7. User Management¶
This section provides an overview of user management on a Robin Platform cluster and the underlying Kubernetes cluster.
Topics covered in this chapter:
|
Add a new user to the Robin cluster |
|
Update a user’s attributes |
|
Remove a user from the Robin cluster |
|
List Robin cluster users |
|
Log into the Robin cluster |
|
Change the password for the current Robin user |
|
Change the tenant for the current user |
|
Change the role a user has for specified tenant |
|
List details about user capabilities that can be assigned to users |
|
Add a custom user capability |
|
Remove a custom user capability |
|
Update one or more attributes for a custom user capabiilty |
|
Add one or more capability entries to a custom user capability |
|
Remove one or more capability entries from a custom user capability |
|
Add one or more capability providers to a custom user capability |
|
Remove one or more capability providers from a custom user capability |
|
List operations that can be shared with users for various sharable objects |
|
Add an LDAP server |
|
Remove an LDAP server |
|
List named LDAP server or all LDAP servers |
|
List one or more LDAP groups |
|
List one or more LDAP users |
|
Import one or more LDAP users |
|
Import members of a LDAP group |
|
List LDAP attributes |
|
Update an LDAP attribute |
|
Reset an LDAP attribute to its default value |
|
List one or more OpenShift users or all OpenShift users |
|
List one or more OpenShift groups or all OpenShift groups |
|
Import one or more OpenShift users |
|
Import all users from an OpenShift groups |
7.1. Kubernetes user management¶
Note
Details on Kubernetes user management are provided for information purposes only. The Robin handles all interaction between Robin Server and the Kubernetes API Server on behalf of all Robin Platform users.
Kubernetes clusters support two categories of users: service accounts, and normal users (users). Service accounts are managed by the Kubernetes cluster. But Kubernetes doesn’t have a mechanism for managing users. In fact, it doesn’t even contain an object that represents a user, and there is no way for a user to log into a Kubernetes cluster. In a Kubernetes cluster, user management is off-loaded to an external facility or auth provider.
Namespaces
Kubernetes provides a construct, called ‘namespace’, which allows a cluster to be partitioned into multiple “virtual clusters”. Names for resources deployed in a namespace must be unique, but that restriction does not apply across namespaces. In addition to isolating application resources, namespaces also provide a way to isolate groups of users and apportion cluster resources to those groups.
Usernames
In a Kubernetes cluster, each user is identified by a unique username and possibly one or more affiliated group names. Kubernetes maps (binds) the username and affiliated group names to roles that define which resources can be accessed and which operations can be performed on those resources. These role bindings can apply to a specific namespace or they can apply across the entire cluster (namespaced roles bindings cannot reference more than one namespace).
There are no hard and fast rules regarding what form a Kubernetes username may take. It may be a user’s email address that they use when authenticating themselves with an authentication provider. Or it may be an arbitrary name that is encoded in an externally generated TLS certificate. Whatever username is specified, it needs to map to role bindings that provide full access to the namespace where the user’s applications are deployed (this should already be the case if the user used Helm or an operator to deploy their application). It is beyond the scope of this document to determine how Kubernetes users should be managed. The following command can be used, however, to ensure that a username is mapped to a role with adequate permissions for a specific namespace:
# kubectl create rolebinding <role_binding_name> --clusterrole=edit --user=<username> -n=<namespace>
Authentication and authorization
Each time a user issues a kubectl or helm command, their credentials (bearer token, TLS certificate, username/password, etc.) are sent on their behalf to the Kubernetes API server. There, the API server performs a user authentication check and if the user is authenticated, the user’s username and group names are matched against role bindings, to determine if the user is authorized to perform the requested operation. If the user is not authenticated, or the user does not have adequate permissions to perform the operation, then an error will be returned.
7.2. Robin user management¶
Robin includes a robust user management system with Role Based Access Control (RBAC) that allows fine grain control of what operations each user is able to perform and which resources they are able to access. Robin also manages all interactions with the Kubernetes API Server on behalf of all Robin users.
Users
Each person accessing a Robin cluster should do so using their own user account. The user account contains a username and Id that uniquely identifies the user within the cluster. All objects created by the user (e.g., applications) will be tagged with the user’s Id. The user account also contains key attributes about the user, such as first and last name, email address, phone number, etc., and provides a means for authenticating the user when they log into the cluster.
Tenants
Tenants are a Robin construct that allows users to be organized into discrete groups based on function or business requirements. A user can be a member of multiple tenants, but each user is only able to access resources that are bound to the tenant they are currently logged into (e.g., a user would not be able to access an application they deployed when they were logged into a different tenant).
User roles
Each Robin user is assigned a role for each tenant they are a member of. The role determines which capabilities the user has and which objects they are able to access. Users who are assigned to multiple tenants can have a different role for each tenant they are a member of. Currently there are three roles that can be assigned to a user:
superadmin – A user assigned the superadmin role has full access to all cluster objects and resources (including those bound to individual tenants), and is able to perform all administrative functions in the Robin cluster, such as adding users to the cluster, registering and sharing storage repositories, exporting/importing application backups, etc. Note that the superadmin role can only be assigned to a member of the Administrators tenant.
tenantadmin – A user assigned the tenantadmin role has many of the same permissions as user with the superadmin role. But their scope is limited to a particular tenant which they are a member of. A tenantadmin user is able to view all resources bound to their respective tenant, can register and share storage repositories, export/import application backups, etc.
user – A user assigned the user role has no cluster admin capabilities and is, generally speaking, limited to managing the applications they have deployed or registered.
Authentication and authorization
Every command issued using the Robin CLI results in a request being sent to the Robin Server. Before acting on the request, a check is made to ensure that the user making the request is authenticated and that they are authorized to perform the requested action on the specified object type.
Each request sent to the Robin Server contains a token that includes the username of the user, the tenant they are currently logged into, and an expiration timestamp. If the token is invalid (malformed) or it has expired, then the request will be denied. If the user is authenticated, then an authorization check is performed.
The first phase of the authorization check ensures that the user has adequate permissions to access the request method. The user needs to have the view permission for the specified object type when making a call to GET, the create permission when making a call to POST, the modify permission when making a call to PUT, and the delete permission when making a call to DELETE. For example, if the user issued the following Robin CLI command:
robin app list
then a check will be made to ensure the user has permission to view objects of type APPLICATION.
When making a request to modify specific object instances, an additional check may be made to see if the user has permission to perform the specified action. For example, when a user issues a command to stop an application instance, before the action is taken a check is made to ensure the user has permission to perform the stop action on objects of type APPLICATION.
If the action the user wishes to perform will be applied to an actual object instance (which would normally be the case when making a request to modify or delete an object), then an additional check will be performed to ensure that the user is able to access the referenced object. Access to the object will be granted if one of the following conditions is met:
The user created and owns the object instance
The user has been assigned the tenantadmin role for the tenant the object is bound to, and they are logged into that tenant.
The user has been assigned the superadmin role, and they are logged into the Administrators tenant
The object type supports sharing and it has explicitly been shared with the user (for the requested action) or it has been shared with the user’s tenant (for the requested action).
Note that not all object types support additional actions beyond the standard permissions: view, create, update, and delete.
User capabilities
In addition to being assigned a role when they are added to a tenant, users are also assigned one or more User Capabilities. User capabilities are groupings of permissions that map individual object types to specific operations. As was outlined above, each object type has four permission mappings that map to standard API endpoint methods, GET, POST, PUT, and DELETE (view, create, update, and delete respectively). Additional permission mappings are provided that allow for a more granular level of access control. These additional mappings all extend the update permission, which controls the modification of existing objects. All object update operations for an object type are handled by its PUT method.
Object permission mappings are hierarchical in nature. For example, before you can start or stop an application, you first must be able to access (view) the application. Including the view, update, start, and stop permission mappings in the same user capability would be one way to accomplish this. Doing so would impose some significant limitations, however. It would make it nearly impossible to allow one set of users to have full access to apps and another to have view only capabilities.
To allow for a higher degree of flexibility, user capabilities
support the concept of inheritance. A user capability only needs to
include permission mappings that make sense for the stated purpose of
the user capability (e.g., Manage Applications). Dependent
permission mappings defined in other user capabilities are included
in the capability’s list of providers. Below is an example of how
this works. The ManageApplications
user capability inherits
various user capabilities (providers) such as ViewApplications
,
ViewBackups
, ViewInstances
, etc. It also defines permission
mappings that pertain specifically to the management of application
objects.
{
"id":3,
"name":"ManageApplications",
"capability_group":"Application",
"description":"Manage Applications"
"hidden":false,
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
],
"providers":[
"ViewApplications",
"ViewBackups",
"ViewInstances",
"ManageInstances",
"ViewDocker",
"ViewTags",
"ViewResourcePools",
"ViewBundles",
"ViewImages",
"ViewConfig",
"ViewEvents",
"ViewNetworking",
"ViewNodes",
"ViewJobs",
"ViewZones",
"ViewStorageArray",
"ViewNFSExports"
],
"capability_entries":[
{
"object_type":"APPLICATION",
"operation":"add_repo"
},
{
"object_type":"APPLICATION",
"operation":"addkey"
},
{
"object_type":"APPLICATION",
"operation":"addtrigger"
},
{
"object_type":"APPLICATION",
"operation":"addvol"
},
{
"object_type":"APPLICATION",
"operation":"computeqos"
},
{
"object_type":"APPLICATION",
"operation":"config"
},
{
"object_type":"APPLICATION",
"operation":"deltrigger"
},
{
"object_type":"APPLICATION",
"operation":"delvol"
},
{
"object_type":"APPLICATION",
"operation":"expandvol"
},
{
"object_type":"APPLICATION",
"operation":"hydrate"
},
{
"object_type":"APPLICATION",
"operation":"moveresources"
},
{
"object_type":"APPLICATION",
"operation":"probe"
},
{
"object_type":"APPLICATION",
"operation":"redeploy"
},
{
"object_type":"APPLICATION",
"operation":"register"
},
{
"object_type":"APPLICATION",
"operation":"remove_repo"
},
{
"object_type":"APPLICATION",
"operation":"restart"
},
{
"object_type":"APPLICATION",
"operation":"rollback"
},
{
"object_type":"APPLICATION",
"operation":"run_hook"
},
{
"object_type":"APPLICATION",
"operation":"scale"
},
{
"object_type":"APPLICATION",
"operation":"setreslimits"
},
{
"object_type":"APPLICATION",
"operation":"start"
},
{
"object_type":"APPLICATION",
"operation":"stop"
},
{
"object_type":"APPLICATION",
"operation":"storageqos"
},
{
"object_type":"APPLICATION",
"operation":"unregister"
},
{
"object_type":"APPLICATION",
"operation":"update"
},
{
"object_type":"APPLICATION",
"operation":"update_hpa"
},
{
"object_type":"APPLICATION",
"operation":"upgrade"
},
{
"object_type":"SNAPSHOT",
"operation":"update"
}
]
}
Note
Each user capability contains a list of the user roles it can be use with.
There are certain, special user capabilities that contain all of
the permission mappings (including those provided via inheritance)
needed for each user role. These are AllUserCapabilities
,
AllTenantAdminCapabilities
, and AllSuperAdminCapabilities
.
User permissions
Each user that logs into a Robin cluster has a set of permission mappings that determine which operations they can perform on which object types. The set of permission mappings is determined by which user capabilities have been assigned to the user for the tenant they are currently logged into (users have a different set of permission mappings for each tenant they are a member of). A user’s current permissions are the set of all permission mappings assigned to the user based on their assigned user capabilities, plus those from all inherited capabilities.
Note
If multiple user capabilities assigned to a user inherit the same user capability, only one set of the inherited permission mappings will be assigned to the user.
Custom user capabilities
Robin provides a wide range of user capabilities that address the needs of users at various levels (cluster administrators, tenant administrators, and regular users). By default, each user when added to a tenant, will be assigned one of the following user capabilities, based on their assigned tenant role:
superadmin –
AllSuperAdminCapabilities
tenantadmin –
AllTenantAdminCapabilities
user –
AllUserCapabilities
Each of the above user capabilities provides the user with a full set of permissions appropriate for the role they have been assigned. It does this by including all relevant user capabilities in the provider list of the assigned capability. Cluster administrators can remove select capabilities from a user. They cannot, however, add or remove individual permissions. Nor are they able to give a user a specific set of permissions. If there is a need for this, then a custom user capability might be the way to go.
Custom user capabilities give cluster administrators the ability to give a user only those permissions needed for a particular use case. The permission mappings can be specified in a number of ways:
By including user capabilities that provide the desired permission mappings in the custom capability’s providers list.
By including individual permission mappings in the custom capability’s capability entries list.
By employing a combination of providers and capability entries.
When creating a custom user capability, you need to specify which
user roles the capability can be used with. For example, a custom
capability that focuses on cluster infrastructure probably should be
limited in scope to users having the superadmin
role. Use the
following command to see which of the current user capabilities
(including custom capabilities) might provide the desired set of
permissions (or a sub-set of this list).
robin capabilities list-options --full
You can narrow the output by including the --group
command line
option, or you can specify specific user capabilities on the command
line. When specifying capability entries on the command line, they
should be of the following format:
<object_type>:<operation>
Once you have created a custom user capability, you can assign it to
users when adding them to the cluster or to a tenant. You would do
this by including the custom capability on the command line when
using the Robin CLI to issue a robin user add
or robin tenant
add-users
command. Note that if no user capabilities are specified,
then one of the role specific default capabilities specified above
will be assigned.
Strictly speaking, a custom user capability is not the same thing as
a custom user role. It can, however, be deployed in such a way as to
provide functionality people think of when they think of custom
roles. Robin does not allow the creation of custom tenant roles
because tenant roles are very specifically focused on controlling a
user’s access level for object types they have permission to
access (granted by their assigned user capabilities). For example, a
regular user (one who has been assigned the user
role) may have
permission to view applications (because they have been assigned the
ViewApplications
user capability), but the access level imposed
by their role (user
) prevents them from viewing applications they
didn’t create (don’t own). If you want to prevent a user from viewing
all applications, you need to remove those capabilities giving them
view
permission on APPLICATION
objects. Accomplishing this
may not be as straight forward as you might think. That’s because of
the loosely hierarchical nature of user capabilities. By design, each
user capability includes all of the user capabilities it is dependent
on in its providers list (e.g., the ManageApplications
capability
includes the ViewApplications
capability). This makes it hard to
remove specific permission mappings (the ViewApplications
capability may be imported by multiple user capabilities). This is not
an issue with a custom user capability. If there are a desired set of
permissions you wish to give to a user (or group of users) then it’s
just a matter of creating a custom capability and including the
permission mappings in the capability entries list.
Once created, custom user capabilities can be assigned to users, just like the capabilities provided by Robin. If a custom user capability is assigned to multiple users, then any change to the capability will be reflected in the permissions for each of the assigned user.
Note
Please refer to the previous section that provides details about user capabilities. When creating a custom user capability, describes what a user capability is.
Care should be taken when creating custom user capabilities as they may prevent or impede access to the Robin UI.
A user capability group is not specified when creating a custom
user capability as they are all assigned to the Custom
capability group.
Object sharing
As was outlined above, Robin RBAC control prevents users from
accessing objects they do not have permission to access. For example,
a regular user (a user assigned the role of user
) will only be
able to view and manage objects (applications, snapshots, backups,
etc.) they create and own. Other users, even those in the same
tenant, will not be able to see the objects, let alone perform any
operations on them. There are restrictions on which objects a Tenant
Administrator can access as well. Tenant Administrators have
permission to view all objects created by all users in their tenant,
however they are not able to access objects created by users from
other tenants. Cluster Administrators, however, are able to access
all objects created by all users in all tenants, but only when they
are logged into the Administrators tenant.
There are times when it might be desirable to share an object with one or more users in a tenant. It also might be desirable for certain objects to be shared with users in multiple tenants. The Robin platform contains a mechanisim for sharing certain objects with multiple tenants and users.
The extent to which a particular object can be shared depends on what type of object it is. For example, it makes sense for bundles or application backups to be shared with users in multiple tenants, because these objects do not contain any context that is bound to a single tenant. The same can not be said for an application, however, which has a context which is bound to a tenant.
When sharing certain objects with a tenant, all members of the tenant automatically get full access to the object (e.g., all members of a tenant will be able to create applications from a shared Bundle). For other object types, sharing them with a tenant only allows the object to be shared with tenant users. It’s up to a cluster or tenant administrator to provide users with access.
Only a Cluster Administrators can share an object with a tenant other than the one it is bound to. Once an object has been shared with a tenant, however, administrators of the tenant can then share the object with members of the tenant (assuming the object supports user sharing). Following are a list of objects that can be shared with tenants:
Storage Repos
Application Backups
Following is a list of objects that can be shared with tenant users:
Storage Repos
Applications
Application Backups
Application Snapshots
Namespaces
Note
By default, when a Cluster Administrator shares an object with a
tenant, administrators of the tenant will not be able to share the
object with members of their tenant. This, and other capabilities
can be extended to all administrators of the tenant when the
object is shared. Use the robin object-share list-options
command to output a list of sharable objects, showing which
operations can be assigned when sharing with tenants and users.
A Tenant Administrator can share all objects bound to (owned by) their tenant with their tenant users without restriction. This includes objects that are sharable across tenants (application backups and storage repos).
User administration
Before a user can begin to use Robin storage, they need to log into Robin using the Robin CLI utility. Before they can do that, they need a user account. Robin user accounts are created by the cluster administrator (a user having the superadmin role). The following information needs to be supplied when creating a user account:
username (must be unique within the Robin cluster)
role (
superadmin
,tenantadmin
, oruser
)initial password
Robin will generate a TLS certificate for each user added to the cluster. The certificate includes the user’s username. Robin Platform will pass this certificate to the Kubernetes API server any time it makes a call on the user’s behalf. Note that role bindings with adequate permissions to manage applications in the user’s assigned namespace (bound to the user’s Kubernetes username and/or group names) will automatically be created.
Before a user can make use of the Robin CLI, they must first authenticate themselves to the Robin cluster. They do this by issuing the following command:
# robin login <username>
which prompts the user to enter their password. Upon a successful login, a token is returned that identifies the user, the tenant they are currently logged into, and their current namespace. This token is stashed in the user’s home directory, to be used with each successive commands issued by the user.
7.3. LDAP user authentication¶
A Robin user is required to provide their username and password when logging into a Robin cluster. The Robin Server uses this username and password to perform an authentication check. By default, user authentication is performed by Robin directly. For environments where user accounts are maintained on a centralized LDAP server, Robin allows users to be configured so that their authentication is handled by the LDAP server.
Robin supports the following LDAP server types:
Active Directory
OpenLDAP
7.3.1. Adding an LDAP server to a Robin cluster¶
Before users can be configured for LDAP authentication, the LDAP server needs to be added to the Robin cluster.
The following information is required when adding an LDAP server:
name – The name that will identify the LDAP server within the Robin cluster
hostname – The IP address or hostname where the LDAP server is running
port – The port number to use when connecting to the server
server_type –
OPEN_LDAP
orACTIVE_DIRECTORY
username – The username of an LDAP user that has full access rights
search_base – The search base defines the starting point for the search in the directory tree
netbios – Normally, the netbios is the domainname minus the suffix (e.g., domainname instead of domainname.com). Before adding the LDAP server to a Robin cluster, obtain the NETBIOS from the LDAP server. Note that netbios is only required when server_type is ACTIVE_DIRECTORY.
The following example shows how an Active Directory LDAP server is added to a Robin cluster:
# robin ldap add-server ad1 10.9.53.5 389 ACTIVE_DIRECTORY administrator mydomain.com --netbios mydomain
Note
An LDAP Directory Tree can be structured in multiple ways, which can effect where users and groups are located. Robin provides options for specifying the global search base, as well as search bases for users and groups, when adding an LDAP server. Additionally, each of the RobinLDAP commands allows for a custom search base to be specified.
In addition, the names of attribues in user and group entries can differ, depending on the type of LDAP server (
ACTIVE_DIRECTORY
orOPEN_LDAP
) and how it’s configured. Robin provides CLI commands for listing and updating the attribute names used internally when accessing a user’s username, first and last name, email address, or when accessing group members, etc.
7.3.2. Adding users with LDAP authentication¶
When adding a user to a Robin cluster, the user can be configured so
that authentication checks go through an external LDAP server. When
using the Robin CLI to add the user, include the --ldap
and
--ldap-server <ldap_server_name>
flags on the command line. The
command to add a user should look something like this:
# robin user add user1 tenant1 user --ldap --ldap-server ldap1
Note
If the user’s LDAP username contains characters that are not
allowed in a Robin cluster (valid characters include a-z
,
A-Z
, 0-9
, .
, -
, and _
) , then the user’s
distinguished name (DN) should be specified. When the user logs
into the Robin cluster, their DN will be sent to the LDAP server
for validation instead of their username.
7.3.3. Searching for LDAP users¶
The Robin CLI includes commands to get a listing of users and user groups from an LDAP server. The users returned from these queries can then be imported into the Robin cluster. When importing an LDAP user, an account for the user will be created in the Robin cluster.
# robin ldap list-users ldap1
Username | Email Address | User Principal Name | Object SID
---------+---------------+---------------------+--------------------------------------
user1 | None | None | 050ce4de-2f64-1033-8989-a53eb149a944
user2 | None | None | 29f6dc28-2f64-1033-898b-a53eb149a944
Note
There is no direct link between a user’s account in a Robin cluster and their account on the LDAP server. other than as a means for authenticating the user during login.
On a very large installation, user queries can take a long time when sending the request to an LDAP server with a large directory.
7.3.4. Importing LDAP users¶
Importing an LDAP user is similar to adding a Robin user. The tenant the user will be added to and their role in that tenant must be specified. When importing an LDAP user, a validation check will be performed, to ensure the user exists in the server’s directory.
# robin ldap import-users ldap1 user1 tenant1 user
7.3.5. Importing members of an LDAP group¶
All members of an LDAP group can be imported in a single operation. Note that all users will be added to the same tenant with the same tenant role and (optionally) custom user capabilities. Key user attributes, such as full name, email address, etc. will be imported along with the user’s username.
# robin ldap import-group ldap1 ldap_group tenant1 user
7.4. OpenShift user authentication¶
7.4.1. Listing OpenShift users¶
The Robin CLI includes commands to get a listing of users and user groups from an OpenShift cluster. The users returned from these queries can then be imported into the Robin cluster. When importing an OpenShift user, an account for the user will be created in the Robin cluster.
# robin openshift list-users [users]
|
Comma separated list of OpenShift users. If no users are provided then all OpenShift users will be displayed. |
Example:
# robin openshift list-users
Username | UID | Groups
---------+--------------------------------------+-------------
admin1 | ee29177c-b48b-42a9-b63c-e9cce6935219 | robin-users
admin2 | d613991f-1975-4225-8d67-2f23aac05215 | robin-users
robin | 881fdd9d-9270-4d1b-a853-ec767b3793cc | robin-users
user1 | 678a46ce-2c32-44ce-a88c-ca084d29c60c | robin-users
user2 | c9ba0e73-b90a-4285-86b6-479e3ddb91ed | robin-users
user3 | 883c0d99-0c4d-4f89-a7ac-79da198e9229 | robin-users
user4 | dee5d68c-ce27-4500-afdc-21d730fe7d23 | robin-users
user5 | e2660780-2a91-44a6-87c1-f9f30724c7de | robin-users
Note
This command is only supported when Robin is deployed on an OpenShift cluster.
There is no direct link between a user’s account in a Robin cluster and their account on an OpenShift cluster, other than as a means for authenticating the user during login to Robin.
7.4.2. Adding users with OpenShift authentication¶
When adding a user when Robin is deployed on an OpenShift cluster,
the user can be configured so that authentication checks go to
OpenShift for authentication. When using the Robin CLI to add the
user, include the --openshift
flag on the command line. A command
to add a Robin user with OpenShift authentication will look something
like this:
# robin user add user1 tenant1 user --openshift
Note
This operation is only supported when Robin is deployed on an OpenShift cluster.
7.4.3. Importing OpenShift users¶
Importing an OpenShift user is similar to adding a Robin user. The tenant the user will be added to and their role in that tenant must be specified. When importing an OpenShift user, a validation check will be performed, to ensure the user exists in the cluster.
# robin openshift import-users users tenant tenant_role [user_capabilities]
|
Comma separated list of OpenShift users to import |
|
Tenant that all imported users will be made a member of |
|
User role for the tenant assigned to each imported user |
|
Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no user_capabilities are specified, then full capabilities for the specified role will be assigned. If it’s desired that no capabilities be granted to the user then specify NoCapabilities. |
Example:
# robin openshift import-users admin1 t1 tenantadmin
Successfully added one user: admin1
# robin user list admin1
ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication
---+----------+-----------+-------+---------+----------------+--------------+-------------------+----------------
4 | admin1 | | | t1 | t1 | tenantadmin | t002-u000004 | openshift
Note
This command is only supported when Robin is deployed on an OpenShift cluster.
7.4.4. Listing OpenShift groups¶
Users from OpenShift groups can be imported into a Robin cluster. Use the following command to search for OpenShift groups and view group members:
# robin openshift list-groups [groups]
|
Comma separated list of OpenShift group names. If no group names are provided then all OpenShift groups will be displayed (note that a listing of all groups can take a long time to finish). |
Example:
# robin openshift list-groups
Name | UID | Users
------------+--------------------------------------+---------------------------------------------------
robin-users | abc53d88-ca7f-4634-b70f-7f51d538d9e4 | robin,user1,user2,user3,user4,user5,admin1,admin2
Note
This command is only supported when Robin is deployed on an OpenShift cluster.
7.4.5. Importing members of an OpenShift group¶
All members of an OpenShift group can be imported into a Robin cluster with a single operation. Note that all users will be added to the same tenant with the same tenant role and (optionally) custom user capabilities. Key user attributes, such as the user’s full name will be imported along with the user’s username. Issue the following command to import one or more members of an OpenShift group:
# robin openshift list-groups groups tenant tenant_role [user_capabilities]
--exclude-users EXCLUDE_USERS
|
Name of the OpenShift group to import users from |
|
Tenant that all imported users will be made a member of |
|
User role for the tenant assigned to each imported user |
|
Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no user_capabilities are specified, then full capabilities for the specified role will be assigned. If it’s desired that no capabilities be granted to the user then specify NoCapabilities. |
|
Comma separated list of users to exclude from importation |
Example:
# robin openshift import-group robin-users t2 user --exclude-users robin,admin1,admin2,user1,user2
Imported OpenShift users: 'user3, user4, user5'
# robin user list
ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication
---+----------+---------------+-------+----------------+----------------+--------------+-------------------+----------------
3 | admin | Robin Systems | | Administrators | Administrators | superadmin | t001-u000003 | local
4 | admin1 | | | t1 | t1 | tenantadmin | t002-u000004 | openshift
5 | user3 | | | t2 | t2 | user | t003-u000005 | openshift
6 | user4 | | | t2 | t2 | user | t003-u000006 | openshift
7 | user5 | | | t2 | t2 | user | t003-u000007 | openshift
Note
This command is only supported when Robin is deployed on an OpenShift cluster.
It may not be practical to use this command to add users from an
OpenShift group to a Robin cluster. If the users in the group
will be assigned to multiple tenants and have different roles. It
might make more sense to use the robin openshift add-users
command to add the users in bunches.
7.5. User capabilities operations¶
7.5.1. List user capabilities¶
List user capabilities that can be assigned to users based on their tenant role:
# robin capabilities list [names]
--group <capability_group>
--all
--full
|
Comma separated list of user capabilities to list |
|
User capability group |
|
Show all user capabilities (including hidden ones). Note that hidden capabilities will be returned if specified on the command line. |
|
Show additional information about each user capability |
Example 1 (List non-hidden user capabilities):
# robin capabilities list
Group | Name | Hidden | Description
---------------+-----------------------------+--------+------------------------------------------------------------
Application | ManageApplications | False | Manage Applications
Application | ShareApplications | False | Share Application Backups
Application | CreateApplications | False | Create Applications
Application | SnapshotApplications | False | Snapshot Applications
Application | UseNamespaces | False | Use Namespaces
Application | ManageNamespaces | False | Manage Namespaces
Application | ShareNamespaces | False | Share Namespaces with other tenant users
Application | CreateBackups | False | Create Application Backups
Application | DeleteBackups | False | Delete Application Backups
Application | ImportBackups | False | Import Application Backups
Application | ExportBackups | False | Export Application Backups
Application | PurgeBackups | False | Purge Application Backups from Storage Repo
Application | TenantShareBackups | False | Share Application Backups with tenants
Application | UserShareBackups | False | Share Application Backups with tenant users
Application | BackupApplications | False | Backup Applications
Application | CloneApplications | False | Clone Applications
Application | DeleteApplications | False | Delete Applications
Application | CreatePrivelegedApps | False | Create Privileged Applications
Infrastructure | ViewSystem | False | View system attributes
Infrastructure | ManageSystem | False | Manage system attributes
Infrastructure | ManageApplicationResources | False | Manage Application resources
Application | ManageK8sApplications | False | Manage k8s Applications
Application | ShareK8sApplications | False | Share Application Backups
Application | ManageK8sBackups | False | Manage K8s Application Backups
Application | CreateImages | False | Create Application Images
Application | CreateBundles | False | Create Application Bundles
Application | ManageInstances | False | Manage Application Instances
Application | ManageVolumes | False | Manage Storage Volumes
Application | ManageDocker | False | Manage Docker Registries
Infrastructure | ManageNetworking | False | Manage Networking
Infrastructure | ManageResourcePools | False | Manage Resource Pools
Infrastructure | ManageTags | False | Manage Tags
Infrastructure | ManageResourceGroups | False | Manage Resource groups
Infrastructure | ManageConfig | False | Manage Configuration Information
Infrastructure | AccessConsole | False | Access a physical node's console
Infrastructure | AccessDashboard | False | Access a cluster's dashboard
Infrastructure | ManageLogCollections | False | Manage Log Collection Information
Infrastructure | ManageFileCollections | False | Manage File Collection Information
Infrastructure | ManageNodes | False | Manage Physical Nodes
Infrastructure | ManageEvents | False | Manage System Events and Alerts
Infrastructure | ManageJobs | False | Manage Jobs
Infrastructure | ManageZones | False | Manage Zones
Infrastructure | ManageWorkflow | False | Manage Workflows
Infrastructure | CreateStorageRepos | False | Create Storage Repos
Infrastructure | UseStorageRepos | False | Use Storage Repos
Infrastructure | ManageStorageRepos | False | Manage Storage Repos
Application | TenantShareRepos | False | Share Storage Repos with tenants
Application | UserShareRepos | False | Share Storage Repos with tenant users
Infrastructure | ManageNFSExports | False | Manage NFS exports
Infrastructure | GenerateReports | False | Generate reports
Infrastructure | ShareObjectsWithTenants | False | Share various objects with tenants
Infrastructure | ChangeOwner | False | Change the owner for various objects
Infrastructure | ManageTenantResources | False | Manage Tenants, Tenant users and their properties
User | ManageUsers | False | Manage Users and their properties
User | UpdateUserRole | False | Update roles for users
User | UpdateTenants | False | Update Tenants, Tenant users and their properties
User | ManageTenants | False | Manage Tenants, Tenant users and their properties
User | ManageUserCapabilities | False | Manage User Capabilities and their properties
User | CreateUserCapabilities | False | Create, Update, and Delete User Capabilities
User | ManageTiller | False | Manage Tiller objects
User | ManageDirectoryServices | False | Manage LDAP/Active Directory services and their properties
User | ManageOpenShift | False | Manage OpenShift users/groups and their properties
User | ManageUserAudit | False | Manage user audit properties
Infrastructure | ManageK8s | False | Manage Kubernetes resources
Infrastructure | ManageK8sUsers | False | Manage Kubernetes resources
Administration | AllSuperAdminCapabilities | False | All Super Admin Capabilities
Administration | AllUserCapabilities | False | All User Capabilities
Administration | AllClusterUserCapabilities | False | All Cluster User Capabilities
Administration | AllClusterAdminCapabilities | False | All Cluster Admin Capabilities
Administration | AllTenantAdminCapabilities | False | All Tenant Admin Capabilities
Example 2 (List all user capabilities in a capability group):
# robin capabilities list --group User
Group | Name | Hidden | Description
------+-------------------------+--------+------------------------------------------------------------
User | ViewUsers | True | View Users and their properties
User | ManageUsers | False | Manage Users and their properties
User | ViewUserAuth | True | View user auth information
User | UpdateUserRole | False | Update roles for users
User | ViewTenants | True | View Tenants and their properties
User | UpdateTenants | False | Update Tenants, Tenant users and their properties
User | ManageTenants | False | Manage Tenants, Tenant users and their properties
User | ViewUserCapabilities | True | View User Capabilities and their properties
User | ManageUserCapabilities | False | Manage User Capabilities and their properties
User | CreateUserCapabilities | False | Create, Update, and Delete User Capabilities
User | ViewTiller | True | View Tiller objects
User | ManageTiller | False | Manage Tiller objects
User | ViewDirectoryServices | True | View LDAP/Active Directory services and their properties
User | ManageDirectoryServices | False | Manage LDAP/Active Directory services and their properties
User | ViewOpenShift | True | View OpenShift users/groups and their properties
User | ManageOpenShift | False | Manage OpenShift users/groups and their properties
User | ViewUserAudit | True | View user audit properties
User | ManageUserAudit | False | Manage user audit properties
User | ViewK8sUserAuth | True | View Kubernetes user context information
Example 3 (Show details for a single user capability):
# robin capabilities list --full ManageApplications
Group | Name | Hidden | Description
------------+--------------------+--------+---------------------
Application | ManageApplications | False | Manage Applications
Tenant Roles:
superadmin
tenantadmin
user
Providers:
ViewApplications
ViewBackups
ViewInstances
ManageInstances
ViewDocker
ViewTags
ViewResourcePools
ViewBundles
ViewImages
ViewConfig
ViewEvents
ViewNetworking
ViewNodes
ViewJobs
ViewZones
ViewStorageArray
ViewNFSExports
Capability Entries:
APPLICATION add_repo
APPLICATION addkey
APPLICATION addtrigger
APPLICATION addvol
APPLICATION computeqos
APPLICATION config
APPLICATION deltrigger
APPLICATION delvol
APPLICATION expandvol
APPLICATION hydrate
APPLICATION moveresources
APPLICATION probe
APPLICATION redeploy
APPLICATION register
APPLICATION remove_repo
APPLICATION restart
APPLICATION rollback
APPLICATION run_hook
APPLICATION scale
APPLICATION setreslimits
APPLICATION start
APPLICATION stop
APPLICATION storageqos
APPLICATION unregister
APPLICATION update
APPLICATION update_hpa
APPLICATION upgrade
SNAPSHOT update
Returns a list of user capabilities that can be assigned to users based on their tenant role:.
End Point: /api/v3/robin_server/user-capabilities
Method: GET
URL Parameters: None
Data Parameters:
all_capabilities: true
- Utilizing this parameter within the payload results in all user capabilities including hidden ones being returned.capability_group: <group_name>
- Utilizing this parameter within the payload by specifying a valid group name results in only capabilities within that group being returned.
Port: RCM Port (default value is 29442)
Headers:
Authorization: <auth_token>
: Authorization token to identify which user is sending the request. The token can be acquired from the login API.
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error)
Example Response:
Output
{
"items":[
{
"capability_group":"Application",
"id":3,
"description":"Manage Applications",
"providers":[
"ViewApplications",
"ViewBackups",
"ViewInstances",
"ManageInstances",
"ViewDocker",
"ViewTags",
"ViewResourcePools",
"ViewBundles",
"ViewImages",
"ViewConfig",
"ViewEvents",
"ViewNetworking",
"ViewNodes",
"ViewJobs",
"ViewZones",
"ViewStorageArray",
"ViewNFSExports"
],
"hidden":false,
"name":"ManageApplications",
"capability_entries":[
{
"operation":"add_repo",
"object_type":"APPLICATION"
},
{
"operation":"addkey",
"object_type":"APPLICATION"
},
{
"operation":"addtrigger",
"object_type":"APPLICATION"
},
{
"operation":"addvol",
"object_type":"APPLICATION"
},
{
"operation":"computeqos",
"object_type":"APPLICATION"
},
{
"operation":"config",
"object_type":"APPLICATION"
},
{
"operation":"deltrigger",
"object_type":"APPLICATION"
},
{
"operation":"delvol",
"object_type":"APPLICATION"
},
{
"operation":"expandvol",
"object_type":"APPLICATION"
},
{
"operation":"hydrate",
"object_type":"APPLICATION"
},
{
"operation":"moveresources",
"object_type":"APPLICATION"
},
{
"operation":"probe",
"object_type":"APPLICATION"
},
{
"operation":"redeploy",
"object_type":"APPLICATION"
},
{
"operation":"register",
"object_type":"APPLICATION"
},
{
"operation":"remove_repo",
"object_type":"APPLICATION"
},
{
"operation":"restart",
"object_type":"APPLICATION"
},
{
"operation":"rollback",
"object_type":"APPLICATION"
},
{
"operation":"run_hook",
"object_type":"APPLICATION"
},
{
"operation":"scale",
"object_type":"APPLICATION"
},
{
"operation":"setreslimits",
"object_type":"APPLICATION"
},
{
"operation":"start",
"object_type":"APPLICATION"
},
{
"operation":"stop",
"object_type":"APPLICATION"
},
{
"operation":"storageqos",
"object_type":"APPLICATION"
},
{
"operation":"unregister",
"object_type":"APPLICATION"
},
{
"operation":"update",
"object_type":"APPLICATION"
},
{
"operation":"update_hpa",
"object_type":"APPLICATION"
},
{
"operation":"upgrade",
"object_type":"APPLICATION"
},
{
"operation":"update",
"object_type":"SNAPSHOT"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":4,
"description":"Share Application Backups",
"providers":[
"ViewApplications",
"ViewK8sApplications"
],
"hidden":false,
"name":"ShareApplications",
"capability_entries":[
{
"operation":"share",
"object_type":"APPLICATION"
},
{
"operation":"unshare",
"object_type":"APPLICATION"
},
{
"operation":"share",
"object_type":"K8S_APPLICATION"
},
{
"operation":"unshare",
"object_type":"K8S_APPLICATION"
},
{
"operation":"share",
"object_type":"SNAPSHOT"
},
{
"operation":"unshare",
"object_type":"SNAPSHOT"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":5,
"description":"Create Applications",
"providers":[
"ManageApplications"
],
"hidden":false,
"name":"CreateApplications",
"capability_entries":[
{
"operation":"create",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":6,
"description":"Snapshot Applications",
"providers":[
"ViewApplications"
],
"hidden":false,
"name":"SnapshotApplications",
"capability_entries":[
{
"operation":"setsnapback",
"object_type":"APPLICATION"
},
{
"operation":"snapshot",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":8,
"description":"Use Namespaces",
"providers":[
],
"hidden":false,
"name":"UseNamespaces",
"capability_entries":[
{
"operation":"deploy_app",
"object_type":"NAMESPACE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":9,
"description":"Manage Namespaces",
"providers":[
"ViewNamespaces"
],
"hidden":false,
"name":"ManageNamespaces",
"capability_entries":[
{
"operation":"create",
"object_type":"NAMESPACE"
},
{
"operation":"delete",
"object_type":"NAMESPACE"
},
{
"operation":"update",
"object_type":"NAMESPACE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":10,
"description":"Share Namespaces with other tenant users",
"providers":[
"ViewNamespaces"
],
"hidden":false,
"name":"ShareNamespaces",
"capability_entries":[
{
"operation":"user_share",
"object_type":"NAMESPACE"
},
{
"operation":"user_unshare",
"object_type":"NAMESPACE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":12,
"description":"Create Application Backups",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"CreateBackups",
"capability_entries":[
{
"operation":"create",
"object_type":"BACKUP"
},
{
"operation":"update",
"object_type":"BACKUP"
},
{
"operation":"create",
"object_type":"K8S_BACKUP"
},
{
"operation":"update",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":13,
"description":"Delete Application Backups",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"DeleteBackups",
"capability_entries":[
{
"operation":"delete",
"object_type":"BACKUP"
},
{
"operation":"delete",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":14,
"description":"Import Application Backups",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"ImportBackups",
"capability_entries":[
{
"operation":"import",
"object_type":"BACKUP"
},
{
"operation":"import",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":15,
"description":"Export Application Backups",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"ExportBackups",
"capability_entries":[
{
"operation":"export",
"object_type":"BACKUP"
},
{
"operation":"export",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":16,
"description":"Purge Application Backups from Storage Repo",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"PurgeBackups",
"capability_entries":[
{
"operation":"purge",
"object_type":"BACKUP"
},
{
"operation":"purge",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":17,
"description":"Share Application Backups with tenants",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"TenantShareBackups",
"capability_entries":[
{
"operation":"tenant_share",
"object_type":"BACKUP"
},
{
"operation":"tenant_unshare",
"object_type":"BACKUP"
},
{
"operation":"tenant_share",
"object_type":"K8S_BACKUP"
},
{
"operation":"tenant_unshare",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Application",
"id":18,
"description":"Share Application Backups with tenant users",
"providers":[
"ViewBackups"
],
"hidden":false,
"name":"UserShareBackups",
"capability_entries":[
{
"operation":"user_share",
"object_type":"BACKUP"
},
{
"operation":"user_unshare",
"object_type":"BACKUP"
},
{
"operation":"user_share",
"object_type":"K8S_BACKUP"
},
{
"operation":"user_unshare",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":19,
"description":"Backup Applications",
"providers":[
"ViewApplications"
],
"hidden":false,
"name":"BackupApplications",
"capability_entries":[
{
"operation":"backup",
"object_type":"APPLICATION"
},
{
"operation":"delete_backup",
"object_type":"APPLICATION"
},
{
"operation":"restore",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":20,
"description":"Clone Applications",
"providers":[
"ManageApplications"
],
"hidden":false,
"name":"CloneApplications",
"capability_entries":[
{
"operation":"clone",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":21,
"description":"Delete Applications",
"providers":[
"ManageApplications"
],
"hidden":false,
"name":"DeleteApplications",
"capability_entries":[
{
"operation":"delete",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":22,
"description":"Create Privileged Applications",
"providers":[
],
"hidden":false,
"name":"CreatePrivelegedApps",
"capability_entries":[
{
"operation":"create",
"object_type":"PRIVILEGED_APP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Infrastructure",
"id":23,
"description":"View system attributes",
"providers":[
],
"hidden":false,
"name":"ViewSystem",
"capability_entries":[
{
"operation":"view",
"object_type":"METRICS"
},
{
"operation":"view",
"object_type":"SYSTEM"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Infrastructure",
"id":24,
"description":"Manage system attributes",
"providers":[
],
"hidden":false,
"name":"ManageSystem",
"capability_entries":[
{
"operation":"create",
"object_type":"SYSTEM"
},
{
"operation":"update",
"object_type":"SYSTEM"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":25,
"description":"Manage Application resources",
"providers":[
],
"hidden":false,
"name":"ManageApplicationResources",
"capability_entries":[
{
"operation":"snapshot_limits",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":27,
"description":"Manage k8s Applications",
"providers":[
"ViewK8sApplications"
],
"hidden":false,
"name":"ManageK8sApplications",
"capability_entries":[
{
"operation":"add_repo",
"object_type":"K8S_APPLICATION"
},
{
"operation":"backup",
"object_type":"K8S_APPLICATION"
},
{
"operation":"clone",
"object_type":"K8S_APPLICATION"
},
{
"operation":"config",
"object_type":"K8S_APPLICATION"
},
{
"operation":"create",
"object_type":"K8S_APPLICATION"
},
{
"operation":"delete",
"object_type":"K8S_APPLICATION"
},
{
"operation":"hydrate",
"object_type":"K8S_APPLICATION"
},
{
"operation":"probe",
"object_type":"K8S_APPLICATION"
},
{
"operation":"register",
"object_type":"K8S_APPLICATION"
},
{
"operation":"remove_repo",
"object_type":"K8S_APPLICATION"
},
{
"operation":"restart",
"object_type":"K8S_APPLICATION"
},
{
"operation":"restore",
"object_type":"K8S_APPLICATION"
},
{
"operation":"rollback",
"object_type":"K8S_APPLICATION"
},
{
"operation":"scale",
"object_type":"K8S_APPLICATION"
},
{
"operation":"setsnapback",
"object_type":"K8S_APPLICATION"
},
{
"operation":"snapshot",
"object_type":"K8S_APPLICATION"
},
{
"operation":"start",
"object_type":"K8S_APPLICATION"
},
{
"operation":"stop",
"object_type":"K8S_APPLICATION"
},
{
"operation":"unregister",
"object_type":"K8S_APPLICATION"
},
{
"operation":"update",
"object_type":"K8S_APPLICATION"
},
{
"operation":"view",
"object_type":"K8S_APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":28,
"description":"Share Application Backups",
"providers":[
"ViewApplications",
"ViewK8sApplications"
],
"hidden":false,
"name":"ShareK8sApplications",
"capability_entries":[
{
"operation":"share",
"object_type":"K8S_APPLICATION"
},
{
"operation":"unshare",
"object_type":"K8S_APPLICATION"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Application",
"id":30,
"description":"Manage K8s Application Backups",
"providers":[
"ViewK8sBackups"
],
"hidden":false,
"name":"ManageK8sBackups",
"capability_entries":[
{
"operation":"create",
"object_type":"K8S_BACKUP"
},
{
"operation":"delete",
"object_type":"K8S_BACKUP"
},
{
"operation":"share",
"object_type":"K8S_BACKUP"
},
{
"operation":"tenant_share",
"object_type":"K8S_BACKUP"
},
{
"operation":"tenant_unshare",
"object_type":"K8S_BACKUP"
},
{
"operation":"unshare",
"object_type":"K8S_BACKUP"
},
{
"operation":"update",
"object_type":"K8S_BACKUP"
},
{
"operation":"user_share",
"object_type":"K8S_BACKUP"
},
{
"operation":"user_unshare",
"object_type":"K8S_BACKUP"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Application",
"id":32,
"description":"Create Application Images",
"providers":[
"ViewImages"
],
"hidden":false,
"name":"CreateImages",
"capability_entries":[
{
"operation":"create",
"object_type":"IMAGE"
},
{
"operation":"delete",
"object_type":"IMAGE"
},
{
"operation":"rename",
"object_type":"IMAGE"
},
{
"operation":"update",
"object_type":"IMAGE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":34,
"description":"Create Application Bundles",
"providers":[
"ViewImages",
"ViewBundles"
],
"hidden":false,
"name":"CreateBundles",
"capability_entries":[
{
"operation":"create",
"object_type":"BUNDLE"
},
{
"operation":"delete",
"object_type":"BUNDLE"
},
{
"operation":"rename",
"object_type":"BUNDLE"
},
{
"operation":"update",
"object_type":"BUNDLE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":36,
"description":"Manage Application Instances",
"providers":[
"ViewInstances"
],
"hidden":false,
"name":"ManageInstances",
"capability_entries":[
{
"operation":"manage_instances",
"object_type":"APPLICATION"
},
{
"operation":"addvol",
"object_type":"INSTANCE"
},
{
"operation":"computeqos",
"object_type":"INSTANCE"
},
{
"operation":"delete",
"object_type":"INSTANCE"
},
{
"operation":"relocate",
"object_type":"INSTANCE"
},
{
"operation":"repair",
"object_type":"INSTANCE"
},
{
"operation":"restart",
"object_type":"INSTANCE"
},
{
"operation":"setstate",
"object_type":"INSTANCE"
},
{
"operation":"start",
"object_type":"INSTANCE"
},
{
"operation":"stop",
"object_type":"INSTANCE"
},
{
"operation":"update",
"object_type":"INSTANCE"
},
{
"operation":"upgrade",
"object_type":"INSTANCE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":38,
"description":"Manage Storage Volumes",
"providers":[
"ViewVolumes"
],
"hidden":false,
"name":"ManageVolumes",
"capability_entries":[
{
"operation":"create",
"object_type":"VOLUME"
},
{
"operation":"delete",
"object_type":"VOLUME"
},
{
"operation":"update",
"object_type":"VOLUME"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Application",
"id":40,
"description":"Manage Docker Registries",
"providers":[
"ViewDocker"
],
"hidden":false,
"name":"ManageDocker",
"capability_entries":[
{
"operation":"create",
"object_type":"DOCKER_REGISTRY"
},
{
"operation":"delete",
"object_type":"DOCKER_REGISTRY"
},
{
"operation":"update",
"object_type":"DOCKER_REGISTRY"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":42,
"description":"Manage Networking",
"providers":[
"ViewNetworking"
],
"hidden":false,
"name":"ManageNetworking",
"capability_entries":[
{
"operation":"create",
"object_type":"IPPOOL"
},
{
"operation":"delete",
"object_type":"IPPOOL"
},
{
"operation":"update",
"object_type":"IPPOOL"
},
{
"operation":"create",
"object_type":"VLAN"
},
{
"operation":"delete",
"object_type":"VLAN"
},
{
"operation":"update",
"object_type":"VLAN"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":44,
"description":"Manage Resource Pools",
"providers":[
"ViewResourcePools"
],
"hidden":false,
"name":"ManageResourcePools",
"capability_entries":[
{
"operation":"create",
"object_type":"RESOURCEPOOL"
},
{
"operation":"delete",
"object_type":"RESOURCEPOOL"
},
{
"operation":"update",
"object_type":"RESOURCEPOOL"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":46,
"description":"Manage Tags",
"providers":[
"ViewTags"
],
"hidden":false,
"name":"ManageTags",
"capability_entries":[
{
"operation":"create",
"object_type":"TAG"
},
{
"operation":"delete",
"object_type":"TAG"
},
{
"operation":"update",
"object_type":"TAG"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":48,
"description":"Manage Resource groups",
"providers":[
"ViewResourceGroups"
],
"hidden":false,
"name":"ManageResourceGroups",
"capability_entries":[
{
"operation":"create",
"object_type":"RESOURCE_GROUP"
},
{
"operation":"delete",
"object_type":"RESOURCE_GROUP"
},
{
"operation":"update",
"object_type":"RESOURCE_GROUP"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":51,
"description":"Manage Configuration Information",
"providers":[
"ViewConfig"
],
"hidden":false,
"name":"ManageConfig",
"capability_entries":[
{
"operation":"update",
"object_type":"CONFIG"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":52,
"description":"Access a physical node's console",
"providers":[
"ViewNodes"
],
"hidden":false,
"name":"AccessConsole",
"capability_entries":[
{
"operation":"view",
"object_type":"CONSOLE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":53,
"description":"Access a cluster's dashboard",
"providers":[
"ViewApplications",
"ViewBackups",
"ViewConfig",
"ViewNodes",
"ViewEvents"
],
"hidden":false,
"name":"AccessDashboard",
"capability_entries":[
{
"operation":"view",
"object_type":"DASHBOARD"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":55,
"description":"Manage Log Collection Information",
"providers":[
"ViewLogCollections",
"ViewJobs"
],
"hidden":false,
"name":"ManageLogCollections",
"capability_entries":[
{
"operation":"create",
"object_type":"LOG_COLLECT"
},
{
"operation":"delete",
"object_type":"LOG_COLLECT"
},
{
"operation":"update",
"object_type":"LOG_COLLECT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":57,
"description":"Manage File Collection Information",
"providers":[
"ViewFileCollections"
],
"hidden":false,
"name":"ManageFileCollections",
"capability_entries":[
{
"operation":"create",
"object_type":"FILE_COLLECTION"
},
{
"operation":"delete",
"object_type":"FILE_COLLECTION"
},
{
"operation":"update",
"object_type":"FILE_COLLECTION"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":59,
"description":"Manage Physical Nodes",
"providers":[
"ViewApplications",
"ViewNodes"
],
"hidden":false,
"name":"ManageNodes",
"capability_entries":[
{
"operation":"create",
"object_type":"NODE"
},
{
"operation":"delete",
"object_type":"NODE"
},
{
"operation":"pruneimage",
"object_type":"NODE"
},
{
"operation":"update",
"object_type":"NODE"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":61,
"description":"Manage System Events and Alerts",
"providers":[
"ViewEvents"
],
"hidden":false,
"name":"ManageEvents",
"capability_entries":[
{
"operation":"create",
"object_type":"EVENT"
},
{
"operation":"delete",
"object_type":"EVENT"
},
{
"operation":"update",
"object_type":"EVENT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":63,
"description":"Manage Jobs",
"providers":[
"ViewJobs"
],
"hidden":false,
"name":"ManageJobs",
"capability_entries":[
{
"operation":"delete",
"object_type":"JOB"
},
{
"operation":"update",
"object_type":"JOB"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":65,
"description":"Manage Zones",
"providers":[
"ViewZones"
],
"hidden":false,
"name":"ManageZones",
"capability_entries":[
{
"operation":"create",
"object_type":"ZONE"
},
{
"operation":"delete",
"object_type":"ZONE"
},
{
"operation":"update",
"object_type":"ZONE"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":67,
"description":"Manage Workflows",
"providers":[
"ViewWorkflow"
],
"hidden":false,
"name":"ManageWorkflow",
"capability_entries":[
{
"operation":"create",
"object_type":"WORKFLOW"
},
{
"operation":"delete",
"object_type":"WORKFLOW"
},
{
"operation":"update",
"object_type":"WORKFLOW"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":71,
"description":"Create Storage Repos",
"providers":[
"ViewStorageRepos"
],
"hidden":false,
"name":"CreateStorageRepos",
"capability_entries":[
{
"operation":"create",
"object_type":"REPO_CATALOG"
},
{
"operation":"delete",
"object_type":"REPO_CATALOG"
},
{
"operation":"create",
"object_type":"STORAGE_REPO"
},
{
"operation":"delete",
"object_type":"STORAGE_REPO"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Infrastructure",
"id":72,
"description":"Use Storage Repos",
"providers":[
"ViewStorageRepos"
],
"hidden":false,
"name":"UseStorageRepos",
"capability_entries":[
{
"operation":"push",
"object_type":"STORAGE_REPO"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Infrastructure",
"id":73,
"description":"Manage Storage Repos",
"providers":[
"ViewStorageRepos",
"UseStorageRepos"
],
"hidden":false,
"name":"ManageStorageRepos",
"capability_entries":[
{
"operation":"update",
"object_type":"REPO_CATALOG"
},
{
"operation":"purge",
"object_type":"STORAGE_REPO"
},
{
"operation":"reclaim",
"object_type":"STORAGE_REPO"
},
{
"operation":"scan",
"object_type":"STORAGE_REPO"
},
{
"operation":"update",
"object_type":"STORAGE_REPO"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin",
"user"
]
},
{
"capability_group":"Application",
"id":74,
"description":"Share Storage Repos with tenants",
"providers":[
"ViewStorageRepos",
"UseStorageRepos"
],
"hidden":false,
"name":"TenantShareRepos",
"capability_entries":[
{
"operation":"tenant_share",
"object_type":"STORAGE_REPO"
},
{
"operation":"tenant_unshare",
"object_type":"STORAGE_REPO"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Application",
"id":75,
"description":"Share Storage Repos with tenant users",
"providers":[
"ViewStorageRepos",
"UseStorageRepos"
],
"hidden":false,
"name":"UserShareRepos",
"capability_entries":[
{
"operation":"user_share",
"object_type":"STORAGE_REPO"
},
{
"operation":"user_unshare",
"object_type":"STORAGE_REPO"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":77,
"description":"Manage NFS exports",
"providers":[
"ViewNFSExports"
],
"hidden":false,
"name":"ManageNFSExports",
"capability_entries":[
{
"operation":"create",
"object_type":"NFS_EXPORTS"
},
{
"operation":"delete",
"object_type":"NFS_EXPORTS"
},
{
"operation":"update",
"object_type":"NFS_EXPORTS"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":78,
"description":"Generate reports",
"providers":[
],
"hidden":false,
"name":"GenerateReports",
"capability_entries":[
{
"operation":"view",
"object_type":"REPORT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":79,
"description":"Share various objects with tenants",
"providers":[
],
"hidden":false,
"name":"ShareObjectsWithTenants",
"capability_entries":[
{
"operation":"tenant_share",
"object_type":"BUNDLE"
},
{
"operation":"tenant_share",
"object_type":"DOCKER_REGISTRY"
},
{
"operation":"tenant_share",
"object_type":"IMAGE"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":80,
"description":"Change the owner for various objects",
"providers":[
],
"hidden":false,
"name":"ChangeOwner",
"capability_entries":[
{
"operation":"change_owner",
"object_type":"APPLICATION"
},
{
"operation":"change_owner",
"object_type":"BUNDLE"
},
{
"operation":"change_owner",
"object_type":"DOCKER_REGISTRY"
},
{
"operation":"change_owner",
"object_type":"IMAGE"
},
{
"operation":"change_owner",
"object_type":"INSTANCE"
},
{
"operation":"change_owner",
"object_type":"K8S_APPLICATION"
},
{
"operation":"change_owner",
"object_type":"NAMESPACE"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"Infrastructure",
"id":81,
"description":"Manage Tenants, Tenant users and their properties",
"providers":[
],
"hidden":false,
"name":"ManageTenantResources",
"capability_entries":[
{
"operation":"manage_resources",
"object_type":"TENANT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":83,
"description":"Manage Users and their properties",
"providers":[
"ViewUsers",
"ManageUserCapabilities"
],
"hidden":false,
"name":"ManageUsers",
"capability_entries":[
{
"operation":"create",
"object_type":"USER"
},
{
"operation":"delete",
"object_type":"USER"
},
{
"operation":"update",
"object_type":"USER"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":85,
"description":"Update roles for users",
"providers":[
],
"hidden":false,
"name":"UpdateUserRole",
"capability_entries":[
{
"operation":"update_role",
"object_type":"USER"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"User",
"id":87,
"description":"Update Tenants, Tenant users and their properties",
"providers":[
"ViewUsers",
"ViewTenants"
],
"hidden":false,
"name":"UpdateTenants",
"capability_entries":[
{
"operation":"update",
"object_type":"TENANT"
}
],
"tenant_roles":[
"tenantadmin"
]
},
{
"capability_group":"User",
"id":88,
"description":"Manage Tenants, Tenant users and their properties",
"providers":[
"ViewUsers",
"ViewTenants"
],
"hidden":false,
"name":"ManageTenants",
"capability_entries":[
{
"operation":"add_users",
"object_type":"TENANT"
},
{
"operation":"create",
"object_type":"TENANT"
},
{
"operation":"delete",
"object_type":"TENANT"
},
{
"operation":"update",
"object_type":"TENANT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":90,
"description":"Manage User Capabilities and their properties",
"providers":[
"ViewUserCapabilities"
],
"hidden":false,
"name":"ManageUserCapabilities",
"capability_entries":[
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"User",
"id":91,
"description":"Create, Update, and Delete User Capabilities",
"providers":[
"ManageUserCapabilities"
],
"hidden":false,
"name":"CreateUserCapabilities",
"capability_entries":[
{
"operation":"create",
"object_type":"USER_CAPABILITY"
},
{
"operation":"delete",
"object_type":"USER_CAPABILITY"
},
{
"operation":"update",
"object_type":"USER_CAPABILITY"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":93,
"description":"Manage Tiller objects",
"providers":[
"ViewTiller"
],
"hidden":false,
"name":"ManageTiller",
"capability_entries":[
{
"operation":"create",
"object_type":"K8S_TILLER"
},
{
"operation":"delete",
"object_type":"K8S_TILLER"
},
{
"operation":"update",
"object_type":"K8S_TILLER"
}
],
"tenant_roles":[
"superadmin",
"tenantadmin"
]
},
{
"capability_group":"User",
"id":95,
"description":"Manage LDAP\/Active Directory services and their properties",
"providers":[
"ViewDirectoryServices"
],
"hidden":false,
"name":"ManageDirectoryServices",
"capability_entries":[
{
"operation":"create",
"object_type":"LDAP"
},
{
"operation":"delete",
"object_type":"LDAP"
},
{
"operation":"update",
"object_type":"LDAP"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":97,
"description":"Manage OpenShift users\/groups and their properties",
"providers":[
"ViewOpenShift"
],
"hidden":false,
"name":"ManageOpenShift",
"capability_entries":[
{
"operation":"create",
"object_type":"OPEN_SHIFT"
},
{
"operation":"delete",
"object_type":"OPEN_SHIFT"
},
{
"operation":"update",
"object_type":"OPEN_SHIFT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"User",
"id":99,
"description":"Manage user audit properties",
"providers":[
"ViewUserAudit"
],
"hidden":false,
"name":"ManageUserAudit",
"capability_entries":[
{
"operation":"create",
"object_type":"USER_AUDIT"
},
{
"operation":"delete",
"object_type":"USER_AUDIT"
},
{
"operation":"update",
"object_type":"USER_AUDIT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":102,
"description":"Manage Kubernetes resources",
"providers":[
"ViewK8s"
],
"hidden":false,
"name":"ManageK8s",
"capability_entries":[
{
"operation":"create",
"object_type":"K8S_MASTER"
},
{
"operation":"delete",
"object_type":"K8S_MASTER"
},
{
"operation":"update",
"object_type":"K8S_MASTER"
},
{
"operation":"update",
"object_type":"K8S_NODE"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Infrastructure",
"id":103,
"description":"Manage Kubernetes resources",
"providers":[
],
"hidden":false,
"name":"ManageK8sUsers",
"capability_entries":[
{
"operation":"create",
"object_type":"K8S_USER_CONTEXT"
},
{
"operation":"delete",
"object_type":"K8S_USER_CONTEXT"
},
{
"operation":"update",
"object_type":"K8S_USER_CONTEXT"
},
{
"operation":"view",
"object_type":"K8S_USER_CONTEXT"
}
],
"tenant_roles":[
"superadmin"
]
},
{
"capability_group":"Administration",
"id":106,
"description":"All Super Admin Capabilities",
"providers":[
"AllCapabilities"
],
"hidden":false,
"name":"AllSuperAdminCapabilities",
"capability_entries":[
],
"tenant_roles":[
]
},
{
"capability_group":"Administration",
"id":107,
"description":"All User Capabilities",
"providers":[
"CloneApplications",
"CreateApplications",
"ViewNamespaces",
"UseNamespaces",
"ManageNamespaces",
"ViewBackups",
"CreateBackups",
"DeleteBackups",
"PurgeBackups",
"ViewUserAuth",
"CreateBundles",
"CreateImages",
"CreatePrivelegedApps",
"CreateStorageRepos",
"DeleteApplications",
"DownloadFiles",
"ManageInstances",
"ManageK8sApplications",
"ManageStorageRepos",
"SnapshotApplications",
"BackupApplications",
"ViewApplications",
"ViewBundles",
"ViewChargeback",
"ViewConfig",
"ViewDocker",
"ViewEvents",
"ViewFileCollections",
"ViewImages",
"ViewInstances",
"ViewJobs",
"ViewK8sApplications",
"ViewK8sUserAuth",
"ViewNetworking",
"ViewNFSExports",
"ViewNodes",
"ViewResourceGroups",
"ViewResourcePools",
"ViewStorageArray",
"ViewStorageRepos",
"UseStorageRepos",
"ViewSystem",
"ViewTags",
"ViewTiller",
"ViewZones",
"ViewWorkflow"
],
"hidden":false,
"name":"AllUserCapabilities",
"capability_entries":[
],
"tenant_roles":[
]
},
{
"capability_group":"Administration",
"id":108,
"description":"All Cluster User Capabilities",
"providers":[
"ManageK8sApplications",
"ManageK8sBackups",
"ViewJobs",
"CreateStorageRepos",
"ManageStorageRepos",
"ViewTiller",
"ViewK8sUserAuth"
],
"hidden":false,
"name":"AllClusterUserCapabilities",
"capability_entries":[
],
"tenant_roles":[
]
},
{
"capability_group":"Administration",
"id":109,
"description":"All Cluster Admin Capabilities",
"providers":[
"AllCapabilities"
],
"hidden":false,
"name":"AllClusterAdminCapabilities",
"capability_entries":[
],
"tenant_roles":[
]
},
{
"capability_group":"Administration",
"id":110,
"description":"All Tenant Admin Capabilities",
"providers":[
"ViewObjectShares",
"AccessConsole",
"AccessDashboard",
"ChangeOwner",
"CloneApplications",
"CreateApplications",
"ViewNamespaces",
"UseNamespaces",
"ManageNamespaces",
"ShareNamespaces",
"ViewBackups",
"CreateBackups",
"DeleteBackups",
"ImportBackups",
"ExportBackups",
"PurgeBackups",
"UserShareBackups",
"CreateBundles",
"CreateImages",
"CreatePrivelegedApps",
"CreateStorageRepos",
"DeleteApplications",
"DownloadFiles",
"ManageApplications",
"ShareApplications",
"ManageApplicationResources",
"ManageDocker",
"ManageInstances",
"ManageK8s",
"ManageK8sApplications",
"ShareK8sApplications",
"ManageResourceGroups",
"ManageStorageRepos",
"UserShareRepos",
"ManageTiller",
"ManageUserCapabilities",
"SnapshotApplications",
"BackupApplications",
"UpdateTenants",
"UpdateUserRole",
"UseStorageRepos",
"ViewApplications",
"ViewBundles",
"ViewChargeback",
"ViewConfig",
"ViewDocker",
"ViewEvents",
"ViewFileCollections",
"ViewImages",
"ViewInstances",
"ViewJobs",
"ViewK8sApplications",
"ViewK8sUserAuth",
"ViewNetworking",
"ViewNFSExports",
"ViewNodes",
"ViewResourceGroups",
"ViewResourcePools",
"ViewStorageArray",
"ViewStorageRepos",
"ViewSystem",
"ViewTags",
"ViewTenants",
"ViewTiller",
"ViewUsers",
"ViewUserAuth",
"ViewUserCapabilities",
"ViewZones",
"ViewWorkflow",
"ManageWorkflow"
],
"hidden":false,
"name":"AllTenantAdminCapabilities",
"capability_entries":[
],
"tenant_roles":[
]
},
{
"capability_group":"Custom",
"id":115,
"description":"Custom user capability",
"providers":[
"ManageApplications"
],
"hidden":false,
"name":"CustomUserCapability",
"capability_entries":[
{
"operation":"backup",
"object_type":"APPLICATION"
},
{
"operation":"restore",
"object_type":"APPLICATION"
}
],
"tenant_roles":[
"user",
"tenantadmin",
"superadmin"
]
}
]
}
7.5.2. Add a custom user capability¶
Issue the following command to add a custom user capability:
# robin capabilities add <name> <description> <tenant_roles>
--providers <providers>
--capability-entries <capability_entries>
--hidden
|
Name of custom user capability |
|
Description of User Capability |
|
Comma separated list of Tenant Roles. One or more of ‘superadmin’, ‘tenantadmin’, ‘user’ is required. |
|
Optional comma separated list of provider user capabilities. |
|
Optional comma separated list of capability entries in the following format: ‘<object_type>:<operation>’. |
|
Hide a user capability when listing (defaul is not hidden). |
Example:
# robin capabilities add CustomUserCapability "Custom user capability" user --providers ManageApplications
Custom User Capability 'CustomUserCapability' successfully added
# robin capabilities list CustomUserCapability --full
Group | Name | Hidden | Description
-------+----------------------+--------+------------------------
Custom | CustomUserCapability | False | Custom user capability
Tenant Roles:
user
Providers:
ManageApplications
Capability Entries:
7.5.3. Remove a custom user capability¶
Issue the following command to remove a custom user capability:
# robin capabilities remove <name>
|
Name of custom user capability to remove |
Example:
# robin capabilities remove CustomUserCapability
Deleted User Capability 'CustomUserCapability'
7.5.4. Update a custom user capability¶
Issue the following command to update a custom user capability:
# robin capabilities update <name>
--description <description>
--tenant-roles <tenant_roles>
--providers <providers>
--capability-entries <capability_entries>
--hide
--expose
|
Name of custom user capability to remove |
|
Description of User Capability |
|
A comma separated list of Tenant Roles. One or more of ‘superadmin’, ‘tenantadmin’, ‘user’ is required. |
|
Optional comma separated list of provider user capabilities. |
|
Optional comma separated list of capability entries in the following format: ‘<object_type>:<operation>’. |
|
Hide user capability when listing. |
|
Include user capability when listing. |
Example:
# robin capabilities update CustomUserCapability --capability-entries APPLICATION:backup,APPLICATION:restore --tenant-roles user,tenantadmin,superadmin
User Capability 'CustomUserCapability' has been updated
# robin capabilities list CustomUserCapability --full
Group | Name | Hidden | Description
-------+----------------------+--------+------------------------
Custom | CustomUserCapability | False | Custom user capability
Tenant Roles:
user
tenantadmin
superadmin
Providers:
ManageApplications
Capability Entries:
APPLICATION backup
APPLICATION restore
Note
When updating a custom user capability, the values provided for
providers and capability entries will replace the the current
values. To add or remove one or more providers or capability
entries, use the add-capability-entries
,
remove-capability-entries
, add-providers
, or
remove-providers
sub-commands.
7.5.5. Add capability entries to a custom user capability¶
Issue the following command to add one or more capability entries (permissions) to a custom user capability:
# robin capabilities add-capability-entries <name> <capability_entries>
|
Name of custom user capability to remove |
|
Comma separated list of capability entries in the following format: ‘<object_type>:<operation>’. |
Example:
# robin capabilities add-capability-entries CustomUserCapability BUNDLE:view,BUNDLE:create,BUNDLE:delete
One or more Capability Entries for User Capability 'CustomUserCapability' have been added
7.5.6. Remove capability entries from a custom user capability¶
Issue the following command to remove one or more capability entries (permissions) from a custom user capability:
# robin capabilities remove-capability-entries <name> <capability_entries>
|
Name of custom user capability to remove |
|
Comma separated list of capability entries in the following format: ‘<object_type>:<operation>’. |
Example:
# robin capabilities remove-capability-entries CustomUserCapability BUNDLE:view,BUNDLE:create,BUNDLE:delete
One or more Capability Entries for User Capability 'CustomUserCapability' have been removed
7.5.7. Add providers to a custom user capability¶
Issue the following command to add one or providers to a custom user capability:
# robin capabilities add-providers <name> <providers>
|
Name of custom user capability to remove |
|
Comma separated list of user capability providers to add |
Example:
# robin capabilities add-providers CustomUserCapability CreateImages,CreateBundles
One or more Providers for User Capability 'CustomUserCapability' have been added
# robin capabilities list --full CustomUserCapability
Group | Name | Hidden | Description
-------+----------------------+--------+------------------------
Custom | CustomUserCapability | False | Custom user capability
Tenant Roles:
user
tenantadmin
superadmin
Providers:
ManageApplications
CreateImages
CreateBundles
Capability Entries:
APPLICATION backup
APPLICATION restore
7.5.8. Remove providers from a custom user capability¶
Issue the following command to remove one or providers from a custom user capability:
# robin capabilities remove-providers <name> <providers>
|
Name of custom user capability to remove |
|
Comma separated list of user capability providers to add |
Example:
# robin capabilities remove-providers CustomUserCapability CreateImages,CreateBundles
One or more Providers for User Capability 'CustomUserCapability' have been removed
7.6. Object sharing operations¶
7.7. User management operations¶
7.7.1. Add a user¶
To add a new user to the Robin cluster, issue the following command:
# robin user add <username> <tenant> <tenant_role> [<user_capabilities>]
--password <password>
--ldap
--ldap-server <ldap_server>
--ldap-user-dn <ldap_user_dn>
--first-name <first_name>
--last-name <last_name>
--email <email_address>
--namespace <namespace>
--import-namespace
|
The user’s Robin cluster username. Note that this username can only contain .-_ and alphanumeric characters |
|
Name of the tenant to add the user to |
|
Role to assign to the user (superadmin, tenantadmin, user) |
|
Optional comma-separated list of tenant specific capabilities to assign to the user. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If no capabilities need to be granted to the user, then specify ‘NoCapabilities’ on the command line |
|
User password (for testing only) |
|
Authentication with an LDAP server |
|
Name of LDAP server user will get authentication from |
|
The LDAP DN to use when authenticating the user (if the user is in a non-standard location in the tree or does not conform to normal user DN conventions) |
|
First name for user being added |
|
Last name for user being added |
|
Email address for user being added |
|
The primary namespace to assign to a user when adding them to a tenant. If no namespace is supplied for the user, then one will be created and assigned to them. If the namespace does not already exist, it will be created. If the namespace is already bound to the tenant, then its ownership will be transferred to the newly added user (along with any applications that have been deployed in this namespace) |
|
Import the specified Kubernetes namespace if it exists |
Example 1 (Add a user to a tenant):
# robin user add user2 t1 user
Password: <user_password>
Retype password: <user_password>
Successfully added user 'user2'
Example 2 (Add a user and assign them a custom primary namespace name):
# robin user add user5 t3 user --namespace user5-ns
Password:
Retype password:
Successfully added user 'user5'
# robin user list user5
ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication
---+----------+-----------+-------+---------+----------------+--------------+-------------------+----------------
10 | user5 | | | t3 | t3 | user | user5-ns | local
Note
The ability to add users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the superadmin role) have permission to do this.
7.7.2. Update a user¶
To update a Robin user’s attributes, issue the following command:
# robin user update <username>
--password, -p
--first-name <first_name>
--last-name <last_name>
--email <email_address>
|
The username for the Robin user to update attributes for |
|
Change a user’s password |
|
First name for user being added |
|
Last name for user being added |
|
Email address for user being added |
Example:
# robin user update u1 --first-name demo-user
Successfully updated user u1
Note
The ability to update users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the superadmin role) have permission to do so.
Updates a Robin user’s attributes.
End Point: /api/v3/robin_server/users/<username>
Method: PUT
URL Parameters: None
Data Parameters:
action: update
- This mandatory field within the payload specifies that the update operation is to be performed.user_info: <dict_of_key_value_pairs>
–password: <password>
- Utilizing this parameter within the dictionary by specifying a new password results in the user’s password being changed to the given value.first_name: <first_name>
- Utilizing this parameter within the dictionary by specifying a first name results in the user’s first name being changed to the given value.last_name: <last_name>
- Utilizing this parameter within the dictionary by specifying a last name results in the user’s last name being changed to the given value.email: <email>
- Utilizing this parameter within the dictionary by specifying an email results in the user’s email being changed to the given value.
Port: RCM Port (default value is 29442)
Headers:
Authorization: <auth_token>
: Authorization token to identify which user is sending the request. The token can be acquired from the login API.
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error)
Example Response:
Output
{
"message":"Successfully updated user robin\n"
}
7.7.3. Remove a user¶
To remove a Robin user, issue the following command:
# robin user remove <username> [<replacement_users>]
--keep-k8s-namespaces
--yes, -y
|
Comma separated list of usernames for users being removed (can be a single username as well) |
|
Comma separated list of replacement users. Each replacement user consists of two elements, ‘tenant’ and ‘replacement_user’, in the following format <tenant>:<replacement_user>. Ownership of all namespaces and apps owned by a user being removed from a tenant will be assigned to the replacement user for that tenant (if supplied) |
|
Don’t delete a user’s Kubernetes namespaces when removing them |
|
Do not prompt for confirmation |
Example 1 (Remove a user):
# robin user remove user2
Are you sure you want to delete [y/n] ? y
Deleted user user2.
Example 2 (Remove a user and reassign ownership of their primary namespace to another user):
# robin user list user5
ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication
---+----------+-----------+-------+---------+----------------+--------------+-------------------+----------------
10 | user5 | | | t3 | t3 | user | user5-ns | local
# robin user remove user5 t3:admin3 -y
Deleted user user5.
# robin namespace list --tenant t3
+--------------+--------------+-------------------+
| Name | Owner/Tenant | Primary Namespace |
+--------------+--------------+-------------------+
| t004-u000011 | admin3/t3 | True |
| user5-ns | admin3/t3 | False |
+--------------+--------------+-------------------+
Example 3: Remove a user and leave their Kubernetes namespaces in place
# robin namespace list --username user6
+-------------+--------------+-------------------+
| Name | Owner/Tenant | Primary Namespace |
+-------------+--------------+-------------------+
| user6-t3-ns | user6/t3 | True |
+-------------+--------------+-------------------+
# robin user remove user6 --keep-k8s-namespaces -y
Deleted user user6.
# kubectl get namespace user6-t3-ns
NAME STATUS AGE
user6-t2-ns Active 89m
Note
The ability to remove users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the superadmin role) have permission to do so.
The last local user assigned the superadmin role cannot be removed from the system.
Removes a Robin user.
End Point: /api/v3/robin_server/users
Method: DELETE
URL Parameters: None
Data Parameters:
username: <username>
- This mandatory field within the payload specifies the name of ther user to be deleted.delete_namespaces: false
- Utilizing this paremeter within the payload results in the user’s Kubernetes namespace not being deleted even when they are removed. The default value is True.replacement_users: <list_of_dicts>
–tenant: <tenant_name>
- This mandatory field within the dictionary specifies the tenant in which to replace the user being removed. Note they have to be part of this tenant already.replacement_user: <replacement_username>
- This mandatory field within the dictionary specifies the username of the user to replace the one being removed within the aforementioned tenant.
Note
The replacement_users
field is not mandatory.
Port: RCM Port (default value is 29442)
Headers:
Authorization: <auth_token>
: Authorization token to identify which user is sending the request. The token can be acquired from the login API.
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 404 (Not Found Error), 401 (Unauthorized Error), 400 (Invalid API Usage Error)
Example Response:
Output
{
"message":"Deleted user user2.\n\n"
}
7.7.4. List users¶
To list information about Robin users, issue the following command:
# robin user list [<username>]
--all, -a
--full
--permissions
|
The username of the Robin user to display information for |
|
List all users including hidden, disabled, and deleted users |
|
Display additional information about each user (e.g., access permissions) |
|
List individual user permissions |
Example:
# robin user list
ID | Username | Full Name | Email | Tenants | Current Tenant | Current Role | Current Namespace | Authentication
---+----------+---------------+-------+----------------+----------------+--------------+-------------------+----------------
3 | robin | Robin Systems | | Administrators | Administrators | superadmin | t001-u000003 | local
4 | admin1 | | | t1 | t1 | tenantadmin | t003-u000004 | local
5 | user1 | | | t1 | t1 | user | t003-u000005 | local
6 | user2 | | | t1 | t1 | user | t003-u000006 | local
Note
The ability to list users is subject to Role Based Access Control (RBAC). By default, only Cluster Administrators (users having the superadmin role) have permission to do so.
Returns information about all Robin users including details such as the tenants they are associated with, current namespace and current role.
End Point: /api/v5/robin_server/users
Method: GET
URL Parameters:
disabled=true
: Utilizing this parameter results in disabled users also being returned alongside normal users.hidden=true
: Utilizing this parameter results in hidden users also being returned alongside normal users.deleted=true
: Utilizing this parameter results in deleted users also being returned alongside normal users.
Data Parameters: None
Port: RCM Port (default value is 29442)
Headers:
Authorization: <auth_token>
: Authorization token to identify which user is sending the request. The token can be acquired from the login API.
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 401 (Unauthorized Error)
Example Response:
Output
{
"items":[
{
"first_name":"Robin",
"user_context":"robin",
"tenant":"Administrators",
"username":"robin",
"user_context_id":3,
"tenant_id":1,
"permissions":{
},
"ldap_server_ref":null,
"tenants":[
{
"user_capabilities":[
"AllSuperAdminCapabilities"
],
"tenant_role":"superadmin",
"name":"Administrators"
}
],
"authentication":"local",
"hidden":false,
"user_id":3,
"email":null,
"last_name":"Systems",
"user_contexts":[
{
"user_credential_ref":3,
"tenant_ref":1,
"tenant":"Administrators",
"user_credential":"",
"name":"robin",
"user_ref":3,
"username":"robin",
"namespace":"t001-u000003",
"id":3,
"context_type":"ROBIN_CONTEXT"
}
],
"current_role":"superadmin",
"deleted":false
},
{
"first_name":null,
"user_context":"user3",
"tenant":"t3",
"username":"user3",
"user_context_id":5,
"tenant_id":3,
"permissions":{
},
"ldap_server_ref":null,
"tenants":[
{
"user_capabilities":[
"ViewApplications",
"CreateApplications",
"SnapshotApplications",
"BackupApplications",
"CloneApplications",
"DeleteApplications",
"ViewSystem",
"ViewK8sApplications",
"ManageK8sApplications",
"ViewImages",
"CreateImages",
"ViewBundles",
"CreateBundles",
"ViewInstances",
"ManageInstances",
"ViewDocker",
"ViewNetworking",
"ViewResourcePools",
"ViewTags",
"ViewResourceGroups",
"ViewChargeback",
"ViewConfig",
"ViewFileCollections",
"ViewNodes",
"ViewEvents",
"ViewJobs",
"ViewZones",
"ViewWorkflow",
"ViewStorageArray",
"ViewStorageRepos",
"UseStorageRepos",
"ViewNFSExports",
"ViewTiller",
"DownloadFiles",
"ViewK8sUserAuth",
"ViewNamespaces",
"UseNamespaces",
"ManageNamespaces",
"ViewUserAuth",
"CreateBackups",
"DeleteBackups",
"PurgeBackups",
"ManageApplications",
"ViewBackups"
],
"tenant_role":"user",
"name":"t3"
}
],
"authentication":"local",
"hidden":false,
"user_id":4,
"email":null,
"last_name":null,
"user_contexts":[
{
"user_credential_ref":5,
"tenant_ref":3,
"tenant":"t3",
"user_credential":"robin",
"name":"user3",
"user_ref":4,
"username":"user3",
"namespace":"t003-u000004",
"id":5,
"context_type":"ROBIN_CONTEXT"
}
],
"current_role":"user",
"deleted":false
},
{
"first_name":null,
"user_context":"user5",
"tenant":"t4",
"username":"user5",
"user_context_id":6,
"tenant_id":6,
"permissions":{
},
"ldap_server_ref":null,
"tenants":[
{
"user_capabilities":[
"ViewApplications",
"CreateApplications",
"SnapshotApplications",
"BackupApplications",
"CloneApplications",
"DeleteApplications",
"ViewSystem",
"ViewK8sApplications",
"ManageK8sApplications",
"ViewImages",
"CreateImages",
"ViewBundles",
"CreateBundles",
"ViewInstances",
"ManageInstances",
"ViewDocker",
"ViewNetworking",
"ViewResourcePools",
"ViewTags",
"ViewResourceGroups",
"ViewChargeback",
"ViewConfig",
"ViewFileCollections",
"ViewNodes",
"ViewEvents",
"ViewJobs",
"ViewZones",
"ViewWorkflow",
"ViewStorageArray",
"ViewStorageRepos",
"UseStorageRepos",
"ViewNFSExports",
"ViewTiller",
"DownloadFiles",
"ViewK8sUserAuth",
"ViewNamespaces",
"UseNamespaces",
"ManageNamespaces",
"ViewUserAuth",
"CreateBackups",
"DeleteBackups",
"PurgeBackups",
"ManageApplications",
"ViewBackups"
],
"tenant_role":"user",
"name":"t4"
}
],
"authentication":"local",
"hidden":false,
"user_id":5,
"email":null,
"last_name":null,
"user_contexts":[
{
"user_credential_ref":6,
"tenant_ref":6,
"tenant":"t4",
"user_credential":"user5",
"name":"user5",
"user_ref":5,
"username":"user5",
"namespace":"t006-u000005",
"id":6,
"context_type":"ROBIN_CONTEXT"
}
],
"current_role":"user",
"deleted":false
},
{
"first_name":null,
"user_context":"user6",
"tenant":"t5",
"username":"user6",
"user_context_id":7,
"tenant_id":7,
"permissions":{
},
"ldap_server_ref":null,
"tenants":[
{
"user_capabilities":[
"ViewApplications",
"CreateApplications",
"SnapshotApplications",
"BackupApplications",
"CloneApplications",
"DeleteApplications",
"ViewSystem",
"ViewK8sApplications",
"ManageK8sApplications",
"ViewImages",
"CreateImages",
"ViewBundles",
"CreateBundles",
"ViewInstances",
"ManageInstances",
"ViewDocker",
"ViewNetworking",
"ViewResourcePools",
"ViewTags",
"ViewResourceGroups",
"ViewChargeback",
"ViewConfig",
"ViewFileCollections",
"ViewNodes",
"ViewEvents",
"ViewJobs",
"ViewZones",
"ViewWorkflow",
"ViewStorageArray",
"ViewStorageRepos",
"UseStorageRepos",
"ViewNFSExports",
"ViewTiller",
"DownloadFiles",
"ViewK8sUserAuth",
"ViewNamespaces",
"UseNamespaces",
"ManageNamespaces",
"ViewUserAuth",
"CreateBackups",
"DeleteBackups",
"PurgeBackups",
"ManageApplications",
"ViewBackups"
],
"tenant_role":"user",
"name":"t5"
}
],
"authentication":"local",
"hidden":false,
"user_id":6,
"email":null,
"last_name":null,
"user_contexts":[
{
"user_credential_ref":7,
"tenant_ref":7,
"tenant":"t5",
"user_credential":"user6",
"name":"user6",
"user_ref":6,
"username":"user6",
"namespace":"t007-u000006",
"id":7,
"context_type":"ROBIN_CONTEXT"
}
],
"current_role":"user",
"deleted":false
}
]
}
7.7.5. User login¶
Run the following command to initiate a Robin cluster login session:
# robin login <username>
--password <password>
--tenant <tenant>
--namespace <namespace>
|
The username for the user logging into the Robin cluster |
|
User password (for testing only) |
|
Name of tenant the user will be logged into (default is the same tenant from previous login) |
|
Change the current namespace for the user who is logging in. Note that only the user’s assigned namespace for the tenant they are logging into will be accepted at this time |
Example:
# robin login robin --tenant Administrators
Password:
User robin is logged into Administrators tenant
Logs a user into a tenant.
End Point: /api/v3/robin_server/login
Method: POST
URL Parameters: None
Data Parameters:
username: <username>
- This mandatory field within the payload specifies the username of the user to login as.password: <password>
- This mandatory field within the payload specifies the password of the user to login as.tenant: <tenant>
- Utilizing this parameter by specifying a tenant name results in the user being logged into the aforementioned tenant. If not specified the tenant from the previous login will be used.namespace: <namespace>
- Utilizing this parameter by specifying a namespace results in the user’s current namespace changing to the aforementioned namespace. Note that only the user’s assigned namespace for the tenant they are logging into will be accepted at this time.
Port: RCM Port (default value is 29442)
Headers: None
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 401 (Unauthorized Error)
Example Response:
Output
{
"token_timestamp":1599752493,
"tenant":"Administrators",
"staas":false,
"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1OTk3NTI0OTMsInVzZXJfaWQiOjMsInRlbmFudF9pZCI6MX0.vqxRGk-2ZHsXJH6Na9TSITP8qx2LklDWVcCBIyb5igY",
"zoneid":1595331866,
"role":"superadmin",
"tenants":[
"Administrators"
],
"namespace":"t001-u000003"
}
7.7.6. Change current user’s password¶
To change the password for the current Robin user, issue the following command:
# robin password change
Example:
# robin password change
Password: <new_password>
Retype password: <new_password>
Password for current user has been updated
Changes the password for the current Robin user.
End Point: /api/v3/robin_server/login
Method: PUT
URL Parameters: None
Data Parameters:
action: change_password
- This mandatory field within the payload specifies that the change password operation is to be performed.password: <password>
- This mandatory field within the payload specifies the new password for the current user.
Port: RCM Port (default value is 29442)
Headers: None
Success Response Code: 200
Error Response Code: 500 (Internal Server Error), 401 (Unauthorized Error), 400 (Invalid Api Usage Error)
Example Response:
Output
{
"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTk3NTk1MTAsInVzZXJfaWQiOjMsInRlbmFudF9pZCI6MX0.t9jTYJgTnGYdedmL67ql9ETl-rcjmUFvK64bPE_Z5_g"
}
7.8. LDAP management operations¶
7.8.1. Add an LDAP server¶
Run the following command to add an LDAP server:
# robin ldap add-server <name> <hostname> <port> <server_type> <username> <search_base>
--user-base <user_base>
--group-base <group_base>
--netbios <netbios>
--password <password>
|
Name to assign to the LDAP server |
|
Hostname of the LDAP server |
|
Port number of the LDAP server |
|
Type of LDAP server. Valid choices are ‘OPEN_LDAP’ and ‘ACTIVE_DIRECTORY’ |
|
Username of the user with LDAP server access rights (read permissions minimum) |
|
LDAP search base. For example, |
|
Base DN to use when searching for users and when constructing a user’s dn |
|
Base DN to use when searching for groups and when constructing a group’s dn |
|
NetBIOS name to use when authenticating users (required when server type is ACTIVE_DIRECTORY) |
|
Password for supplied username (for testing only) |
Example 1 (Add an Active Directory LDAP server):
# robin ldap add-server ad1 10.9.53.5 389 ACTIVE_DIRECTORY administrator mydomain.com --netbios mydomain
Password:
Retype password:
Successfully added ldap server 'ad1'
Example 2 (Add an Open LDAP server):
# robin ldap add-server ldap1 ldap.forumsys.com 389 OPEN_LDAP cn=read-only-admin,dc=example,dc=com dc=example,dc=com
Password:
Retype password:
Successfully added ldap server 'ldap1'
7.8.2. Remove an LDAP server¶
Run the following command to remove an LDAP server:
# robin ldap remove-server <name>
|
Name of LDAP server to remove |
Example:
# robin ldap remove-server ldap1
Are you sure you want to delete [y/n] ? y
Successfully removed ldap server 'ldap1'
7.8.3. List LDAP servers¶
Run the following command to list LDAP servers:
# robin ldap list-servers <name>
|
Name to use when referencing the LDAP server. If no name is provided then all LDAP servers will be displayed |
Example:
# robin ldap list-servers
Name | Server Type | Hostname | Port | Username | Search Base | User Base | Group Base | NetBIOS
------+------------------+-------------------+------+--------------------------------------+------------------------+-----------+------------+--------------
ad1 | ACTIVE_DIRECTORY | 10.9.53.5 | 389 | administrator | dc=robinsystems,dc=com | | | ROBINSYSTEMS
ldap1 | OPEN_LDAP | ldap.forumsys.com | 389 | cn=read-only-admin,dc=example,dc=com | dc=example,dc=com | | |
7.8.4. List LDAP groups¶
Run the following command to list LDAP groups:
# robin ldap list-groups <ldap_server_name> [<groups>]
--search-base <search_base>
--ldap-filter <ldap_filter>
--raw
--json
|
Name of LDAP server to query for group info. |
|
Comma separated list of LDAP group names. If no group names are provided then all LDAP groups will be displayed. Note: listing of all groups can take a long time to complete |
|
Base DN for the LDAP group search |
|
LDAP filter that gets added to the base level group query filter. This option is not valid when group names are supplied on the command line |
|
Return records in raw LDAP format |
|
Output in JSON |
Example:
# robin ldap list-groups ldap1
Name | Members
---------------+-----------------------------------------------
Mathematicians | euclid,riemann,euler,gauss,test
Scientists | einstein,galileo,tesla,newton,training,jmacy
Italians | volta
Chemists | curie,boyle,nobel,pasteur
7.8.5. List LDAP users¶
Run the following command to list LDAP users:
# robin ldap list-users <ldap_server_name> [<users>]
--search-base <search_base>
--ldap-filter <ldap_filter>
--raw
--json
|
Name of LDAP server to query for user info. |
|
Comma-separated list of LDAP user names. If no user names are provided then all LDAP users will be displayed. Note: listing all users can take a long time to complete |
|
Base DN for the LDAP group search |
|
LDAP filter that gets added to the base level user query filter. Note: this option is not valid when user names are supplied on the command line |
|
Return records in raw LDAP format. |
|
Output in JSON |
Example:
# robin ldap list-users ldap1
Username | Email Address | User Principal Name | Object SID
---------+---------------+---------------------+--------------------------------------
newton | None | None | 050ce4de-2f64-1033-8989-a53eb149a944
einstein | None | None | 29f6dc28-2f64-1033-898b-a53eb149a944
tesla | None | None | 751b0a76-2f64-1033-898d-a53eb149a944
galileo | None | None | b9c53cb4-2f64-1033-898f-a53eb149a944
euler | None | None | 2bd3195a-2f67-1033-8994-a53eb149a944
gauss | None | None | 629ab718-2f67-1033-8996-a53eb149a944
riemann | None | None | 8bd472ea-2f67-1033-8998-a53eb149a944
euclid | None | None | ac5dc692-2f67-1033-899a-a53eb149a944
7.8.6. Import LDAP users¶
Run the following command to import one or more LDAP users:
# robin ldap import-users <ldap_server_name> <users> <tenant> <tenant_role> [<user_capabilities>]
--search-base <search_base>
|
Name of LDAP server to query for user info. |
|
Comma separated list of LDAP users to import. |
|
Tenant that all imported users will be made a member of |
|
User role for the tenant assigned to each imported user |
|
Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If it’s desired that no capabilities be granted to the user then specify ‘NoCapabilities’ on the command line |
|
Base DN for the LDAP group search |
Example:
# robin ldap import-users ldap1 newton,einstein,tesla t1 user
Successfully added multiple users: newton,einstein,tesla
7.8.7. Import LDAP group¶
Run the following command to import all members of an LDAP group:
# robin ldap import-group <ldap_server_name> <group> <tenant> <tenant_role> [<user_capabilities>]
--exclude-users <excluded_users>
--search-base <search_base>
|
Name of LDAP server to query for group info. |
|
Name of the LDAP group to import users from |
|
Tenant that all imported users will be made a member of |
|
User role for the tenant assigned to each imported user |
|
Optional comma separated list of tenant specific capabilities to assign to the each user being added. Note that if no capabilities are specified, then full capabilities for the specified role will be assigned. If it’s desired that no capabilities be granted to the user then specify ‘NoCapabilities’ on the command line |
|
Comma separated list of users to exclude from importation |
|
Base DN for the LDAP group search |
Example:
# robin ldap import-group ldap1 Italians t1 user
Imported LDAP users: volta
7.8.8. List LDAP Attributes¶
Run the following command to list LDAP attributes:
# robin ldap list-attributes --server-type <server_type>
--object-type <object_type>
|
Filter results based on LDAP server type. Valid choices are ‘OPEN_LDAP’ and ‘ACTIVE_DIRECTORY’ |
|
Filter results based on LDAP object type. Valid choices are ‘user’ and ‘group’ |
Example 1 (List all attributes for server type OPEN_LDAP):
# robin ldap list-attributes --server-type OPEN_LDAP
Server Type | Object Type | Attribute Name | Custom | Value
------------+-------------+---------------------+--------+-----------------------------------------------------------
OPEN_LDAP | | distinguished_name | | entryDN
OPEN_LDAP | | object_class | | objectClass
OPEN_LDAP | group | class_list | | ['posixGroup', 'groupOfNames', 'groupOfUniqueNames']
OPEN_LDAP | group | distinguished_name | | entryDN
OPEN_LDAP | group | group_name | | cn
OPEN_LDAP | group | members | | ['uniqueMember', 'member']
OPEN_LDAP | group | object_class | | objectClass
OPEN_LDAP | group | object_sid | | objectSid
OPEN_LDAP | user | class_list | | ['posixAccount', 'inetOrgPerson', 'organizationalPerson']
OPEN_LDAP | user | display_name | | displayName
OPEN_LDAP | user | distinguished_name | | entryDN
OPEN_LDAP | user | email_address | | emailAddress
OPEN_LDAP | user | first_name | | givenName
OPEN_LDAP | user | last_name | | sn
OPEN_LDAP | user | object_class | | objectClass
OPEN_LDAP | user | object_sid | | entryUUID
OPEN_LDAP | user | user_principal_name | | userPrincipalName
OPEN_LDAP | user | username | | ['uid', 'cn']
7.8.9. Update LDAP Attribute¶
Run the following command to update an LDAP attribute:
# robin ldap update-attribute <server_type> <object_type> <attribute_name> <value>
|
LDAP server type. Valid choices are ‘ACTIVE_DIRECTORY’ and ‘OPEN_LDAP’ |
|
LDAP object type. Valid choices are ‘user’, ‘group’, and ‘none’ |
|
LDAP attribute name |
|
LDAP attribute value |
Example:
# robin ldap update-attribute OPEN_LDAP group members member,uniqueMember
Successfully updated one or more LDAP attributes
Note
An LDAP attribute can apply globally (for a given server type) or it can
apply to a particular object type (user
or group
). When updating a
global attribute, specify none
for object type.
7.8.10. Reset LDAP Attribute¶
Run the following command to reset an LDAP attribute to its default value:
# robin ldap reset-attribute <server_type> <object_type> <attribute_name>
|
LDAP server type. Valid choices are ‘ACTIVE_DIRECTORY’ and ‘OPEN_LDAP’ |
|
LDAP object type. Valid choices are ‘user’, ‘group’, and ‘none’ |
|
LDAP attribute name |
Example:
# robin ldap reset-attribute OPEN_LDAP group members
Successfully updated one or more LDAP attributes
Note
An LDAP attribute can apply globally (for a given server type) or it can
apply to a particular object type (user
or group
). When updating a
global attribute, specify none
for object type.