete", "object_type":"RESOURCEPOOL" }, { "operation":"update", "object_type":"RESOURCEPOOL" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":46, "description":"Manage Tags", "providers":[ "ViewTags" ], "hidden":false, "name":"ManageTags", "capability_entries":[ { "operation":"create", "object_type":"TAG" }, { "operation":"delete", "object_type":"TAG" }, { "operation":"update", "object_type":"TAG" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":48, "description":"Manage Resource groups", "providers":[ "ViewResourceGroups" ], "hidden":false, "name":"ManageResourceGroups", "capability_entries":[ { "operation":"create", "object_type":"RESOURCE_GROUP" }, { "operation":"delete", "object_type":"RESOURCE_GROUP" }, { "operation":"update", "object_type":"RESOURCE_GROUP" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":51, "description":"Manage Configuration Information", "providers":[ "ViewConfig" ], "hidden":false, "name":"ManageConfig", "capability_entries":[ { "operation":"update", "object_type":"CONFIG" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":52, "description":"Access a physical node's console", "providers":[ "ViewNodes" ], "hidden":false, "name":"AccessConsole", "capability_entries":[ { "operation":"view", "object_type":"CONSOLE" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":53, "description":"Access a cluster's dashboard", "providers":[ "ViewApplications", "ViewBackups", "ViewConfig", "ViewNodes", "ViewEvents" ], "hidden":false, "name":"AccessDashboard", "capability_entries":[ { "operation":"view", "object_type":"DASHBOARD" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":55, "description":"Manage Log Collection Information", "providers":[ "ViewLogCollections", "ViewJobs" ], "hidden":false, "name":"ManageLogCollections", "capability_entries":[ { "operation":"create", "object_type":"LOG_COLLECT" }, { "operation":"delete", "object_type":"LOG_COLLECT" }, { "operation":"update", "object_type":"LOG_COLLECT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":57, "description":"Manage File Collection Information", "providers":[ "ViewFileCollections" ], "hidden":false, "name":"ManageFileCollections", "capability_entries":[ { "operation":"create", "object_type":"FILE_COLLECTION" }, { "operation":"delete", "object_type":"FILE_COLLECTION" }, { "operation":"update", "object_type":"FILE_COLLECTION" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":59, "description":"Manage Physical Nodes", "providers":[ "ViewApplications", "ViewNodes" ], "hidden":false, "name":"ManageNodes", "capability_entries":[ { "operation":"create", "object_type":"NODE" }, { "operation":"delete", "object_type":"NODE" }, { "operation":"pruneimage", "object_type":"NODE" }, { "operation":"update", "object_type":"NODE" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":61, "description":"Manage System Events and Alerts", "providers":[ "ViewEvents" ], "hidden":false, "name":"ManageEvents", "capability_entries":[ { "operation":"create", "object_type":"EVENT" }, { "operation":"delete", "object_type":"EVENT" }, { "operation":"update", "object_type":"EVENT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":63, "description":"Manage Jobs", "providers":[ "ViewJobs" ], "hidden":false, "name":"ManageJobs", "capability_entries":[ { "operation":"delete", "object_type":"JOB" }, { "operation":"update", "object_type":"JOB" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":65, "description":"Manage Zones", "providers":[ "ViewZones" ], "hidden":false, "name":"ManageZones", "capability_entries":[ { "operation":"create", "object_type":"ZONE" }, { "operation":"delete", "object_type":"ZONE" }, { "operation":"update", "object_type":"ZONE" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":67, "description":"Manage Workflows", "providers":[ "ViewWorkflow" ], "hidden":false, "name":"ManageWorkflow", "capability_entries":[ { "operation":"create", "object_type":"WORKFLOW" }, { "operation":"delete", "object_type":"WORKFLOW" }, { "operation":"update", "object_type":"WORKFLOW" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":71, "description":"Create Storage Repos", "providers":[ "ViewStorageRepos" ], "hidden":false, "name":"CreateStorageRepos", "capability_entries":[ { "operation":"create", "object_type":"REPO_CATALOG" }, { "operation":"delete", "object_type":"REPO_CATALOG" }, { "operation":"create", "object_type":"STORAGE_REPO" }, { "operation":"delete", "object_type":"STORAGE_REPO" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Infrastructure", "id":72, "description":"Use Storage Repos", "providers":[ "ViewStorageRepos" ], "hidden":false, "name":"UseStorageRepos", "capability_entries":[ { "operation":"push", "object_type":"STORAGE_REPO" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Infrastructure", "id":73, "description":"Manage Storage Repos", "providers":[ "ViewStorageRepos", "UseStorageRepos" ], "hidden":false, "name":"ManageStorageRepos", "capability_entries":[ { "operation":"update", "object_type":"REPO_CATALOG" }, { "operation":"purge", "object_type":"STORAGE_REPO" }, { "operation":"reclaim", "object_type":"STORAGE_REPO" }, { "operation":"scan", "object_type":"STORAGE_REPO" }, { "operation":"update", "object_type":"STORAGE_REPO" } ], "tenant_roles":[ "superadmin", "tenantadmin", "user" ] }, { "capability_group":"Application", "id":74, "description":"Share Storage Repos with tenants", "providers":[ "ViewStorageRepos", "UseStorageRepos" ], "hidden":false, "name":"TenantShareRepos", "capability_entries":[ { "operation":"tenant_share", "object_type":"STORAGE_REPO" }, { "operation":"tenant_unshare", "object_type":"STORAGE_REPO" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Application", "id":75, "description":"Share Storage Repos with tenant users", "providers":[ "ViewStorageRepos", "UseStorageRepos" ], "hidden":false, "name":"UserShareRepos", "capability_entries":[ { "operation":"user_share", "object_type":"STORAGE_REPO" }, { "operation":"user_unshare", "object_type":"STORAGE_REPO" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":77, "description":"Manage NFS exports", "providers":[ "ViewNFSExports" ], "hidden":false, "name":"ManageNFSExports", "capability_entries":[ { "operation":"create", "object_type":"NFS_EXPORTS" }, { "operation":"delete", "object_type":"NFS_EXPORTS" }, { "operation":"update", "object_type":"NFS_EXPORTS" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":78, "description":"Generate reports", "providers":[ ], "hidden":false, "name":"GenerateReports", "capability_entries":[ { "operation":"view", "object_type":"REPORT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":79, "description":"Share various objects with tenants", "providers":[ ], "hidden":false, "name":"ShareObjectsWithTenants", "capability_entries":[ { "operation":"tenant_share", "object_type":"BUNDLE" }, { "operation":"tenant_share", "object_type":"DOCKER_REGISTRY" }, { "operation":"tenant_share", "object_type":"IMAGE" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":80, "description":"Change the owner for various objects", "providers":[ ], "hidden":false, "name":"ChangeOwner", "capability_entries":[ { "operation":"change_owner", "object_type":"APPLICATION" }, { "operation":"change_owner", "object_type":"BUNDLE" }, { "operation":"change_owner", "object_type":"DOCKER_REGISTRY" }, { "operation":"change_owner", "object_type":"IMAGE" }, { "operation":"change_owner", "object_type":"INSTANCE" }, { "operation":"change_owner", "object_type":"K8S_APPLICATION" }, { "operation":"change_owner", "object_type":"NAMESPACE" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"Infrastructure", "id":81, "description":"Manage Tenants, Tenant users and their properties", "providers":[ ], "hidden":false, "name":"ManageTenantResources", "capability_entries":[ { "operation":"manage_resources", "object_type":"TENANT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":83, "description":"Manage Users and their properties", "providers":[ "ViewUsers", "ManageUserCapabilities" ], "hidden":false, "name":"ManageUsers", "capability_entries":[ { "operation":"create", "object_type":"USER" }, { "operation":"delete", "object_type":"USER" }, { "operation":"update", "object_type":"USER" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":85, "description":"Update roles for users", "providers":[ ], "hidden":false, "name":"UpdateUserRole", "capability_entries":[ { "operation":"update_role", "object_type":"USER" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"User", "id":87, "description":"Update Tenants, Tenant users and their properties", "providers":[ "ViewUsers", "ViewTenants" ], "hidden":false, "name":"UpdateTenants", "capability_entries":[ { "operation":"update", "object_type":"TENANT" } ], "tenant_roles":[ "tenantadmin" ] }, { "capability_group":"User", "id":88, "description":"Manage Tenants, Tenant users and their properties", "providers":[ "ViewUsers", "ViewTenants" ], "hidden":false, "name":"ManageTenants", "capability_entries":[ { "operation":"add_users", "object_type":"TENANT" }, { "operation":"create", "object_type":"TENANT" }, { "operation":"delete", "object_type":"TENANT" }, { "operation":"update", "object_type":"TENANT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":90, "description":"Manage User Capabilities and their properties", "providers":[ "ViewUserCapabilities" ], "hidden":false, "name":"ManageUserCapabilities", "capability_entries":[ ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"User", "id":91, "description":"Create, Update, and Delete User Capabilities", "providers":[ "ManageUserCapabilities" ], "hidden":false, "name":"CreateUserCapabilities", "capability_entries":[ { "operation":"create", "object_type":"USER_CAPABILITY" }, { "operation":"delete", "object_type":"USER_CAPABILITY" }, { "operation":"update", "object_type":"USER_CAPABILITY" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":93, "description":"Manage Tiller objects", "providers":[ "ViewTiller" ], "hidden":false, "name":"ManageTiller", "capability_entries":[ { "operation":"create", "object_type":"K8S_TILLER" }, { "operation":"delete", "object_type":"K8S_TILLER" }, { "operation":"update", "object_type":"K8S_TILLER" } ], "tenant_roles":[ "superadmin", "tenantadmin" ] }, { "capability_group":"User", "id":95, "description":"Manage LDAP\/Active Directory services and their properties", "providers":[ "ViewDirectoryServices" ], "hidden":false, "name":"ManageDirectoryServices", "capability_entries":[ { "operation":"create", "object_type":"LDAP" }, { "operation":"delete", "object_type":"LDAP" }, { "operation":"update", "object_type":"LDAP" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":97, "description":"Manage OpenShift users\/groups and their properties", "providers":[ "ViewOpenShift" ], "hidden":false, "name":"ManageOpenShift", "capability_entries":[ { "operation":"create", "object_type":"OPEN_SHIFT" }, { "operation":"delete", "object_type":"OPEN_SHIFT" }, { "operation":"update", "object_type":"OPEN_SHIFT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"User", "id":99, "description":"Manage user audit properties", "providers":[ "ViewUserAudit" ], "hidden":false, "name":"ManageUserAudit", "capability_entries":[ { "operation":"create", "object_type":"USER_AUDIT" }, { "operation":"delete", "object_type":"USER_AUDIT" }, { "operation":"update", "object_type":"USER_AUDIT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":102, "description":"Manage Kubernetes resources", "providers":[ "ViewK8s" ], "hidden":false, "name":"ManageK8s", "capability_entries":[ { "operation":"create", "object_type":"K8S_MASTER" }, { "operation":"delete", "object_type":"K8S_MASTER" }, { "operation":"update", "object_type":"K8S_MASTER" }, { "operation":"update", "object_type":"K8S_NODE" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Infrastructure", "id":103, "description":"Manage Kubernetes resources", "providers":[ ], "hidden":false, "name":"ManageK8sUsers", "capability_entries":[ { "operation":"create", "object_type":"K8S_USER_CONTEXT" }, { "operation":"delete", "object_type":"K8S_USER_CONTEXT" }, { "operation":"update", "object_type":"K8S_USER_CONTEXT" }, { "operation":"view", "object_type":"K8S_USER_CONTEXT" } ], "tenant_roles":[ "superadmin" ] }, { "capability_group":"Administration", "id":106, "description":"All Super Admin Capabilities", "providers":[ "AllCapabilities" ], "hidden":false, "name":"AllSuperAdminCapabilities", "capability_entries":[ ], "tenant_roles":[ ] }, { "capability_group":"Administration", "id":107, "description":"All User Capabilities", "providers":[ "CloneApplications", "CreateApplications", "ViewNamespaces", "UseNamespaces", "ManageNamespaces", "ViewBackups", "CreateBackups", "DeleteBackups", "PurgeBackups", "ViewUserAuth", "CreateBundles", "CreateImages", "CreatePrivelegedApps", "CreateStorageRepos", "DeleteApplications", "DownloadFiles", "ManageInstances", "ManageK8sApplications", "ManageStorageRepos", "SnapshotApplications", "BackupApplications", "ViewApplications", "ViewBundles", "ViewChargeback", "ViewConfig", "ViewDocker", "ViewEvents", "ViewFileCollections", "ViewImages", "ViewInstances", "ViewJobs", "ViewK8sApplications", "ViewK8sUserAuth", "ViewNetworking", "ViewNFSExports", "ViewNodes", "ViewResourceGroups", "ViewResourcePools", "ViewStorageArray", "ViewStorageRepos", "UseStorageRepos", "ViewSystem", "ViewTags", "ViewTiller", "ViewZones", "ViewWorkflow" ], "hidden":false, "name":"AllUserCapabilities", "capability_entries":[ ], "tenant_roles":[ ] }, { "capability_group":"Administration", "id":108, "description":"All Cluster User Capabilities", "providers":[ "ManageK8sApplications", "ManageK8sBackups", "ViewJobs", "CreateStorageRepos", "ManageStorageRepos", "ViewTiller", "ViewK8sUserAuth" ], "hidden":false, "name":"AllClusterUserCapabilities", "capability_entries":[ ], "tenant_roles":[ ] }, { "capability_group":"Administration", "id":109, "description":"All Cluster Admin Capabilities", "providers":[ "AllCapabilities" ], "hidden":false, "name":"AllClusterAdminCapabilities", "capability_entries":[ ], "tenant_roles":[ ] }, { "capability_group":"Administration", "id":110, "description":"All Tenant Admin Capabilities", "providers":[ "ViewObjectShares", "AccessConsole", "AccessDashboard", "ChangeOwner", "CloneApplications", "CreateApplications", "ViewNamespaces", "UseNamespaces", "ManageNamespaces", "ShareNamespaces", "ViewBackups", "CreateBackups", "DeleteBackups", "ImportBackups", "ExportBackups", "PurgeBackups", "UserShareBackups", "CreateBundles", "CreateImages", "CreatePrivelegedApps", "CreateStorageRepos", "DeleteApplications", "DownloadFiles", "ManageApplications", "ShareApplications", "ManageApplicationResources", "ManageDocker", "ManageInstances", "ManageK8s", "ManageK8sApplications", "ShareK8sApplications", "ManageResourceGroups", "ManageStorageRepos", "UserShareRepos", "ManageTiller", "ManageUserCapabilities", "SnapshotApplications", "BackupApplications", "UpdateTenants", "UpdateUserRole", "UseStorageRepos", "ViewApplications", "ViewBundles", "ViewChargeback", "ViewConfig", "ViewDocker", "ViewEvents", "ViewFileCollections", "ViewImages", "ViewInstances", "ViewJobs", "ViewK8sApplications", "ViewK8sUserAuth", "ViewNetworking", "ViewNFSExports", "ViewNodes", "ViewResourceGroups", "ViewResourcePools", "ViewStorageArray", "ViewStorageRepos", "ViewSystem", "ViewTags", "ViewTenants", "ViewTiller", "ViewUsers", "ViewUserAuth", "ViewUserCapabilities", "ViewZones", "ViewWorkflow", "ManageWorkflow" ], "hidden":false, "name":"AllTenantAdminCapabilities", "capability_entries":[ ], "tenant_roles":[ ] }, { "capability_group":"Custom", "id":115, "description":"Custom user capability", "providers":[ "ManageApplications" ], "hidden":false, "name":"CustomUserCapability", "capability_entries":[ { "operation":"backup", "object_type":"APPLICATION" }, { "operation":"restore", "object_type":"APPLICATION" } ], "tenant_roles":[ "user", "tenantadmin", "superadmin" ] } ] } .. raw:: html
---------------------------- Add a custom user capability ---------------------------- .. tabs:: .. tab:: CLI Issue the following command to add a custom user capability: .. code-block:: text # robin capabilities add --providers --capability-entries --hidden ============================================= ========================================================= ``name`` Name of custom user capability ``description`` Description of User Capability ``tenant_roles`` Comma separated list of Tenant Roles. One or more of 'superadmin', 'tenantadmin', 'user' is required. ``--providers `` Optional comma separated list of provider user capabilities. ``--capability-entries `` Optional comma separated list of capability entries in the following format: ':'. ``--hidden`` Hide a user capability when listing (default is not hidden). ============================================= ========================================================= .. note:: At least one of ``--providers`` or ``--capability-entries`` options must be specified. **Example:** .. code-block:: text # robin capabilities add CustomUserCapability "Custom user capability" user --providers ManageApplications Custom User Capability 'CustomUserCapability' successfully added # robin capabilities list CustomUserCapability --full Group | Name | Hidden | Description -------+----------------------+--------+------------------------ Custom | CustomUserCapability | False | Custom user capability Tenant Roles: user Providers: ManageApplications Capability Entries: .. tab:: API Adds a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** POST **URL Parameters:** None **Data Parameters:** - ``name: `` - This mandatory field within the payload specifies the name of the capability to be created. - ``description: `` - Utilizing this parameter within the payload results in the new capability's description being set to the specified string. - ``tenant_roles: `` - Utilizing this parameter within the payload by specifying a comma seperated list of values results in the tenant roles the capability is applicable to being set to the given values. Valid values include: 'superadmin', 'tenantadmin' and 'user'. - ``providers: `` - Utilizing this parameter within the payload by specifying a comma seperated list of providers results in the capability's providers being set to the values provided. - ``hidden: true`` - Utilizing this parameter within the payload results in the capability not being shown when capability listing is performed. The default value is False. - ``capability_entries: `` - Utilizing this parameter within the payload by specifying a list of arrays, each in the form of [, ] results in the capability's entries being set to the values provided. .. note:: At least one of ``providers`` or ``capability_entries`` fields must be specified within the payload. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage), 409 (Duplicate Resource Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Custom User Capability 'CustomUserCapability' successfully added" } .. raw:: html
------------------------------- Remove a custom user capability ------------------------------- .. tabs:: .. tab:: CLI Issue the following command to remove a custom user capability: .. code-block:: text # robin capabilities remove =========================== ========================================================= ``name`` Name of custom user capability to remove =========================== ========================================================= **Example:** .. code-block:: text # robin capabilities remove CustomUserCapability Deleted User Capability 'CustomUserCapability' .. tab:: API Removes a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities/ **Method:** DELETE **URL Parameters:** None **Data Parameters:** None **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Deleted User Capability 'CustomUserCapability'" } .. raw:: html
------------------------------- Update a custom user capability ------------------------------- .. tabs:: .. tab:: CLI Issue the following command to update a custom user capability: .. code-block:: text # robin capabilities update --description --tenant-roles --providers --capability-entries --hide --expose ============================================== ========================================================= ``name`` Name of custom user capability to update ``--description `` Description of User Capability ``--tenant-roles `` A comma separated list of Tenant Roles. One or more of 'superadmin', 'tenantadmin', 'user' is required. ``-providers `` Optional comma separated list of provider user capabilities. ``--capability-entries `` Optional comma separated list of capability entries in the following format: ':'. ``--hide`` Hide user capability when listing. ``--expose`` Include user capability when listing. ============================================== ========================================================= **Example:** .. code-block:: text # robin capabilities update CustomUserCapability --capability-entries APPLICATION:backup,APPLICATION:restore --tenant-roles user,tenantadmin,superadmin User Capability 'CustomUserCapability' has been updated # robin capabilities list CustomUserCapability --full Group | Name | Hidden | Description -------+----------------------+--------+------------------------ Custom | CustomUserCapability | False | Custom user capability Tenant Roles: user tenantadmin superadmin Providers: ManageApplications Capability Entries: APPLICATION backup APPLICATION restore .. note:: When updating a custom user capability, the values provided for providers and capability entries will replace the current values. To add or remove one or more providers or capability entries, use the ``add-capability-entries``, ``remove-capability-entries``, ``add-providers``, or ``remove-providers`` sub-commands. .. tab:: API Updates a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: update`` - This mandatory field within the payload specifies that the update operation is to be performed. - ``name: `` - This mandatory field within the payload specifies the name of the capability to be updated. - ``description: `` - Utilizing this parameter within the payload by specifying a description results in the capability's description being changed to the given string. - ``tenant_roles: `` - Utilizing this parameter within the payload by specifying a comma seperated list of values results in the tenant roles the capability is applicable to being updated to the given list. Valid values include: 'superadmin', 'tenantadmin' and 'user'. - ``providers: `` - Utilizing this parameter within the payload by specifying a comma seperated list of providers results in the capability's providers being set to the values provided. - ``hidden: [true|false]`` - Utilizing this parameter within the payload determines whether or not the capability is shown when doing a capability listing. - ``capability_entries: `` -- Utilizing this parameter within the payload by specifying a comma seperated list of dictionaries (with the keys given below) results in the capability's entries being set to the values provided. - ``object_type: `` - This mandatory field within each dictionary specifies the object type the capability entry refers to. - ``operation: `` - This mandatory field within each dictionary specifies the operation that applies to the object type specified previously. .. note:: When updating a custom user capability, if values for providers and capability entries are provided they will replace the current values. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"User Capability 'CustomUserCapability' has been updated" } .. raw:: html
-------------------------------------------------- Add capability entries to a custom user capability -------------------------------------------------- .. tabs:: .. tab:: CLI Issue the following command to add one or more capability entries (permissions) to a custom user capability: .. code-block:: text # robin capabilities add-capability-entries =========================== ========================================================= ``name`` Name of custom user capability to edit ``capability_entries`` Comma separated list of capability entries in the following format: ':'. =========================== ========================================================= **Example:** .. code-block:: text # robin capabilities add-capability-entries CustomUserCapability BUNDLE:view,BUNDLE:create,BUNDLE:delete One or more Capability Entries for User Capability 'CustomUserCapability' have been added .. tab:: API Adds additional capability entries to a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: add_capability_entries`` - This mandatory field within the payload specifies that capability entries will be added. - ``name: `` - This mandatory field within the payload specifies the name of the capability to be edited. - ``capability_entries: `` -- - ``object_type: `` - This mandatory field within each dictionary specifies the object type the new capability entry refers to. - ``operation: `` - This mandatory field within each dictionary specifies the operation that applies to the object type specified previously. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"One or more Capability Entries for User Capability 'CustomUserCapability' have been added" } .. raw:: html
------------------------------------------------------- Remove capability entries from a custom user capability ------------------------------------------------------- .. tabs:: .. tab:: CLI Issue the following command to remove one or more capability entries (permissions) from a custom user capability: .. code-block:: text # robin capabilities remove-capability-entries =========================== ========================================================= ``name`` Name of custom user capability to edit ``capability_entries`` Comma separated list of capability entries in the following format: ':'. =========================== ========================================================= **Example:** .. code-block:: text # robin capabilities remove-capability-entries CustomUserCapability BUNDLE:view,BUNDLE:create,BUNDLE:delete One or more Capability Entries for User Capability 'CustomUserCapability' have been removed .. tab:: API Removes capability entries from a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: remove_capability_entries`` - This mandatory field within the payload specifies that capability entries will be removed. - ``name: `` - This mandatory field within the payload specifies the name of the capability to be edited. - ``capability_entries: `` -- - ``object_type: `` - This mandatory field within each dictionary specifies the object type the capability entry refers to. - ``operation: `` - This mandatory field within each dictionary specifies the operation that applies to the aforementioned object type. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"One or more Capability Entries for User Capability 'CustomUserCapability' have been removed" } .. raw:: html
----------------------------------------- Add providers to a custom user capability ----------------------------------------- .. tabs:: .. tab:: CLI Issue the following command to add one or providers to a custom user capability: .. code-block:: text # robin capabilities add-providers =========================== ========================================================= ``name`` Name of custom user capability to edit ``providers`` Comma separated list of user capability providers to add =========================== ========================================================= **Example:** .. code-block:: text # robin capabilities add-providers CustomUserCapability CreateImages,CreateBundles One or more Providers for User Capability 'CustomUserCapability' have been added # robin capabilities list --full CustomUserCapability Group | Name | Hidden | Description -------+----------------------+--------+------------------------ Custom | CustomUserCapability | False | Custom user capability Tenant Roles: user tenantadmin superadmin Providers: ManageApplications CreateImages CreateBundles Capability Entries: APPLICATION backup APPLICATION restore .. tab:: API Adds additional provider(s) to a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: add_providers`` - This mandatory field within the payload specifies that the add providers operation is to be performed. - ``name: `` - This mandatory field within the payload specifies the name of the capability to be edited. - ``providers: `` - This mandatory field within the payload specifies a comma seperated list of provider names that should be added to the capability. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"One or more Providers for User Capability 'CustomUserCapability' have been added" } .. raw:: html
---------------------------------------------- Remove providers from a custom user capability ---------------------------------------------- .. tabs:: .. tab:: CLI Issue the following command to remove one or providers from a custom user capability: .. code-block:: text # robin capabilities remove-providers =========================== ========================================================= ``name`` Name of custom user capability to edit ``providers`` Comma separated list of user capability providers to add =========================== ========================================================= **Example:** .. code-block:: text # robin capabilities remove-providers CustomUserCapability CreateImages,CreateBundles One or more Providers for User Capability 'CustomUserCapability' have been removed .. tab:: API Removes provider(s) from a custom user capability. **End Point:** /api/v3/robin_server/user-capabilities **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: remove_providers`` - This mandatory field within the payload specifies that the remove providers operation is to be performed. - ``name: `` - This mandatory field within the payload specifies the name of the capability to be edited. - ``providers: `` - This mandatory field within the payload specifies a comma seperated list of provider names that should be removed from the capability. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"One or more Providers for User Capability 'CustomUserCapability' have been removed" } .. raw:: html
========================= Object sharing operations ========================= ------------------------- List object share options ------------------------- .. tabs:: .. tab:: CLI List the objects that can be shared with tenants/users and show operations that can be shared for each object type. .. code-block:: text # robin object-share list-options [object_type] --share-type ============================= ========================================================= ``object_type`` Object type to list operations for ``--share-type `` Object share type to filter by. Valid options are 'TENANT', 'USER' and 'ALL'. The default value is 'ALL' ============================= ========================================================= **Example:** .. code-block:: text # robin object-share list-options +-----------------+------------+------------------+ | Object Type | Share Type | Operation | +-----------------+------------+------------------+ | APPLICATION | USER | backup | | APPLICATION | USER | clone | | APPLICATION | USER | hydrate | | APPLICATION | USER | manage_instances | | APPLICATION | USER | probe | | APPLICATION | USER | restart | | APPLICATION | USER | restore | | APPLICATION | USER | rollback | | APPLICATION | USER | setsnapback | | APPLICATION | USER | scale | | APPLICATION | USER | snapshot | | APPLICATION | USER | start | | APPLICATION | USER | stop | | APPLICATION | USER | view | | BACKUP | TENANT | view | | BACKUP | TENANT | share | | BACKUP | TENANT | manage | | BACKUP | USER | view | | CLONE | USER | manage_instances | | CLONE | USER | probe | | CLONE | USER | restart | | CLONE | USER | restore | | CLONE | USER | start | | CLONE | USER | stop | | CLONE | USER | view | | K8S_APPLICATION | USER | view | | K8S_APPLICATION | USER | update | | K8S_APPLICATION | USER | start | | K8S_APPLICATION | USER | stop | | K8S_APPLICATION | USER | snapshot | | K8S_APPLICATION | USER | backup | | K8S_APPLICATION | USER | clone | | K8S_APPLICATION | USER | rollback | | K8S_APPLICATION | USER | restore | | K8S_APPLICATION | USER | hydrate | | NAMESPACE | USER | view | | NAMESPACE | USER | deploy_app | | SNAPSHOT | USER | view | | STORAGE_REPO | TENANT | view | | STORAGE_REPO | TENANT | share | | STORAGE_REPO | TENANT | manage | | STORAGE_REPO | USER | view | | STORAGE_REPO | USER | push | +-----------------+------------+------------------+ .. tab:: API Returns information about all Robin Platform users including details such as the tenants they are associated with, current namespace and current role. **End Point:** /api/v5/robin_server/users **Method:** GET **URL Parameters:** None **Data Parameters:** - ``action: get_share_options`` - This mandatory field within the payload specifies that the share options should be returned. - ``share_type: `` - This mandatory field within the payload specifies the share type by which to filter the results by. Valid options are 'TENANT', 'USER' and 'ALL'. - ``object_type: `` - Utilizing this parameter within the payload by specifying a valid object type results in only operations associated with the specified object type being returned. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "operation":"backup", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"clone", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"hydrate", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"manage_instances", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"probe", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"restart", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"restore", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"rollback", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"setsnapback", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"scale", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"snapshot", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"start", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"stop", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"view", "object_type":"APPLICATION", "share_type":"USER" }, { "operation":"view", "object_type":"BACKUP", "share_type":"TENANT" }, { "operation":"share", "object_type":"BACKUP", "share_type":"TENANT" }, { "operation":"manage", "object_type":"BACKUP", "share_type":"TENANT" }, { "operation":"view", "object_type":"BACKUP", "share_type":"USER" }, { "operation":"manage_instances", "object_type":"CLONE", "share_type":"USER" }, { "operation":"probe", "object_type":"CLONE", "share_type":"USER" }, { "operation":"restart", "object_type":"CLONE", "share_type":"USER" }, { "operation":"restore", "object_type":"CLONE", "share_type":"USER" }, { "operation":"start", "object_type":"CLONE", "share_type":"USER" }, { "operation":"stop", "object_type":"CLONE", "share_type":"USER" }, { "operation":"view", "object_type":"CLONE", "share_type":"USER" }, { "operation":"view", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"update", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"start", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"stop", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"snapshot", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"backup", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"clone", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"rollback", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"restore", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"hydrate", "object_type":"K8S_APPLICATION", "share_type":"USER" }, { "operation":"view", "object_type":"NAMESPACE", "share_type":"USER" }, { "operation":"deploy_app", "object_type":"NAMESPACE", "share_type":"USER" }, { "operation":"view", "object_type":"SNAPSHOT", "share_type":"USER" }, { "operation":"view", "object_type":"STORAGE_REPO", "share_type":"TENANT" }, { "operation":"share", "object_type":"STORAGE_REPO", "share_type":"TENANT" }, { "operation":"manage", "object_type":"STORAGE_REPO", "share_type":"TENANT" }, { "operation":"view", "object_type":"STORAGE_REPO", "share_type":"USER" }, { "operation":"push", "object_type":"STORAGE_REPO", "share_type":"USER" } ] } .. raw:: html
========================== User management operations ========================== ---------- Add a user ---------- .. tabs:: .. tab:: CLI To add a new user to the Robin Platform cluster, issue the following command: .. code-block:: text # robin user add [] --password --openshift --ldap --ldap-server --ldap-user-dn --first-name --last-name --email --namespace --import-namespace ========================================= =========================================================================================================================================================================================================================================================================================================================================================================================================================== ``username`` The user's Robin Platform cluster username. Note that this username can only contain .-_ and alphanumeric characters ``tenant`` Name of the tenant to add the user to ``tenant_role`` Role to assign to the user (superadmin, tenantadmin, user) ``user_capabilities`` Optional comma-separated list of tenant specific capabilities to assign to the user. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If no capabilities need to be granted to the user, then specify 'NoCapabilities' on the command line ``--password `` User password (for testing only) ``--openshift`` Authentication with the OpenShift auth provider ``--ldap`` Authentication with an LDAP server ``--ldap-server `` Name of LDAP server user will get authentication from ``--ldap-user-dn `` The LDAP DN to use when authenticating the user (if the user is in a non-standard location in the tree or does not conform to normal user DN conventions) ``--first-name `` First name for user being added ``--last-name `` Last name for user being added ``--email `` Email address for user being added ``--namespace `` The primary namespace to assign to a user when adding them to a tenant. If no namespace is supplied for the user, then one will be created and assigned to them. If the namespace does not already exist, it will be created. If the namespace is already bound to the tenant, then its ownership will be transferred to the newly added user (along with any applications that have been deployed in this namespace) ``--import-namespace`` Import the specified Kubernetes namespace if it exists ========================================= =========================================================================================================================================================================================================================================================================================================================================================================================================================== .. note:: To view a list of all user capabilities review the section detailed `here `_. **Example 1 (Add a user to a tenant):** .. code-block:: text # robin user add user2 t1 user Password: Retype password: Successfully added user 'user2' **Example 2 (Add a user and assign them a custom primary namespace name):** .. code-block:: text # robin user add user5 t3 user --namespace user5-ns Password: Retype password: Successfully added user 'user5' # robin user list user5 ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication ---+----------+-----------+-------+---------+----------------+--------------+-------------------+---------------- 10 | user5 | | | t3 | t3 | user | user5-ns | local .. note:: The ability to add users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the **superadmin** role) have permission to do this. .. tab:: API Adds a new user to the Robin Platform cluster. **End Point:** /api/v3/robin_server/users **Method:** POST **URL Parameters:** None **Data Parameters:** - ``user_info: `` -- - ``username: `` - This mandatory field within the dictionary specifies the name of the user to be created. - ``authentication_type: `` - This mandatory field within the dictionary specifies the authentication provider for the user creation. Valid values include: 1 (Robin), 2 (LDAP), 3 (OpenShift). - ``password: `` - Utilizing this parameter within the dictionary by specifying a password string results in the aforementioned value being set as the user's password. Note this parameter is mandatory when Robin is the authorization provider. - ``first_name: `` - Utilizing this parameter within the dictionary by specifying a first name results in the aforementioned string being set as the user's first name. - ``last_name: `` - Utilizing this parameter within the dictionary by specifying a last name results in the aforementioned string being set as the user's last name. - ``email: `` - Utilizing this parameter within the dictionary by specifying an email results in the aforementioned string being set as user's email. - ``setup_tiller: true`` - Utilizing this parameter results in all the Kubernetes objects needed for Helm2 application deployment being setup upon user addition. The default value is False. - ``ldap_server: `` - Utilizing this parameter results in the specified server being used as the LDAP server the created user will get authentication from. Note this parameter is mandatory when the authentication type is LDAP and only applies in this case too. - ``ldap_user_dn: `` - Utilizing this parameter results in the specified DN being used as the LDAP DN to use when authenticating the user. Note this parameter only applies when the authentication type is LDAP. - ``tenant_list: `` -- - ``tenant: `` - This mandatory field within the dictionary specifies the name of the tenant the newly created user will be added to. - ``tenant_role: `` - This mandatory field within the dictionary specifies the role of the newly created user within the specified tenant. Valid values include: 'superadmin', 'tenantadmin', and 'user'. - ``user_capabilities: `` - Utilizing this parameter, by specifying a comma separated list of capabilities, results in the aforementioned capabilities being assigned to the newly created user. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If no capabilities need to be granted to the user, then specify a list containing 'NoCapabilities'. - ``namespace_name: `` - Utilizing this parameter, by specifying a namespace name, results in the respective namespace being assigned as the primary namespace for the newly created user. If no namespace is supplied for the user, then one will be created and assigned to them. If the namespace does not already exist, it will be created. If the namespace is already bound to the tenant, then its ownership will be transferred to the newly added user (along with any applications that have been deployed in this namespace). - ``import_namespace: true`` - Utilizing this parameter results in the specified namespace being imported if it exists. .. note:: To view a list of all user capabilities review the section detailed `here `_. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error), 409 (Duplicate Resource Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Successfully added user 'user1'\n" } .. raw:: html
------------- Update a user ------------- .. tabs:: .. tab:: CLI To update a Robin Platform user's attributes, issue the following command: .. code-block:: text # robin user update --password, -p --first-name --last-name --email ============================= ========================================================= ``username`` The username for the Robin Platform user to update attributes for ``--password, -p`` Change a user's password ``--first-name `` First name for user being added ``--last-name `` Last name for user being added ``--email `` Email address for user being added ============================= ========================================================= **Example:** .. code-block:: text # robin user update u1 --first-name demo-user Successfully updated user u1 .. note:: The ability to update users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the **superadmin** role) have permission to do so. .. tab:: API Updates a Robin Platform user's attributes. **End Point:** /api/v3/robin_server/users/ **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: update`` - This mandatory field within the payload specifies that the update operation is to be performed. - ``user_info: `` -- - ``password: `` - Utilizing this parameter within the dictionary by specifying a new password results in the user's password being changed to the given value. - ``first_name: `` - Utilizing this parameter within the dictionary by specifying a first name results in the user's first name being changed to the given value. - ``last_name: `` - Utilizing this parameter within the dictionary by specifying a last name results in the user's last name being changed to the given value. - ``email: `` - Utilizing this parameter within the dictionary by specifying an email results in the user's email being changed to the given value. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Successfully updated user robin\n" } .. raw:: html
------------- Remove a user ------------- .. tabs:: .. tab:: CLI To remove a Robin Platform user, issue the following command: .. code-block:: text # robin user remove [] --keep-k8s-namespaces --yes, -y ========================= ========================================================= ``username`` Comma separated list of usernames for users being removed (can be a single username as well) ``replacement_users`` Comma separated list of replacement users. Each replacement user consists of two elements, 'tenant' and 'replacement_user', in the following format :. Ownership of all namespaces and apps owned by a user being removed from a tenant will be assigned to the replacement user for that tenant (if supplied) ``--keep-k8s-namespaces`` Don't delete a user's Kubernetes namespaces when removing them ``--yes, -y`` Do not prompt for confirmation ========================= ========================================================= **Example 1 (Remove a user):** .. code-block:: text # robin user remove user2 Are you sure you want to delete [y/n] ? y Deleted user user2. **Example 2 (Remove a user and reassign ownership of their primary namespace to another user):** .. code-block:: text # robin user list user5 ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication ---+----------+-----------+-------+---------+----------------+--------------+-------------------+---------------- 10 | user5 | | | t3 | t3 | user | user5-ns | local # robin user remove user5 t3:admin3 -y Deleted user user5. # robin namespace list --tenant t3 +--------------+--------------+-------------------+ | Name | Owner/Tenant | Primary Namespace | +--------------+--------------+-------------------+ | t004-u000011 | admin3/t3 | True | | user5-ns | admin3/t3 | False | +--------------+--------------+-------------------+ **Example 3: Remove a user and leave their Kubernetes namespaces in place** .. code-block:: text # robin namespace list --username user6 +-------------+--------------+-------------------+ | Name | Owner/Tenant | Primary Namespace | +-------------+--------------+-------------------+ | user6-t3-ns | user6/t3 | True | +-------------+--------------+-------------------+ # robin user remove user6 --keep-k8s-namespaces -y Deleted user user6. # kubectl get namespace user6-t3-ns NAME STATUS AGE user6-t2-ns Active 89m .. note:: The ability to remove users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the **superadmin** role) have permission to do so. The last local user assigned the **superadmin** role cannot be removed from the system. .. tab:: API Removes a Robin Platform user. **End Point:** /api/v3/robin_server/users **Method:** DELETE **URL Parameters:** None **Data Parameters:** - ``username: `` - This mandatory field within the payload specifies the name of ther user to be deleted. - ``delete_namespaces: false`` - Utilizing this paremeter within the payload results in the user's Kubernetes namespace not being deleted even when they are removed. The default value is True. - ``replacement_users: `` -- - ``tenant: `` - This mandatory field within the dictionary specifies the tenant in which to replace the user being removed. Note they have to be part of this tenant already. - ``replacement_user: `` - This mandatory field within the dictionary specifies the username of the user to replace the one being removed within the aforementioned tenant. .. Note:: The ``replacement_users`` field is not mandatory. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Deleted user user2.\n\n" } .. raw:: html
---------- List users ---------- .. tabs:: .. tab:: CLI To list information about Robin Platform users, issue the following command: .. code-block:: text # robin user list [] --all, -a --full --permissions ============================ ========================================================= ``username`` The username of the Robin Platform user to display information for ``--all, -a`` List all users including hidden, disabled, and deleted users ``--full`` Display additional information about each user (e.g., access permissions) ``--permissions`` List individual user permissions ============================ ========================================================= **Example:** .. code-block:: text # robin user list ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication ---+----------+---------------+-------+----------------+----------------+--------------+-------------------+---------------- 3 | robin | Robin Systems | | Administrators | Administrators | superadmin | t001-u000003 | local 4 | admin1 | | | t1 | t1 | tenantadmin | t003-u000004 | local 5 | user1 | | | t1 | t1 | user | t003-u000005 | local 6 | user2 | | | t1 | t1 | user | t003-u000006 | local .. note:: The ability to list users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the **superadmin** role) have permission to do so. .. tab:: API Returns information about all Robin Platform users including details such as the tenants they are associated with, current namespace and current role. **End Point:** /api/v5/robin_server/users **Method:** GET **URL Parameters:** - ``disabled=true`` : Utilizing this parameter results in disabled users also being returned alongside normal users. - ``hidden=true`` : Utilizing this parameter results in hidden users also being returned alongside normal users. - ``deleted=true`` : Utilizing this parameter results in deleted users also being returned alongside normal users. **Data Parameters:** None **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "first_name":"Robin", "user_context":"robin", "tenant":"Administrators", "username":"robin", "user_context_id":3, "tenant_id":1, "permissions":{ }, "ldap_server_ref":null, "tenants":[ { "user_capabilities":[ "AllSuperAdminCapabilities" ], "tenant_role":"superadmin", "name":"Administrators" } ], "authentication":"local", "hidden":false, "user_id":3, "email":null, "last_name":"Systems", "user_contexts":[ { "user_credential_ref":3, "tenant_ref":1, "tenant":"Administrators", "user_credential":"", "name":"robin", "user_ref":3, "username":"robin", "namespace":"t001-u000003", "id":3, "context_type":"ROBIN_CONTEXT" } ], "current_role":"superadmin", "deleted":false }, { "first_name":null, "user_context":"user3", "tenant":"t3", "username":"user3", "user_context_id":5, "tenant_id":3, "permissions":{ }, "ldap_server_ref":null, "tenants":[ { "user_capabilities":[ "ViewApplications", "CreateApplications", "SnapshotApplications", "BackupApplications", "CloneApplications", "DeleteApplications", "ViewSystem", "ViewK8sApplications", "ManageK8sApplications", "ViewImages", "CreateImages", "ViewBundles", "CreateBundles", "ViewInstances", "ManageInstances", "ViewDocker", "ViewNetworking", "ViewResourcePools", "ViewTags", "ViewResourceGroups", "ViewChargeback", "ViewConfig", "ViewFileCollections", "ViewNodes", "ViewEvents", "ViewJobs", "ViewZones", "ViewWorkflow", "ViewStorageArray", "ViewStorageRepos", "UseStorageRepos", "ViewNFSExports", "ViewTiller", "DownloadFiles", "ViewK8sUserAuth", "ViewNamespaces", "UseNamespaces", "ManageNamespaces", "ViewUserAuth", "CreateBackups", "DeleteBackups", "PurgeBackups", "ManageApplications", "ViewBackups" ], "tenant_role":"user", "name":"t3" } ], "authentication":"local", "hidden":false, "user_id":4, "email":null, "last_name":null, "user_contexts":[ { "user_credential_ref":5, "tenant_ref":3, "tenant":"t3", "user_credential":"robin", "name":"user3", "user_ref":4, "username":"user3", "namespace":"t003-u000004", "id":5, "context_type":"ROBIN_CONTEXT" } ], "current_role":"user", "deleted":false }, { "first_name":null, "user_context":"user5", "tenant":"t4", "username":"user5", "user_context_id":6, "tenant_id":6, "permissions":{ }, "ldap_server_ref":null, "tenants":[ { "user_capabilities":[ "ViewApplications", "CreateApplications", "SnapshotApplications", "BackupApplications", "CloneApplications", "DeleteApplications", "ViewSystem", "ViewK8sApplications", "ManageK8sApplications", "ViewImages", "CreateImages", "ViewBundles", "CreateBundles", "ViewInstances", "ManageInstances", "ViewDocker", "ViewNetworking", "ViewResourcePools", "ViewTags", "ViewResourceGroups", "ViewChargeback", "ViewConfig", "ViewFileCollections", "ViewNodes", "ViewEvents", "ViewJobs", "ViewZones", "ViewWorkflow", "ViewStorageArray", "ViewStorageRepos", "UseStorageRepos", "ViewNFSExports", "ViewTiller", "DownloadFiles", "ViewK8sUserAuth", "ViewNamespaces", "UseNamespaces", "ManageNamespaces", "ViewUserAuth", "CreateBackups", "DeleteBackups", "PurgeBackups", "ManageApplications", "ViewBackups" ], "tenant_role":"user", "name":"t4" } ], "authentication":"local", "hidden":false, "user_id":5, "email":null, "last_name":null, "user_contexts":[ { "user_credential_ref":6, "tenant_ref":6, "tenant":"t4", "user_credential":"user5", "name":"user5", "user_ref":5, "username":"user5", "namespace":"t006-u000005", "id":6, "context_type":"ROBIN_CONTEXT" } ], "current_role":"user", "deleted":false }, { "first_name":null, "user_context":"user6", "tenant":"t5", "username":"user6", "user_context_id":7, "tenant_id":7, "permissions":{ }, "ldap_server_ref":null, "tenants":[ { "user_capabilities":[ "ViewApplications", "CreateApplications", "SnapshotApplications", "BackupApplications", "CloneApplications", "DeleteApplications", "ViewSystem", "ViewK8sApplications", "ManageK8sApplications", "ViewImages", "CreateImages", "ViewBundles", "CreateBundles", "ViewInstances", "ManageInstances", "ViewDocker", "ViewNetworking", "ViewResourcePools", "ViewTags", "ViewResourceGroups", "ViewChargeback", "ViewConfig", "ViewFileCollections", "ViewNodes", "ViewEvents", "ViewJobs", "ViewZones", "ViewWorkflow", "ViewStorageArray", "ViewStorageRepos", "UseStorageRepos", "ViewNFSExports", "ViewTiller", "DownloadFiles", "ViewK8sUserAuth", "ViewNamespaces", "UseNamespaces", "ManageNamespaces", "ViewUserAuth", "CreateBackups", "DeleteBackups", "PurgeBackups", "ManageApplications", "ViewBackups" ], "tenant_role":"user", "name":"t5" } ], "authentication":"local", "hidden":false, "user_id":6, "email":null, "last_name":null, "user_contexts":[ { "user_credential_ref":7, "tenant_ref":7, "tenant":"t5", "user_credential":"user6", "name":"user6", "user_ref":6, "username":"user6", "namespace":"t007-u000006", "id":7, "context_type":"ROBIN_CONTEXT" } ], "current_role":"user", "deleted":false } ] } .. raw:: html
---------- User login ---------- .. tabs:: .. tab:: CLI Run the following command to initiate a Robin Platform cluster login session: .. code-block:: text # robin login --password --tenant --namespace ============================ =================================================================== ``username`` The username for the user logging into the Robin Platform cluster ``--password `` User password (for testing only) ``--tenant `` Name of tenant the user will be logged into (default is the same tenant from previous login) ``--namespace `` Change the current namespace for the user who is logging in. Note that only the user's assigned namespace for the tenant they are logging into will be accepted at this time ============================ =================================================================== **Example:** .. code-block:: text # robin login robin --password Robin123 --tenant Administrators User robin is logged into Administrators tenant .. tab:: API Logs a user into a tenant. **End Point:** /api/v3/robin_server/login **Method:** POST **URL Parameters:** None **Data Parameters:** - ``username: `` - This mandatory field within the payload specifies the username of the user to login as. - ``password: `` - This mandatory field within the payload specifies the password of the user to login as. - ``tenant: `` - Utilizing this parameter by specifying a tenant name results in the user being logged into the aforementioned tenant. If not specified the tenant from the previous login will be used. - ``namespace: `` - Utilizing this parameter by specifying a namespace results in the user's current namespace changing to the aforementioned namespace. Note that only the user's assigned namespace for the tenant they are logging into will be accepted at this time. **Port:** RCM Port (default value is 29442) **Headers:** None **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "token_timestamp":1599752493, "tenant":"Administrators", "staas":false, "token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTk3NTI0OTMsInVzZXJfaWQiOjMsInRlbmFudF9pZCI6MX0.vqxRGk-2ZHsXJH6Na9TSITP8qx2LklDWVcCBIyb5igY", "zoneid":1595331866, "role":"superadmin", "tenants":[ "Administrators" ], "namespace":"t001-u000003" } .. raw:: html
------------------------------ Change current user's password ------------------------------ .. tabs:: .. tab:: CLI To change the password for the current Robin Platform user, issue the following command: .. code-block:: text # robin password change **Example:** .. code-block:: text # robin password change Password: Retype password: Password for current user has been updated .. tab:: API Changes the password for the current Robin Platform user. **End Point:** /api/v3/robin_server/login **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: change_password`` - This mandatory field within the payload specifies that the change password operation is to be performed. - ``password: `` - This mandatory field within the payload specifies the new password for the current user. **Port:** RCM Port (default value is 29442) **Headers:** None **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTk3NTk1MTAsInVzZXJfaWQiOjMsInRlbmFudF9pZCI6MX0.t9jTYJgTnGYdedmL67ql9ETl-rcjmUFvK64bPE_Z5_g" } .. raw:: html
---------------------------- User Certificate Management ---------------------------- Robin CNP automatically generates a TLS certificate for all the users added to the Robin CNP cluster. It enables you to manage these user certificates using a scheduler for user certificates and configuration settings. The user certificate is by default valid for one year from the date of user addition, and it will automatically renew if the certificate is going to expire, depending on the set configuration and scheduler status. You can modify the user certificate configuration as per your requirements. In the user certificate configuration, you can define the minimum and maximum validity of a certificate. The minimum validity is one day, and the maximum is one year. The default validity is one year. The configuration also checks the validity of the certificates and automatically renews them as per the scheduler and renewal offset. Robin CNP has a scheduler to check the validity of the user certificates, and the scheduler runs as per the set intervals and enables the automatic renewal of user certificates. By default, the scheduler is enabled, and it runs once in every twenty four hours. You can stop the scheduler as per your requirements. .. Note:: When the scheduler is stopped, if any user certificates are due for renewal, they will not get renewed automatically. However, when you restart the scheduler, it will renew the expired certificates. Checking Users Certificate Status ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can check the status of Robin users certificate by using the ``robin user-cert check`` command. The output provides the following details: - **Cert Lifespan**: User certificate lifespan as per configuration - **Renewal Offset**: User certificate renewal offset - Number of secs/minutes/hours/days/weeks/months/1year (configured and displayed in seconds) before which the scheduler reminds and automatically renews the certificate. - **Check Interval**: The duration when the scheduler runs automatically to check validity of the certificate - **Schedule Enabled:**: True/False .. tabs:: .. tab:: CLI Run the following command to check status of users certificates: .. code-block:: text # robin user-cert check **Example** .. code-block:: text # robin user-cert check Cert Lifespan: 31536000 (1 year) Renewal Offset: 1209600 (14 days) Check Interval: 86400 (1 day) Schedule Enabled: False ---------------------------------------------------------------------------------- NAME | USERNAME | VALID | EXPIRES ---------------------------------+-----------------+-------+----------------------- user-credentials-csi | csi | True | Feb 28, 2025 07:05:54 user-credentials-einstein | einstein | True | Feb 28, 2025 07:06:00 user-credentials-euclid | euclid | True | Feb 28, 2025 07:06:06 user-credentials-euler | euler | True | Feb 28, 2025 07:06:11 user-credentials-galieleo | galieleo | True | Feb 28, 2025 07:06:17 user-credentials-gauss | gauss | True | Feb 28, 2025 07:06:23 You can renew a user certificate offset period, renew all certificates for all users when required, and perform a dry run to verify the renewal process. Renewing User Certificate ^^^^^^^^^^^^^^^^^^^^^^^^^^ When you need to renew user certificates for all users, you can use ``--renew-all-certs``. Using the renewal offset option, you can set a time for automatic renewal of the certificate before its expiration date. It can be in seconds, minutes, hours, days, or weeks. The minimum period of time you can set for automatic renewal is 7 days, and the maximum is one year. Also, you can test the automatic renewal setting using the ``--dry-run``. .. tabs:: .. tab:: CLI Run the following command to renew user certificates: .. code-block:: text # robin user-cert renew --renew-all-certs --renewal-offset --dry-run ======================================= =================================================================== ``--renew-all-certs`` Force the renewal of all user certificates. ``--renewal-offset `` Minimum number of seconds prior to actual certificate expiration when certificate renewal is triggered. The renewal_offset can be specified as seconds, minutes, hours, days, or weeks (e.g., '36000', '600s', '10m', '24h', '7d'. or '1w'). The minimum renewal_offset value allowed is 604800 seconds (7 days) and the maximum value allowed is 31536000 seconds (1 year). ``--dry-run`` Perform a dry run without actually triggering a certificate renewal. ======================================= =================================================================== **Example: Renew all certificates** .. code-block:: text # robin user-cert renew --renew-all-certs User cert renewal request sent. This might take a while... Valid user certs: 0 Renewed user certs: 10 Messages: Forced renewal of all user certs - Renewing certificate 'user-credentials-csi' - Renewing certificate 'user-credentials-einstein' - Renewing certificate 'user-credentials-euclid' - Renewing certificate 'user-credentials-euler' - Renewing certificate 'user-credentials-galieleo' - Renewing certificate 'user-credentials-gauss' - Renewing certificate 'user-credentials-metrics-collect' - Renewing certificate 'user-credentials-newton' - Renewing certificate 'user-credentials-peer' - Renewing certificate 'user-credentials-robin' **Example: Renew the user certificate renewal offset** .. code-block:: text # robin user-cert renew --renewal-offset 7d User cert renewal request sent. This might take a while... Valid user certs: 10 Renewed user certs: 0 Messages: Renewing user certs with renewal_offset=604800 Cert 'user-credentials-csi' is valid Cert 'user-credentials-einstein' is valid Cert 'user-credentials-euclid' is valid Cert 'user-credentials-euler' is valid Cert 'user-credentials-galieleo' is valid Cert 'user-credentials-gauss' is valid Cert 'user-credentials-metrics-collect' is valid Cert 'user-credentials-newton' is valid Cert 'user-credentials-peer' is valid Cert 'user-credentials-robin' is valid **Example: Dry run** .. code-block:: text # robin user-cert renew --dry-run Valid user certs: 3 Renewed user certs: 4 Messages: Renewing user certs with renewal_offset=1123200 (dry_run) Cert 'user-credentials-csi' is valid Cert 'user-credentials-metrics-collect' is valid Cert 'user-credentials-peer' is valid Cert 'user-credentials-robin' has a 'not_after' date that is before the current date (minus renewal_offset) - Renewing certificate 'user-credentials-robin' Cert 'user-credentials-sachin-1' has a 'not_after' date that is before the current date (minus renewal_offset) - Renewing certificate 'user-credentials-sachin-1' Cert 'user-credentials-sachin-10' has a 'not_after' date that is before the current date (minus renewal_offset) - Renewing certificate 'user-credentials-sachin-10' Cert 'user-credentials-sachin-11' has a 'not_after' date that is before the current date (minus renewal_offset) - Renewing certificate 'user-credentials-sachin-11' Modifying User Certificate Configuration ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ User certificate management settings are configurable using the update-config CLI option. You can configure the following parameters: - **Cert Lifespan**: Configure the life span of the user certificate. You can set life span in seconds, minutes, hours, days, and one year for which the user certificate will be valid. The minimum life span that you can set for one day in seconds is 86400 seconds (1 day). - **Check-interval**: Configure the time interval to check the validity of user certificate. The minimum ``check-interval`` value allowed is 60 seconds (60 seconds). The maximum check_interval value allowed is 2592000 seconds (30 days). It is the time interval between two checks. You can set the check interval in raw seconds, seconds, minutes, hours, or days. - **Renewal offset**: Configure the minimum time prior to actual certificate expiration when certificate renewal will be triggered. You can specify renewal offset using the –renewal_offset option. You can be specify in seconds, minutes, hours, days, or weeks (e.g., '36000', '600s', '10m', '24h', '7d'. or '1w'). The minimum renewal_offset value allowed is 604800 seconds (7 days) and the maximum value allowed is 31536000 seconds (1 year). .. tabs:: .. tab:: CLI .. code-block:: text # robin user-cert update-config --defaults --cert-lifespan --check-interval --renewal-offset ======================================= =================================================================== ``--defaults`` Reset user certificate attributes to default values. ``--cert-lifespan `` Amount of time, in seconds, that a user certificate will be valid. The minimum lifespan value allowed is 86400 seconds (1 day). The maximum lifespan value allowed is 31536000 seconds (1 year) (the default value if not specified). The cert_lifespan value can be specified as raw seconds, seconds, minutes, hours, days, or years (e.g., '43200', '43200s', '1440m', '24h', '7d', or '1y'). ``--check-interval `` Number of seconds between each user cert renewal check. The minimum check_interval value allowed is 60 seconds (60 seconds). The maximum check_interval value allowed is 2592000 seconds (30 days). The check_interval value can be specified as raw seconds, seconds, minutes, hours, or days. ``--renewal-offset `` Minimum number of seconds prior to actual certificate expiration when certificate renewal is triggered. The renewal_offset can be specified as seconds, minutes, hours, days, or weeks (e.g., '36000', '600s', '10m', '24h', '7d'. or '1w'). The minimum renewal_offset value allowed is 604800 seconds (7 days) and the maximum value allowed is 31536000 seconds (1 year). ======================================= =================================================================== **Example: Reset user certificate values to default** .. code-block:: text # robin user-cert update --defaults Cert Lifespan: 31536000 (1 year) Renewal Offset: 1209600 (14 days) Check Interval: 86400 (1 day) Schedule Enabled: True Update Steps: -- Updating user certificate attributes to default values -- Using input cert_lifespan value (31536000) -- Updating cert_lifespan config value to '31536000' -- Using input check_interval value (86400) -- Updating check_interval config value to '86400' -- Using input renewal_offset value (1209600) **Example: Update lifespan of the certificate** .. code-block:: text # robin user-cert update --cert-lifespan 10d Cert Lifespan: 864000 (10 days) Renewal Offset: 1209600 (14 days) Check Interval: 86400 (1 day) Schedule Enabled: True Update Steps: -- Using input cert_lifespan value (864000) -- Updating cert_lifespan config value to '864000' -- Using current check_interval value (86400) -- Using current renewal_offset value (1209600) **Example : Update renewal offset** .. code-block:: text # robin user-cert update --renewal-offset 13d Cert Lifespan: 864000 (10 days) Renewal Offset: 1123200 (13 days) Check Interval: 172800 (2 days) Schedule Enabled: True Update Steps: -- Using current cert_lifespan value (864000) -- Using current check_interval value (172800) -- Using input renewal_offset value (1123200) -- Updating renewal_offset config value to '1123200' Stopping User Certificate Schedule ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can stop the user certificate schedule when you need to stop the renewal of the certificates and you do not want CNP to check for the validity of the user certificate. .. Note:: When the scheduler is stopped, if any user certificates are due for renewal, they will not get renewed automatically. However, when you restart the scheduler, it will renew the expired certificates. .. tabs:: .. tab:: CLI Run the following command to stop: .. code-block:: text # robin user-cert stop-schedule **Example** .. code-block:: text # robin user-cert stop-schedule User certificate renewal schedule stopped # robin user-cert check | grep -A4 Life Cert Lifespan: 259200 (3 days) Renewal Offset: 6912000 (80 days) Check Interval: 64800 (18 hours) Schedule Enabled: False Starting User Certificate Schedule ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You can restart the stopped scheduler to restart the renewal of the validity of the user certificates. .. tabs:: .. tab:: CLI Run the following command to start: .. code-block:: text # robin user-cert start-schedule **Example** .. code-block:: text # robin user-cert start-schedule User certificate renewal schedule started # robin schedule list | grep UserCertificate UserCertificate | renew_user_certs_cb | 64800 | 4s back | - | Yes | In 17h | - | - | 0.00s | 0.00s | # robin user-cert check | grep -A4 Life Cert Lifespan: 259200 (3 days) Renewal Offset: 6912000 (80 days) Check Interval: 64800 (18 hours) Schedule Enabled: True ========================== LDAP management operations ========================== ------------------ Add an LDAP server ------------------ .. tabs:: .. tab:: CLI Run the following command to add an LDAP server: .. code-block:: text # robin ldap add-server --user-base --group-base --netbios --password ============================= ========================================================= ``name`` Name to assign to the LDAP server ``hostname`` Hostname of the LDAP server ``port`` Port number of the LDAP server ``server_type`` Type of LDAP server. Valid choices are ``OPEN_LDAP`` and ``ACTIVE_DIRECTORY`` ``username`` Username of the user with LDAP server access rights (read permissions minimum) ``search_base`` LDAP search base. For example, ``dc=example,dc=com`` (can also be specified as a domain name, such as 'example.com') ``--user-base `` Base DN to use when searching for users and when constructing a user's dn ``--group-base `` Base DN to use when searching for groups and when constructing a group's dn ``--netbios `` NetBIOS name to use when authenticating users (required when server type is ACTIVE_DIRECTORY) ``--password `` Password for supplied username (for testing only) ============================= ========================================================= **Example 1 (Add an Active Directory LDAP server):** .. code-block:: text # robin ldap add-server ad1 10.9.53.5 389 ACTIVE_DIRECTORY administrator mydomain.com --netbios mydomain Password: Retype password: Successfully added ldap server 'ad1' **Example 2 (Add an Open LDAP server):** .. code-block:: text # robin ldap add-server ldap1 ldap.forumsys.com 389 OPEN_LDAP cn=read-only-admin,dc=example,dc=com dc=example,dc=com Password: Retype password: Successfully added ldap server 'ldap1' .. tab:: API Adds a LDAP server to the Robin cluster. **End Point:** /api/v3/robin_server/ldap-servers/ **Method:** POST **URL Parameters:** None **Data Parameters:** - ``name: `` - This mandatory field within the payload specifies the name to assign to the LDAP server. - ``hostname: `` - This mandatory field within the payload specifies the hostname of the LDAP server. - ``port: `` - This mandatory field within the payload specifies the integer value of the respective port for the LDAP server. - ``server_type: `` - This mandatory field within the payload specifies the type of LDAP server. Valid choices are 'OPEN_LDAP' and 'ACTIVE_DIRECTORY'. - ``username: `` - This mandatory field within the payload specifies the username of the user with LDAP server access rights. Note read permissions are needed at a minimum. - ``password: `` - This mandatory field within the payload specifies the password for the supplied username. - ``search_base: `` - This mandatory field within the payload specifies the LDAP search base. An example would be 'dc=example,dc=com'. Note this value can also be specified as a domain name, such as 'example.com'. - ``user_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in the aforementioned Base DN being used when searching for users and when constructing a user's dn. - ``group_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in the aforementioned Base DN being used when searching for groups and when constructing a group's dn. - ``netbios: `` - Utilizing this parameter within the payload by specifying the name of a NetBIOS, results in the aforementioned NetBIOS being used when authenticating users. Note this parameter is mandatory when the server type is ``ACTIVE_DIRECTORY``. **Port:** RCM Port (default value is 29442) **Headers:** None **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error), 404 (Not Found Error), 400 (Invalid API Usage Error), 409 (Duplicate Resource Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Successfully added ldap server 'ldap1'" } .. raw:: html
--------------------- Remove an LDAP server --------------------- .. tabs:: .. tab:: CLI Run the following command to remove an LDAP server: .. code-block:: text # robin ldap remove-server --yes ========================== ========================================================= ``name`` Name of LDAP server to remove ``--yes`` Do not prompt for confirmation ========================== ========================================================= **Example:** .. code-block:: text # robin ldap remove-server ldap1 Are you sure you want to delete [y/n] ? y Successfully removed ldap server 'ldap1' .. tab:: API Removes a LDAP server from the Robin cluster. **End Point:** /api/v3/robin_server/ldap-servers/ **Method:** DELETE **URL Parameters:** None **Data Parameters:** None **Port:** RCM Port (default value is 29442) **Headers:** None **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 401 (Unauthorized Error), 404 (Not Found Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Successfully removed ldap server 'ldap1'" } .. raw:: html
----------------- List LDAP servers ----------------- .. tabs:: .. tab:: CLI In order to list all the LDAP servers registered with the Robin cluster alongside details such as hostname, port and search base, issue the following command: .. code-block:: text # robin ldap list-servers ================== =============================================================================================================== ``name`` Name to use when referencing the LDAP server. If no name is provided then all LDAP servers will be displayed ================== =============================================================================================================== **Example:** .. code-block:: text # robin ldap list-servers Name | Server Type | Hostname | Port | Username | Search Base | User Base | Group Base | NetBIOS ------+------------------+-------------------+------+--------------------------------------+------------------------+-----------+------------+-------------- ad1 | ACTIVE_DIRECTORY | 10.9.53.5 | 389 | administrator | dc=robinsystems,dc=com | | | ROBINSYSTEMS ldap1 | OPEN_LDAP | ldap.forumsys.com | 389 | cn=read-only-admin,dc=example,dc=com | dc=example,dc=com | | | .. tab:: API Lists all the LDAP servers registered with the Robin cluster alongside details such as hostname, port and search base. **End Point:** /api/v3/robin_server/ldap-servers/ **Method:** GET **URL Parameters:** None **Data Parameters:** None **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "name":"ldap1", "netbios":null, "username":"cn=read-only-admin,dc=example,dc=com", "port":389, "hostname":"ldap.forumsys.com", "password":"", "id":1, "search_base":"dc=example,dc=com", "user_base":null, "group_base":null, "server_type":"OPEN_LDAP" } ] } .. raw:: html
---------------- List LDAP groups ---------------- .. tabs:: .. tab:: CLI In order to list groups within a LDAP server registered with the Robin cluster alongside the members it contains, issue the following command: .. code-block:: text # robin ldap list-groups [] --search-base --ldap-filter --raw --json =============================== ================================================================================================================================================================================== ``ldap_server_name`` Name of LDAP server to query for group info. ``groups`` Comma separated list of LDAP group names. If no group names are provided then all LDAP groups will be displayed. Note: listing of all groups can take a long time to complete ``--search-base `` Base DN for the LDAP group search ``--ldap-filter `` LDAP filter that gets added to the base level group query filter. This option is not valid when group names are supplied on the command line ``--raw`` Return records in raw LDAP format ``--json`` Output in JSON =============================== ================================================================================================================================================================================== **Example:** .. code-block:: text # robin ldap list-groups ldap1 Name | Members ---------------+----------------------------------------------- Mathematicians | euclid,riemann,euler,gauss,test Scientists | einstein,galileo,tesla,newton,training,jmacy Italians | volta Chemists | curie,boyle,nobel,pasteur .. tab:: API Lists groups within a LDAP server registered with the Robin cluster alongside the members it contains. **End Point:** /api/v3/robin_server/ldap-groups/ **Method:** GET **URL Parameters:** None **Data Parameters:** - ``ldap_server_name: `` - This mandatory field within the payload specifies the name of the LDAP server from which to retrieve groups. - ``groups: `` - Utilizing this parameter within the payload by specifying a list of comma seperated group names, results in only information about the given groups being returned. - ``ldap_filter: `` - Utilizing this parameter within the payload by specifying a string representing a LDAP filter, results in the aforementioned filter being added to the base level group query filter. Note this option is not valid if the ``groups`` is also utilized. - ``search_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in it being used as the Base DN for the LDAP group search. - ``raw: true`` - Utilizing this parameter within the payload results in the user records being returned in raw LDAP format. The default value is False. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "name":"Mathematicians", "members":[ [ "user", { "username":"euclid", "distinguished_name":"uid=euclid,dc=example,dc=com", "email_address":null, "object_sid":"ac5dc692-2f67-1033-899a-a53eb149a944", "last_name":"Euclid", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"riemann", "distinguished_name":"uid=riemann,dc=example,dc=com", "email_address":null, "object_sid":"8bd472ea-2f67-1033-8998-a53eb149a944", "last_name":"Riemann", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"euler", "distinguished_name":"uid=euler,dc=example,dc=com", "email_address":null, "object_sid":"2bd3195a-2f67-1033-8994-a53eb149a944", "last_name":"Euler", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"gauss", "distinguished_name":"uid=gauss,dc=example,dc=com", "email_address":null, "object_sid":"629ab718-2f67-1033-8996-a53eb149a944", "last_name":"Gauss", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"test", "distinguished_name":"uid=test,dc=example,dc=com", "email_address":null, "object_sid":"1df9dada-bbe4-1033-8a53-8fb78330d80a", "last_name":"Test", "first_name":"Test", "user_principal_name":null, "display_name":"Test" } ] ] }, { "name":"Scientists", "members":[ [ "user", { "username":"einstein", "distinguished_name":"uid=einstein,dc=example,dc=com", "email_address":null, "object_sid":"29f6dc28-2f64-1033-898b-a53eb149a944", "last_name":"Einstein", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"galieleo", "distinguished_name":"uid=galieleo,dc=example,dc=com", "email_address":null, "object_sid":"b9c53cb4-2f64-1033-898f-a53eb149a944", "last_name":"Galilei", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"tesla", "distinguished_name":"uid=tesla,dc=example,dc=com", "email_address":null, "object_sid":"751b0a76-2f64-1033-898d-a53eb149a944", "last_name":"Tesla", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"newton", "distinguished_name":"uid=newton,dc=example,dc=com", "email_address":null, "object_sid":"050ce4de-2f64-1033-8989-a53eb149a944", "last_name":"Newton", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"training", "distinguished_name":"uid=training,dc=example,dc=com", "email_address":null, "object_sid":"32a324bc-93e3-1036-80e6-176a7c6d2b5d", "last_name":"training", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"jmacy", "distinguished_name":"uid=jmacy,dc=example,dc=com", "email_address":null, "object_sid":"e59260cc-05af-1037-8162-176a7c6d2b5d", "last_name":"training", "first_name":null, "user_principal_name":null, "display_name":null } ] ] }, { "name":"Italians", "members":[ [ "user", { "username":"tesla", "distinguished_name":"uid=tesla,dc=example,dc=com", "email_address":null, "object_sid":"751b0a76-2f64-1033-898d-a53eb149a944", "last_name":"Tesla", "first_name":null, "user_principal_name":null, "display_name":null } ] ] }, { "name":"Chemists", "members":[ [ "user", { "username":"curie", "distinguished_name":"uid=curie,dc=example,dc=com", "email_address":null, "object_sid":"2904419a-6b48-1034-8ad4-8fb78330d80a", "last_name":"Curie", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"boyle", "distinguished_name":"uid=boyle,dc=example,dc=com", "email_address":null, "object_sid":"6f3a5bea-6b48-1034-8ad6-8fb78330d80a", "last_name":"Boyle", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"nobel", "distinguished_name":"uid=nobel,dc=example,dc=com", "email_address":null, "object_sid":"4f351948-6b48-1034-8ad5-8fb78330d80a", "last_name":"Nobel", "first_name":null, "user_principal_name":null, "display_name":null } ], [ "user", { "username":"pasteur", "distinguished_name":"uid=pasteur,dc=example,dc=com", "email_address":null, "object_sid":"a0aa9ed8-6b48-1034-8ad7-8fb78330d80a", "last_name":"Pasteur", "first_name":null, "user_principal_name":null, "display_name":null } ] ] } ] } .. raw:: html
--------------- List LDAP users --------------- .. tabs:: .. tab:: CLI In order to list users within a LDAP server registered with the Robin cluster alongside details such as each users email address, principal name and Object SID, issue the following command: .. code-block:: text # robin ldap list-users [] --search-base --ldap-filter --raw --json =============================== ============================================================= ``ldap_server_name`` Name of LDAP server to query for user info. ``users`` Comma-separated list of LDAP user names. If no user names are provided then all LDAP users will be displayed. Note: listing all users can take a long time to complete ``--search-base `` Base DN for the LDAP user search ``--ldap-filter `` LDAP filter that gets added to the base level user query filter. Note: this option is not valid when user names are supplied on the command line ``--raw`` Return records in raw LDAP format. ``--json`` Output in JSON =============================== ============================================================= **Example:** .. code-block:: text Username | Email Address | User Principal Name | Object SID | DN ----------------+---------------+---------------------+--------------------------------------+-------------------------------------- newton | None | None | 050ce4de-2f64-1033-8989-a53eb149a944 | uid=newton,dc=example,dc=com einstein | None | None | 29f6dc28-2f64-1033-898b-a53eb149a944 | uid=einstein,dc=example,dc=com tesla | None | None | 751b0a76-2f64-1033-898d-a53eb149a944 | uid=tesla,dc=example,dc=com galieleo | None | None | b9c53cb4-2f64-1033-898f-a53eb149a944 | uid=galieleo,dc=example,dc=com euler | None | None | 2bd3195a-2f67-1033-8994-a53eb149a944 | uid=euler,dc=example,dc=com gauss | None | None | 629ab718-2f67-1033-8996-a53eb149a944 | uid=gauss,dc=example,dc=com riemann | None | None | 8bd472ea-2f67-1033-8998-a53eb149a944 | uid=riemann,dc=example,dc=com euclid | None | None | ac5dc692-2f67-1033-899a-a53eb149a944 | uid=euclid,dc=example,dc=com read-only-admin | None | None | 76117660-2f80-1033-899f-a53eb149a944 | cn=read-only-admin,dc=example,dc=com test | None | None | 1df9dada-bbe4-1033-8a53-8fb78330d80a | uid=test,dc=example,dc=com curie | None | None | 2904419a-6b48-1034-8ad4-8fb78330d80a | uid=curie,dc=example,dc=com nobel | None | None | 4f351948-6b48-1034-8ad5-8fb78330d80a | uid=nobel,dc=example,dc=com boyle | None | None | 6f3a5bea-6b48-1034-8ad6-8fb78330d80a | uid=boyle,dc=example,dc=com pasteur | None | None | a0aa9ed8-6b48-1034-8ad7-8fb78330d80a | uid=pasteur,dc=example,dc=com nogroup | None | None | 25229968-6b49-1034-8ad8-8fb78330d80a | uid=nogroup,dc=example,dc=com training | None | None | 32a324bc-93e3-1036-80e6-176a7c6d2b5d | uid=training,dc=example,dc=com jmacy | None | None | e59260cc-05af-1037-8162-176a7c6d2b5d | uid=jmacy,dc=example,dc=com .. tab:: API Lists users within a LDAP server registered with the Robin cluster alongside details such as each users email address, principal name and Object SID. **End Point:** /api/v3/robin_server/ldap-users/ **Method:** GET **URL Parameters:** None **Data Parameters:** - ``ldap_server_name: `` - This mandatory field within the payload specifies the name of the LDAP server from which to retrieve users. - ``ldap_filter: `` - Utilizing this parameter within the payload by specifying a string representing a LDAP filter, results in the aforementioned filter being added to the base level user query filter. - ``search_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in it being used as the Base DN for the LDAP user search. - ``raw: true`` - Utilizing this parameter within the payload results in the user records being returned in raw LDAP format. The default value is False. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "username":"newton", "distinguished_name":"uid=newton,dc=example,dc=com", "email_address":null, "object_sid":"050ce4de-2f64-1033-8989-a53eb149a944", "last_name":"Newton", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"einstein", "distinguished_name":"uid=einstein,dc=example,dc=com", "email_address":null, "object_sid":"29f6dc28-2f64-1033-898b-a53eb149a944", "last_name":"Einstein", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"tesla", "distinguished_name":"uid=tesla,dc=example,dc=com", "email_address":null, "object_sid":"751b0a76-2f64-1033-898d-a53eb149a944", "last_name":"Tesla", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"galieleo", "distinguished_name":"uid=galieleo,dc=example,dc=com", "email_address":null, "object_sid":"b9c53cb4-2f64-1033-898f-a53eb149a944", "last_name":"Galilei", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"euler", "distinguished_name":"uid=euler,dc=example,dc=com", "email_address":null, "object_sid":"2bd3195a-2f67-1033-8994-a53eb149a944", "last_name":"Euler", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"gauss", "distinguished_name":"uid=gauss,dc=example,dc=com", "email_address":null, "object_sid":"629ab718-2f67-1033-8996-a53eb149a944", "last_name":"Gauss", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"riemann", "distinguished_name":"uid=riemann,dc=example,dc=com", "email_address":null, "object_sid":"8bd472ea-2f67-1033-8998-a53eb149a944", "last_name":"Riemann", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"euclid", "distinguished_name":"uid=euclid,dc=example,dc=com", "email_address":null, "object_sid":"ac5dc692-2f67-1033-899a-a53eb149a944", "last_name":"Euclid", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"read-only-admin", "distinguished_name":"cn=read-only-admin,dc=example,dc=com", "email_address":null, "object_sid":"76117660-2f80-1033-899f-a53eb149a944", "last_name":"Read Only Admin", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"test", "distinguished_name":"uid=test,dc=example,dc=com", "email_address":null, "object_sid":"1df9dada-bbe4-1033-8a53-8fb78330d80a", "last_name":"Test", "first_name":"Test", "user_principal_name":null, "display_name":"Test" }, { "username":"curie", "distinguished_name":"uid=curie,dc=example,dc=com", "email_address":null, "object_sid":"2904419a-6b48-1034-8ad4-8fb78330d80a", "last_name":"Curie", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"nobel", "distinguished_name":"uid=nobel,dc=example,dc=com", "email_address":null, "object_sid":"4f351948-6b48-1034-8ad5-8fb78330d80a", "last_name":"Nobel", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"boyle", "distinguished_name":"uid=boyle,dc=example,dc=com", "email_address":null, "object_sid":"6f3a5bea-6b48-1034-8ad6-8fb78330d80a", "last_name":"Boyle", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"pasteur", "distinguished_name":"uid=pasteur,dc=example,dc=com", "email_address":null, "object_sid":"a0aa9ed8-6b48-1034-8ad7-8fb78330d80a", "last_name":"Pasteur", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"nogroup", "distinguished_name":"uid=nogroup,dc=example,dc=com", "email_address":null, "object_sid":"25229968-6b49-1034-8ad8-8fb78330d80a", "last_name":"Group", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"training", "distinguished_name":"uid=training,dc=example,dc=com", "email_address":null, "object_sid":"32a324bc-93e3-1036-80e6-176a7c6d2b5d", "last_name":"training", "first_name":null, "user_principal_name":null, "display_name":null }, { "username":"jmacy", "distinguished_name":"uid=jmacy,dc=example,dc=com", "email_address":null, "object_sid":"e59260cc-05af-1037-8162-176a7c6d2b5d", "last_name":"training", "first_name":null, "user_principal_name":null, "display_name":null } ] } .. raw:: html
----------------- Import LDAP users ----------------- .. tabs:: .. tab:: CLI Run the following command to import one or more LDAP users: .. code-block:: text # robin ldap import-users [] --search-base =============================== ============================================================= ``ldap_server_name`` Name of LDAP server to query for user info. ``users`` Comma separated list of LDAP users to import. ``tenant`` Tenant that all imported users will be made a member of ``tenant_role`` User role for the tenant assigned to each imported user ``user_capabilities`` Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If it's desired that no capabilities be granted to the user then specify 'NoCapabilities' on the command line ``--search-base `` Base DN for the LDAP user search =============================== ============================================================= .. note:: To view a list of all user capabilities review the section detailed `here `_. **Example:** .. code-block:: text # robin ldap import-users ldap1 newton,einstein,tesla t1 user Successfully added multiple users: newton,einstein,tesla .. tab:: API Imports one or more LDAP users into the Robin cluster. **End Point:** /api/v3/robin_server/users/ **Method:** POST **URL Parameters:** None **Data Parameters:** - ``user_list: `` -- This mandatory parameter within the payload is a comma seperated list of dictionaries (with the keys given below) and results in the specified users being added. - ``username: `` - This mandatory field within each dictionary specifies the name of the user. - ``authentication_type: 2`` - This mandatory field within each dictionary specifies that the authentication type is LDAP. - ``ldap_server: `` - This mandatory field within each dictionary specifies the name of LDAP server to query for user info. - ``tenant_list: `` - This mandatory field within each dictionary is a list containing one dictionary with the keys ``tenant`` (for the tenant to place the user in) and ``tenant_role`` (for the role the user should assume within the tenant). - ``user_capabilities: `` - Utilizing this parameter within each dictionary, by specifying a comma seperated list of capabilities, results in the aforementioned capabilties being assigned to the newly added user. Note if this parameter is not used, then full capabilities for the specified role will be assigned to the user. If it's desired that no capabilities be granted to the user then specify 'NoCapabilities' within the list. - ``search_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in it being used as the Base DN for the LDAP user search. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"\nSuccessfully added multiple users: newton,einstein,tesla\n" } .. raw:: html
----------------- Import LDAP group ----------------- .. tabs:: .. tab:: CLI Run the following command to import all members of an LDAP group: .. code-block:: text # robin ldap import-group [] --exclude-users --search-base ==================================== ============================================================= ``ldap_server_name`` Name of LDAP server to query for group info. ``group`` Name of the LDAP group to import users from ``tenant`` Tenant that all imported users will be made a member of ``tenant_role`` User role for the tenant assigned to each imported user ``user_capabilities`` Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If it's desired that no capabilities be granted to the user then specify 'NoCapabilities' on the command line ``--exclude-users `` Comma separated list of users to exclude from importation ``--search-base `` Base DN for the LDAP group search ==================================== ============================================================= .. note:: To view a list of all user capabilities review the section detailed `here `_. **Example:** .. code-block:: text # robin ldap import-group ldap1 Italians t1 user Imported LDAP users: volta .. tab:: API Imports all members of an LDAP group into the Robin cluster. **End Point:** /api/v3/robin_server/ldap-groups/ **Method:** PUT **URL Parameters:** None **Data Parameters:** - ``action: import`` - This mandatory field within the payload specifies that the import action should be performed. - ``group_name: `` - This mandatory field within the payload specifies the name of the LDAP group to import users from. - ``tenant: `` - This mandatory field within the payload specifies the tenant that all imported users will be made a member of. - ``tenant_role: `` - This mandatory field within the payload specifies the user role for the tenant assigned to each imported user. - ``ldap_server: ldap_server`` - This mandatory field within the payload specifies the name of LDAP server to query for group info. - ``user_capabilities: `` - Utilizing this parameter within the payload, by specifying a comma seperated list of capabilities, results in the aforementioned capabilties being assigned to each newly added user. Note if this parameter is not used, then full capabilities for the specified role will be assigned to each user. If it's desired that no capabilities be granted to each user then specify 'NoCapabilities' within the list. - ``excluded_users: `` - Utilizing this parameter within the payload, by specifying a comma seperated list of usernames, results in the aforementioned users not being imported. - ``search_base: `` - Utilizing this parameter within the payload by specifying a string representing a Base DN, results in it being used as the Base DN for the LDAP group search. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Imported LDAP users: volta" } .. raw:: html
-------------------- List LDAP Attributes -------------------- .. tabs:: .. tab:: CLI Run the following command to list LDAP attributes: .. code-block:: text # robin ldap list-attributes --server-type --object-type =============================== ============================================================= ``--server-type `` Filter results based on LDAP server type. Valid choices are 'OPEN_LDAP' and 'ACTIVE_DIRECTORY' ``--object_type `` Filter results based on LDAP object type. Valid choices are 'user' and 'group' =============================== ============================================================= **Example 1 (List all attributes for server type OPEN_LDAP):** .. code-block:: text # robin ldap list-attributes --server-type OPEN_LDAP Server Type | Object Type | Attribute Name | Custom | Value ------------+-------------+---------------------+--------+----------------------------------------------------------- OPEN_LDAP | | distinguished_name | | entryDN OPEN_LDAP | | object_class | | objectClass OPEN_LDAP | group | class_list | | ['posixGroup', 'groupOfNames', 'groupOfUniqueNames'] OPEN_LDAP | group | distinguished_name | | entryDN OPEN_LDAP | group | group_name | | cn OPEN_LDAP | group | members | | ['uniqueMember', 'member'] OPEN_LDAP | group | object_class | | objectClass OPEN_LDAP | group | object_sid | | objectSid OPEN_LDAP | user | class_list | | ['posixAccount', 'inetOrgPerson', 'organizationalPerson'] OPEN_LDAP | user | display_name | | displayName OPEN_LDAP | user | distinguished_name | | entryDN OPEN_LDAP | user | email_address | | emailAddress OPEN_LDAP | user | first_name | | givenName OPEN_LDAP | user | last_name | | sn OPEN_LDAP | user | object_class | | objectClass OPEN_LDAP | user | object_sid | | entryUUID OPEN_LDAP | user | user_principal_name | | userPrincipalName OPEN_LDAP | user | username | | ['uid', 'cn'] .. tab:: API Lists attributes for LDAP servers alongside their associated values, object type and server type. **End Point:** /api/v3/robin_server/ldap-attributes/ **Method:** GET **URL Parameters:** None **Data Parameters:** - ``server_type: `` - Utilizing this parameter within the payload by specifying a string representing a server type, results in the response being filtered by the given LDAP server type. Valid choices for this attribute include: 'OPEN_LDAP' and 'ACTIVE_DIRECTORY'. - ``object_type: `` - Utilizing this parameter within the payload by specifying a string representing a object type, results in the response being filtered by the given LDAP object type. Valid choices for this attribute include: 'user' and 'group'. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "items":[ { "custom":false, "attribute_name":"distinguished_name", "value":"distinguishedName", "object_type":"", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"class_list", "value":[ "group", "groupOfNames" ], "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"distinguished_name", "value":"distinguishedName", "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"group_name", "value":"name", "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"members", "value":[ "member" ], "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"object_sid", "value":"objectSid", "object_type":"group", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"class_list", "value":[ "person", "organizationalPerson", "user" ], "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"display_name", "value":"displayName", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"distinguished_name", "value":"distinguishedName", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"email_address", "value":"mail", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"first_name", "value":"givenName", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"last_name", "value":"sn", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"object_sid", "value":"objectSid", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"user_principal_name", "value":"userPrincipalName", "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"username", "value":[ "sAMAccountName" ], "object_type":"user", "server_type":"ACTIVE_DIRECTORY" }, { "custom":false, "attribute_name":"distinguished_name", "value":"entryDN", "object_type":"", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"class_list", "value":[ "posixGroup", "groupOfNames", "groupOfUniqueNames" ], "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"distinguished_name", "value":"entryDN", "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"group_name", "value":"cn", "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"members", "value":[ "uniqueMember", "member" ], "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"object_sid", "value":"objectSid", "object_type":"group", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"class_list", "value":[ "posixAccount", "inetOrgPerson", "organizationalPerson" ], "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"display_name", "value":"displayName", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"distinguished_name", "value":"entryDN", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"email_address", "value":"emailAddress", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"first_name", "value":"givenName", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"last_name", "value":"sn", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"object_class", "value":"objectClass", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"object_sid", "value":"entryUUID", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"user_principal_name", "value":"userPrincipalName", "object_type":"user", "server_type":"OPEN_LDAP" }, { "custom":false, "attribute_name":"username", "value":[ "uid", "cn" ], "object_type":"user", "server_type":"OPEN_LDAP" } ] } .. raw:: html
--------------------- Update LDAP Attribute --------------------- .. tabs:: .. tab:: CLI Run the following command to update an LDAP attribute: .. code-block:: text # robin ldap update-attribute ==================== ============================================================= ``server_type`` LDAP server type. Valid choices are 'ACTIVE_DIRECTORY' and 'OPEN_LDAP' ``object_type`` LDAP object type. Valid choices are 'user', 'group', and 'none' ``attribute_name`` LDAP attribute name ``value`` LDAP attribute value ==================== ============================================================= **Example:** .. code-block:: text # robin ldap update-attribute OPEN_LDAP group members member,uniqueMember Successfully updated one or more LDAP attributes .. Note:: An LDAP attribute can apply globally (for a given server type) or it can apply to a particular object type (``user`` or ``group``). When updating a global attribute, specify ``none`` for object type. .. tab:: API Updates an LDAP attribute to a given value. **End Point:** /api/v3/robin_server/ldap-attributes/ **Method:** POST **URL Parameters:** None **Data Parameters:** - ``server_type: `` - This mandatory field within the payload specifies the type of LDAP server. Valid choices are 'OPEN_LDAP' and 'ACTIVE_DIRECTORY'. - ``object_type: `` - This mandatory field within the payload specifies the object type of the attribute to update. Valid choices are 'user', 'group', and 'none'. Note, 'none' should be specified when updating a global attribute. - ``attribute_name: `` - This mandatory field within the payload specifies the name of the attribute to update. - ``value: `` - This mandatory field within the payload specifies the value to be set for the aforementioned attribute. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Successfully updated one or more LDAP attributes\n" } .. raw:: html
-------------------- Reset LDAP Attribute -------------------- .. tabs:: .. tab:: CLI Run the following command to reset an LDAP attribute to its default value: .. code-block:: text # robin ldap reset-attribute ==================== ============================================================= ``server_type`` LDAP server type. Valid choices are 'ACTIVE_DIRECTORY' and 'OPEN_LDAP' ``object_type`` LDAP object type. Valid choices are 'user', 'group', and 'none' ``attribute_name`` LDAP attribute name ==================== ============================================================= **Example:** .. code-block:: text # robin ldap reset-attribute OPEN_LDAP group members Reset LDAP attribute 'OPEN_LDAP:group:members' .. Note:: An LDAP attribute can apply globally (for a given server type) or it can apply to a particular object type (``user`` or ``group``). When resetting a global attribute, specify ``none`` for object type. .. tab:: API Resets an LDAP attribute to its default value. **End Point:** /api/v3/robin_server/ldap-attributes/ **Method:** DELETE **URL Parameters:** None **Data Parameters:** - ``server_type: `` - This mandatory field within the payload specifies the type of LDAP server. Valid choices are 'OPEN_LDAP' and 'ACTIVE_DIRECTORY'. - ``object_type: `` - This mandatory field within the payload specifies the object type of the attribute to reset. Valid choices are 'user', 'group', and 'none'. Note, 'none' should be specified when resetting a global attribute. - ``attribute_name: `` - This mandatory field within the payload specifies the name of the attribute to reset. **Port:** RCM Port (default value is 29442) **Headers:** - ``Authorization: `` : Authorization token to identify which user is sending the request. The token can be acquired from the login API. **Success Response Code:** 200 **Error Response Code:** 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error) **Example Response:** .. raw:: html
Output .. code-block:: text { "message":"Reset LDAP attribute 'OPEN_LDAP:group:members'\n" } .. raw:: html