Manage users using the CLI
Explore the management of users licensed to work with the WEKA system using the CLI.
User login process overview
In the WEKA user login process (sign-in), the following steps outline the authentication and user management:
Local user login: When users log in, the system initially searches for them within the list of local users (internal users), specifically those created using the
weka user add
command.LDAP integration: in cases where a user isn't internally registered but exists in an LDAP directory, there's an option to integrate the LDAP user directory with the WEKA system. This integration allows the system to search for the user in the directory and perform password verification.
Login events: Successful logins trigger a
UserLoggedIn
event, which provides essential details such as the username, role, and user type (internal or LDAP). On the other hand, unsuccessful logins prompt an "Invalid username or password" message and trigger aUserLoginFailedevent
, which contains the username and the reason for the failure.GUI login: The GUI login process requires users to input their username and password. Users can leverage the WEKA_USERNAME and WEKA_PASSWORD environment variables to pass this information to the CLI.
CLI login: Users can log in with a specific identity using the
weka user login <username> <password>
command for CLI access. This establishes the user context for each subsequent CLI command. Upon logging in, a token file is generated for authentication, with the default path set to~/.weka/auth-token.json
(adjustable using the--path
attribute). You can use theweka user whoami
command to check the CLI user who is currently logged in.Persistence and defaults: The
weka user login
command's persistence applies only to the server where it is set. If the WEKA_USERNAME and WEKA_PASSWORD environment variables are unspecified, the CLI defaults to the token file. In cases where no CLI user is explicitly logged in, and no token file is present, the CLI resorts to the default 'admin/admin' credentials.Custom token file path: Users who prefer a non-default path for the token file can use the
WEKA_TOKEN
environment variable.
To perform various operations through the CLI, you can:
Create a local user
Command: weka user add
Use the following command line to create a local user:
weka user add <username> <role> [password] [--posix-uid uid] [--posix-gid gid]
Parameters
Example:
$ weka user add my_new_user regular S3cret
This command line creates a user with a username of my_new_user
, a password of S3cret
and a role of a Regular user. It is then possible to display a list of users and verify that the user was created:
Using the weka user whoami
command, it is possible to receive information about the current user running the command.
To use the new user credentials, use theWEKA_USERNAME
and WEKA_PASSWORD
environment variables:
Log-in to the WEKA cluster
Command: weka user login
Use the following command to log a user into the WEKA cluster. If login is successful, the user credentials are saved to the user's home directory.
weka user login [username] [password] [--org org] [--path path]
Parameters
Manage authentication tokens in WEKA
The --path
parameter is used to control the directory and file where the authentication token is written. The specified path, which includes the filename, can then be assigned to the WEKA_TOKEN
environment variable.
Example 1: Using the --path
parameter
The following example demonstrates how to log in and specify the path for the authentication token. After logging in, the path is set to the WEKA_TOKEN
environment variable.
Example 2: Using the WEKA_TOKEN
environment variable
Alternatively, you can set the WEKA_TOKEN
environment variable first, which removes the need to use the --path
parameter during the login process.
Related topic
Change a local user password
Command: weka user passwd
Use the following command to change a local user password:
weka user passwd <password> [--username username]
Parameters
If necessary, provide or set
WEKA_USERNAME
orWEKA_PASSWORD.
To regain access to the system after changing the password, the user must re-authenticate using the new password.
Revoke user access
Command: weka user revoke-tokens
Use the following command to revoke internal user access to the system and mounting filesystems:
weka user revoke-tokens <username>
You can revoke the access for LDAP users by changing the user-revocation-attribute
defined in the LDAP server configuration.
Parameters
NFS and SMB are different protocols from WekaFS, which require additional security considerations when used. For example, The system grants NFS permissions per server. Therefore, manage the permissions for accessing these servers for NFS export carefully.
Update a local user
Command: weka user update
Use the following command line to update a local user:
weka user update <username> [--role role] [--posix-uid uid] [--posix-gid gid]
Parameters
Delete a local user
Command: weka user delete
To delete a user, use the following command line:
weka user delete <username>
Parameters
Example:
$ weka user add my_new_user
Then run theweka user
command to verify that the user was deleted:
Authenticate users from an LDAP user directory
To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows.
Configure an LDAP user directory
Command:
weka user ldap setup
weka user ldap setup-ad
One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server.
To configure an LDAP server, use the following command line:
weka user ldap setup <server-uri> <base-dn> <user-object-class> <user-id-attribute> <group-object-class> <group-membership-attribute> <group-id-attribute> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]
To configure an Active Directory server, use the following command line:
weka user ldap setup-ad <server-uri> <domain> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]
Parameters
The sAMAccountName
(user logon name) in the Cluster Admin, Organization Admin, Regular User, and Read-only User Role Groups can be up to 20 characters long.
View a configured LDAP User Directory
Command:
weka user ldap
This command is used for viewing the current LDAP configuration used for authenticating users.
Disable or enable a configured LDAP user directory
Command:
weka user ldap disable
weka user ldap enable
These commands are used for disabling or enabling user authentication through a configured LDAP user directory.
You can only disable an LDAP configuration, but not delete it.
Last updated