Manage users using the CLI

This page describes the management of users licensed to work with the WEKA system.


Last updated 2 years ago

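Using the CLI, you can:

  • Create a local user
  • Change a local user password
  • Revoke user access
  • Update a local user
  • Delete a local user
  • Authenticate users from an LDAP user directory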

Create a local user

Command: weka user add

Use the following command line to create a local user:

weka user add <username> <role> [password] [--posix-uid uid] [--posix-gid gid]

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| username | String | Name for the new user | | Yes | |
| role | String | Role of the newly created user | regular, s3, readonly, orgadmin or clusteradmin | Yes | |
| password | String | New user password | | No | If not supplied, command will prompt to supply the password |
| posix-uid | Number | POSIX UID of underlying files representing objects created by this S3 user access/keys credentials | For S3 user roles only | No | 0 |
| posix-gid | Number | POSIX GID of underlying files representing objects created by this S3 user access/keys credentials | For S3 user roles only | No | 0 |

Example:

$ weka user add my_new_user regular S3cret

This command line creates a user with a username of my_new_user, a password of S3cret and a role of a Regular user. It is then possible to display a list of users and verify that the user was created:

$ weka user
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular
admin       | Internal | Admin

Using the weka user whoami command, it is possible to receive information about the current user running the command.

To use the new user credentials, use the WEKA_USERNAME and WEKA_PASSWORD environment variables:

$ WEKA_USERNAME=my_new_user WEKA_PASSWORD=S3cret weka user whoami
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular

Change a local user password

Command: weka user passwd

Use the following command line to change a local user password:

weka user passwd <password> [--username username]

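Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| password | String | New password | | Yes | |
| username | String | Name of the user to change the password for | Must be a valid local user | No | Current logged-in user |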

Note: If necessary, provide or set WEKA_USERNAME or WEKA_PASSWORD.

Revoke user access

Command: weka user revoke-tokens

Use the following command to revoke internal user access to the system and mounting filesystems:

weka user revoke-tokens <username>

You can revoke the access for LDAP users by changing the user-revocation-attribute defined in the LDAP server configuration.

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| username | String/Integer | A valid user in the organization of the Organization Admin running the command | | Yes | |

Note: NFS and SMB are different protocols from WekaFS and require additional security considerations when used. For example, the system grants NFS permissions per server. Therefore, carefully manage the permissions for accessing these servers for NFS export.

Update a local user

Command: weka user update

Use the following command line to update a local user:

weka user update <username> [--role role] [--posix-uid uid] [--posix-gid gid]

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| username | String | Name of an existing user | Must be a valid local user | Yes | |
| role | String | Updated user role | regular, s3, readonly, orgadmin or clusteradmin | No | |
| posix-uid | Number | POSIX UID of underlying files representing objects created by this S3 user access/keys credentials | For S3 user roles only | No | |
| posix-gid | Number | POSIX GID of underlying files representing objects created by this S3 user access/keys credentials | For S3 user roles only | No | |

Delete a local user

Command: weka user delete

To delete a user, use the following command line:

weka user delete <username>

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| username | String | Name of the user to delete | Must be a valid local user | Yes | |

Example:

$ weka user delete my_new_user

Then run the weka user command to verify that the user was deleted:

$ weka user
Username | Source   | Role
---------+----------+------
admin    | Internal | Admin

User sign in

When a login is attempted, the user is first searched in the list of internal users, i.e., users created using the weka user add command.

On each successful login, a UserLoggedIn event is issued, containing the username, role and whether the user is an internal or LDAP user.

When a login fails, an "Invalid username or password" message is displayed and a UserLoginFailed event is issued, containing the username and the reason for the login failure.

When users open the GUI, they are prompted to provide their username and password. To pass username and password to the CLI, use the WEKA_USERNAME and WEKA_PASSWORD environment variables.

Alternatively, it is possible to log into the CLI as a specific user using the weka user login <username> <password> command. This will run each CLI command from that user. When a user logs in, a token file is created to be used for authentication (defaults to ~/.weka/auth-token.json, which can be changed using the --path attribute). To see the logged-in CLI user, run the weka user whoami command.

Note: The weka user login command is persistent, but only applies to the server on which it was set.

Note: If the WEKA_USERNAME/WEKA_PASSWORD environment variables are not specified, the CLI uses the default token file. If no CLI user is explicitly logged in and no token file is present, the CLI uses the default admin/admin.

To use a non-default path for the token file, use the WEKA_TOKEN environment variable.
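
The lookup order described above, as a shell check a host owner can run to see which identity the CLI would use (added example, not WEKA's own code). It assumes both environment variables must be set to take effect and that a missing WEKA_TOKEN file falls through to admin/admin; the function name and the `token-exposed` label are illustrative.

```sh
#!/bin/sh
# Added example: report which credential source the weka CLI would pick on
# this host, following the order the page describes. No weka binary needed.

# Prints one of: env | token:<path> | token-exposed:<path> | default-admin
# Returns 1 when the CLI would fall back to the default admin/admin.
weka_cred_source() {
    # 1. Environment variables (assumption: both must be set).
    if [ -n "${WEKA_USERNAME:-}" ] && [ -n "${WEKA_PASSWORD:-}" ]; then
        echo "env"
        return 0
    fi
    # 2. Token file: WEKA_TOKEN overrides the default path.
    token="${WEKA_TOKEN:-$HOME/.weka/auth-token.json}"
    if [ -f "$token" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$token" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            echo "token:$token"
        else
            # Other local accounts can read or replace the token file.
            echo "token-exposed:$token"
        fi
        return 0
    fi
    # 3. No variables and no token file: default admin/admin.
    echo "default-admin"
    return 1
}

weka_cred_source || echo "warning: CLI would use the default admin/admin" >&2
```
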

Authenticate users from an LDAP user directory

To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows.

Configure an LDAP user directory

Commands: weka user ldap setup and weka user ldap setup-ad

One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server.

To configure an LDAP server, use the following command line:

weka user ldap setup <server-uri> <base-dn> <user-object-class> <user-id-attribute> <group-object-class> <group-membership-attribute> <group-id-attribute> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]

To configure an Active Directory server, use the following command line:

weka user ldap setup-ad <server-uri> <domain> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| server-uri | String | Either the LDAP server hostname/IP or a URI | URI must be in format ldap://hostname:port or ldaps://hostname:port | Yes | |
| base-dn | String | Base DN under which users are stored | Must be valid name | Yes | |
| user-id-attribute | String | Attribute storing user IDs | Must be valid name | Yes | |
| user-object-class | String | Object class of users | Must be valid name | Yes | |
| group-object-class | String | Object class of groups | Must be valid name | Yes | |
| group-membership-attribute | String | Attribute of group containing the DN of a user membership in the group | Must be valid name | Yes | |
| group-id-attribute | String | Attribute storing the group name | Name has to match names used in the <admin-group>, <regular group> and <readonly group> | Yes | |
| reader-username and reader-password | String | Credentials of a user with read access to the directory | Password is kept in the Weka cluster configuration in plain text, as it is used to authenticate against the directory during user authentication | Yes | |
| cluster-admin-group | String | Name of group containing users defined with cluster admin role | Must be valid name | Yes | |
| org-admin-group | String | Name of group containing users defined with organization admin role | Must be valid name | Yes | |
| regular-group | String | Name of group containing users defined with regular privileges | Must be valid name | Yes | |
| readonly-group | String | Name of group containing users defined with read only privileges | Must be valid name | Yes | |
| server-timeout-secs | Number | Server connection timeout | Seconds | No | |
| protocol-version | String | Selection of LDAP version | LDAP v2 or v3 | No | LDAP v3 |
| user-revocation-attribute | String | The LDAP attribute; when its value changes in the LDAP directory, user access and mount tokens are revoked | User must re-login after a change is detected | No | |
| start-tls | String | Issue StartTLS after connecting | yes or no; should not be used with ldaps:// | No | no |
| ignore-start-tls-failure | String | Ignore start TLS failure | yes or no | No | no |
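
An added pre-flight check for the transport-related arguments in the table above (not part of the WEKA CLI; the function name and messages are illustrative). It assumes a bare hostname/IP means plain LDAP and uses a constructed server name.

```sh
#!/bin/sh
# Added example: lint the transport arguments of a planned
# `weka user ldap setup` / `setup-ad` call before running it.
# Usage: ldap_transport_check <server-uri> [start-tls] [ignore-start-tls-failure]
# Returns 0 = encrypted transport, 1 = weak, 2 = invalid combination.
ldap_transport_check() {
    uri=$1
    start_tls=${2:-no}      # table default: no
    ignore_fail=${3:-no}    # table default: no
    for v in "$start_tls" "$ignore_fail"; do
        case $v in
            yes|no) ;;
            *) echo "invalid: flags take yes or no"; return 2 ;;
        esac
    done
    case $uri in
        ldaps://*) scheme=ldaps ;;
        ldap://*)  scheme=ldap ;;
        *://*)     echo "invalid: URI must be ldap:// or ldaps://"; return 2 ;;
        *)         scheme=ldap ;;  # assumption: bare hostname/IP is plain LDAP
    esac
    if [ "$scheme" = ldaps ]; then
        if [ "$start_tls" = yes ]; then
            echo "invalid: start-tls should not be used with ldaps://"
            return 2
        fi
        echo "ok: ldaps"
        return 0
    fi
    if [ "$start_tls" = no ]; then
        echo "weak: plain LDAP, no transport encryption"
        return 1
    fi
    if [ "$ignore_fail" = yes ]; then
        echo "weak: StartTLS failure would be ignored"
        return 1
    fi
    echo "ok: starttls enforced"
    return 0
}

# Constructed server name; prints "ok: starttls enforced".
ldap_transport_check "ldap://dc1.example.test:389" yes no
```
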

View a configured LDAP User Directory

Command: weka user ldap

This command is used for viewing the current LDAP configuration used for authenticating users.

Disable or enable a configured LDAP user directory

Commands: weka user ldap disable and weka user ldap enable

These commands are used for disabling or enabling user authentication through a configured LDAP user directory.

Note: You can only disable an LDAP configuration, but not delete it.

If a user does not exist in the Weka system but does exist in an LDAP directory, it is possible to configure the LDAP user directory to the Weka system. This will enable a search for the user in the directory, followed by password verification.
