
Manage users using the CLI

Explore the management of users licensed to work with the WEKA system using the CLI.


Last updated 8 months ago

User login process overview

In the WEKA user login process (sign-in), the following steps outline the authentication and user management:

  • Local user login: When users log in, the system initially searches for them within the list of local users (internal users), specifically those created using the weka user add command.

  • LDAP integration: In cases where a user isn't internally registered but exists in an LDAP directory, there's an option to integrate the LDAP user directory with the WEKA system. This integration allows the system to search for the user in the directory and perform password verification.

  • Login events: Successful logins trigger a UserLoggedIn event, which provides essential details such as the username, role, and user type (internal or LDAP). On the other hand, unsuccessful logins prompt an "Invalid username or password" message and trigger a UserLoginFailed event, which contains the username and the reason for the failure.

  • GUI login: The GUI login process requires users to input their username and password. Users can leverage the WEKA_USERNAME and WEKA_PASSWORD environment variables to pass this information to the CLI.

  • CLI login: Users can log in with a specific identity using the weka user login <username> <password> command for CLI access. This establishes the user context for each subsequent CLI command. Upon logging in, a token file is generated for authentication, with the default path set to ~/.weka/auth-token.json (adjustable using the --path attribute). You can use the weka user whoami command to check the CLI user who is currently logged in.

  • Persistence and defaults: The weka user login command's persistence applies only to the server where it is set. If the WEKA_USERNAME and WEKA_PASSWORD environment variables are unspecified, the CLI defaults to the token file. In cases where no CLI user is explicitly logged in, and no token file is present, the CLI resorts to the default 'admin/admin' credentials.

  • Custom token file path: Users who prefer a non-default path for the token file can use the WEKA_TOKEN environment variable.

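To perform various operations through the CLI, you can:

  • Create a local user
  • Log-in to the WEKA cluster
  • Change a local user password
  • Revoke user access
  • Update a local user
  • Delete a local user
  • Authenticate users from an LDAP user directory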

Create a local user

Command: weka user add

Use the following command line to create a local user:

weka user add <username> <role> [password] [--posix-uid uid] [--posix-gid gid]

Parameters

| Name | Value | Default |
|---|---|---|
| username* | Name for the new user | |
| role | Role of the newly created user. Possible values: regular, s3, readonly, orgadmin or clusteradmin | |
| password | New user password. If not supplied, the command prompts to supply the password. | |
| posix-uid | POSIX UID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only. | 0 |
| posix-gid | POSIX GID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only. | 0 |

Example:

$ weka user add my_new_user regular S3cret

This command line creates a user with a username of my_new_user, a password of S3cret and a role of a Regular user. It is then possible to display a list of users and verify that the user was created:

$ weka user
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular
admin       | Internal | Admin

Using the weka user whoami command, it is possible to receive information about the current user running the command.

To use the new user credentials, use the WEKA_USERNAME and WEKA_PASSWORD environment variables:

$ WEKA_USERNAME=my_new_user WEKA_PASSWORD=S3cret weka user whoami
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular

Log-in to the WEKA cluster

Command: weka user login

Use the following command to log a user into the WEKA cluster. If login is successful, the user credentials are saved to the user's home directory.

weka user login [username] [password] [--org org] [--path path]

Parameters

| Parameter | Description |
|---|---|
| username* | User's username |
| password* | User's password |
| org | Organization name or ID |
| path | The path where the login token will be saved (default: ~/.weka/auth-token.json). This path can also be specified using the WEKA_TOKEN environment variable. |

After logging in, use the WEKA_TOKEN environment variable to specify where the login token is located.

Manage authentication tokens in WEKA

The --path parameter is used to control the directory and file where the authentication token is written. The specified path, which includes the filename, can then be assigned to the WEKA_TOKEN environment variable.

Example 1: Using the --path parameter

The following example demonstrates how to log in and specify the path for the authentication token. After logging in, the path is set to the WEKA_TOKEN environment variable.

weka user login user1 password1 --path /home/user1/.weka/user1-token.json
export WEKA_TOKEN=/home/user1/.weka/user1-token.json

Example 2: Using the WEKA_TOKEN environment variable

Alternatively, you can set the WEKA_TOKEN environment variable first, which removes the need to use the --path parameter during the login process.

export WEKA_TOKEN=/home/user1/.weka/user1-token.json
weka user login user1 password1
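
The credential precedence from the login overview and the token path handling above can be checked per account with a short script. This is an added example, not WEKA code: the function names are hypothetical, it never calls the weka CLI, and it assumes the environment variables count only when both are set.

```sh
# Added example (not WEKA code): report which credentials the weka CLI
# would pick up for this account, and whether the login token is exposed.

# Token file location: WEKA_TOKEN if set, otherwise the documented default.
weka_token_path() {
    printf '%s\n' "${WEKA_TOKEN:-$HOME/.weka/auth-token.json}"
}

# Precedence as described on this page: environment variables, then the
# token file, then the built-in admin/admin default.
# Assumption: the environment counts only when both variables are set.
weka_credential_source() {
    if [ -n "${WEKA_USERNAME:-}" ] && [ -n "${WEKA_PASSWORD:-}" ]; then
        echo "env"
    elif [ -f "$(weka_token_path)" ]; then
        echo "token"
    else
        echo "default-admin"
    fi
}

# Prints one finding per line; returns 0 when the token file is private.
weka_token_audit() {
    wt_path="$(weka_token_path)"
    wt_dir="$(dirname "$wt_path")"
    wt_rc=0
    if [ ! -f "$wt_path" ]; then
        echo "MISSING $wt_path"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ldL "$wt_path" | cut -c5-10)" != "------" ]; then
        echo "EXPOSED $wt_path"
        wt_rc=1
    fi
    # A group- or world-writable directory lets another account swap the file.
    case "$(ls -ldL "$wt_dir" | cut -c5-10)" in
        ?w????|????w?) echo "WRITABLE_DIR $wt_dir"; wt_rc=1 ;;
    esac
    return "$wt_rc"
}

# Summary for the current account: source first, then any findings.
weka_login_report() {
    wl_src="$(weka_credential_source)"
    echo "credential source: $wl_src"
    case "$wl_src" in
        env)           echo "note: password is held in the process environment" ;;
        token)         weka_token_audit ;;
        default-admin) echo "warning: CLI would fall back to admin/admin" ;;
    esac
}
```

Source the file and run weka_login_report as the account that runs WEKA automation; a default-admin result means unattended commands on that host depend on the admin/admin fallback.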

Related topic

Obtain authentication tokens

Change a local user password

Command: weka user passwd

Use the following command to change a local user password:

weka user passwd <password> [--username username]

Parameters

| Name | Value | Default |
|---|---|---|
| password* | New password | |
| username | Name of the user to change the password for. It must be a valid local user. | The current logged-in user |

  • If necessary, provide or set WEKA_USERNAME or WEKA_PASSWORD.

  • To regain access to the system after changing the password, the user must re-authenticate using the new password.

Revoke user access

Command: weka user revoke-tokens

Use the following command to revoke internal user access to the system and mounting filesystems:

weka user revoke-tokens <username>

You can revoke the access for LDAP users by changing the user-revocation-attribute defined in the LDAP server configuration.

Parameters

| Name | Value |
|---|---|
| username* | A valid user in the organization of the Organization Admin running the command. |

NFS and SMB are different protocols from WekaFS, which require additional security considerations when used. For example, the system grants NFS permissions per server. Therefore, manage the permissions for accessing these servers for NFS export carefully.

Update a local user

Command: weka user update

Use the following command line to update a local user:

weka user update <username> [--role role] [--posix-uid uid] [--posix-gid gid]

Parameters

| Name | Value |
|---|---|
| username* | Name of an existing user. It must be a valid local user. |
| role | Updated user role. Possible values: regular, s3, readonly, orgadmin or clusteradmin |
| posix-uid | POSIX UID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only. |
| posix-gid | POSIX GID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only. |

Delete a local user

Command: weka user delete

To delete a user, use the following command line:

weka user delete <username>

Parameters

| Name | Value |
|---|---|
| username* | Name of the user to delete. It must be a valid local user. |

Example:

$ weka user delete my_new_user

Then run the weka user command to verify that the user was deleted:

$ weka user
Username | Source   | Role
---------+----------+------
admin    | Internal | Admin

Authenticate users from an LDAP user directory

To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows.

Configure an LDAP user directory

Commands: weka user ldap setup, weka user ldap setup-ad

One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server.

To configure an LDAP server, use the following command line:

weka user ldap setup <server-uri> <base-dn> <user-object-class> <user-id-attribute> <group-object-class> <group-membership-attribute> <group-id-attribute> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]

To configure an Active Directory server, use the following command line:

weka user ldap setup-ad <server-uri> <domain> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]

Parameters

| Name | Value | Default |
|---|---|---|
| server-uri* | Either the LDAP server hostname/IP or a URI. Format: ldap://hostname:port or ldaps://hostname:port | |
| base-dn* | Base DN under which users are stored. It must be a valid name. | |
| user-id-attribute* | Attribute storing user IDs. It must be a valid name. | |
| user-object-class* | Object class of users. It must be a valid name. | |
| group-object-class* | Object class of groups. It must be a valid name. | |
| group-membership-attribute* | Attribute of group containing the DN of a user membership in the group. It must be a valid name. | |
| group-id-attribute* | Attribute storing the group name. The name must match the names used in the <admin-group>, <regular group> and <readonly group>. | |
| reader-username and reader-password* | Credentials of a user with read access to the directory. The password is kept in the Weka cluster configuration in plain text, as it is used to authenticate against the directory during user authentication. | |
| cluster-admin-group* | Name of group containing users defined with cluster admin role. It must be a valid name. | |
| org-admin-group* | Name of group containing users defined with organization admin role. It must be a valid name. | |
| regular-group* | Name of group containing users defined with regular privileges. It must be a valid name. | |
| readonly-group* | Name of group containing users defined with read only privileges. It must be a valid name. | |
| server-timeout-secs | Server connection timeout in seconds. | |
| protocol-version | Selection of LDAP version. Possible values: LDAP v2 or LDAP v3 | LDAP v3 |
| user-revocation-attribute | The LDAP attribute; when its value changes in the LDAP directory, user access and mount tokens are revoked. The user must re-login after a change is detected. | |
| start-tls | Issue StartTLS after connecting. Possible values: yes or no. Do not use with ldaps://. | no |
| ignore-start-tls-failure | Ignore start TLS failure. Possible values: yes or no | no |

The sAMAccountName (user logon name) in the Cluster Admin, Organization Admin, Regular User, and Read-only User Role Groups can be up to 20 characters long.
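
The server-uri, start-tls and ignore-start-tls-failure values decide whether the reader password and user passwords are protected in transit, so they are worth reviewing before running either setup command. The following is an added example, not WEKA code: the function name and finding labels are hypothetical, and it assumes a bare hostname or IP behaves like ldap://.

```sh
# Added example (not WEKA code): review the transport arguments planned for
# `weka user ldap setup` or `weka user ldap setup-ad` before running them.
# usage: ldap_transport_findings <server-uri> [start-tls] [ignore-start-tls-failure]
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
ldap_transport_findings() {
    lt_uri="$1"
    lt_start="${2:-no}"     # page default for --start-tls
    lt_ignore="${3:-no}"    # page default for --ignore-start-tls-failure
    lt_count=0

    for lt_v in "$lt_start" "$lt_ignore"; do
        case "$lt_v" in
            yes|no) ;;
            *) echo "BAD_VALUE expected yes or no, got '$lt_v'"; return 2 ;;
        esac
    done

    case "$lt_uri" in
        ldaps://*) lt_scheme=ldaps ;;
        ldap://*)  lt_scheme=ldap ;;
        *://*)     echo "BAD_URI unsupported scheme: $lt_uri"; return 2 ;;
        "")        echo "BAD_URI empty server-uri"; return 2 ;;
        *)         lt_scheme=ldap ;;  # assumption: bare host behaves like ldap://
    esac

    # The page states that start-tls is not to be used with ldaps://.
    if [ "$lt_scheme" = ldaps ] && [ "$lt_start" = yes ]; then
        echo "CONFLICT --start-tls yes must not be used with ldaps://"
        lt_count=$((lt_count + 1))
    fi
    # Plain ldap:// without StartTLS leaves bind credentials unprotected.
    if [ "$lt_scheme" = ldap ] && [ "$lt_start" = no ]; then
        echo "CLEARTEXT no TLS: reader and user passwords are sent unprotected"
        lt_count=$((lt_count + 1))
    fi
    # Ignoring a StartTLS failure lets the session go on without encryption.
    if [ "$lt_start" = yes ] && [ "$lt_ignore" = yes ]; then
        echo "DOWNGRADE StartTLS failure is ignored: session may continue without TLS"
        lt_count=$((lt_count + 1))
    fi
    [ "$lt_count" -eq 0 ]
}
```

An empty result with exit status 0 means the planned connection uses either ldaps:// or a StartTLS upgrade that is not allowed to fail silently.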

View a configured LDAP User Directory

Command: weka user ldap

This command is used for viewing the current LDAP configuration used for authenticating users.

Disable or enable a configured LDAP user directory

Commands: weka user ldap disable, weka user ldap enable

These commands are used for disabling or enabling user authentication through a configured LDAP user directory.

You can only disable an LDAP configuration, but not delete it.
