# Manage users using the CLI Using the CLI, you can: * [Create a local user](#create-a-local-user) * [Log-in to the WEKA cluster](#log-in-to-the-weka-cluster) * [Change a local user password](#change-a-local-user-password) * [Revoke user access](#revoke-user-access) * [Update a local user](#update-a-local-user) * [Delete a local user](#delete-a-local-user) * [Authenticate users from an LDAP user directory](#authenticate-users-from-an-ldap-user-directory) ## Create a local user **Command:** `weka user add` Use the following command line to create a local user: `weka user add [password] [--posix-uid uid] [--posix-gid gid]` **Parameters**
NameValueDefault
username*Name for the new user
roleRole of the new created user.
Possible values: clusteradmin, csi, orgadmin, readonly, regular, s3
passwordNew user password.
If not supplied, the command prompts to supply the password.
posix-uidPOSIX UID of underlying files representing objects created by this S3 user access/keys credentials.
For S3 user roles only.		0
posix-gidPOSIX GID of underlying files representing objects created by this S3 user access/keys credentials.
For S3 user roles only.		0
{% hint style="success" %} **Example:** `$ weka user add my_new_user regular S3cret` This command line creates a user with a username of `my_new_user`, a password of `S3cret` and a role of a Regular user. {% endhint %} ### Display list of users Run the `weka user` command to display the list of users defined in WEKA. ``` $ weka user Username | Source | Role ------------+----------+-------- my_new_user | Internal | Regular admin | Internal | Admin ``` ### Display current user information Run the `weka user whoami` command to receive information about the current user running the command. To use the new user credentials, use the`WEKA_USERNAME` and `WEKA_PASSWORD`environment variables: ``` $ WEKA_USERNAME=my_new_user WEKA_PASSWORD=S3cret weka user whoami Username | Source | Role ------------+----------+-------- my_new_user | Internal | Regular ``` ## Log-in to the WEKA cluster **Command:** `weka user login` Use the following command to log a user into the WEKA cluster. If login is successful, the user credentials are saved to the user's home directory. `weka user login [username] [password] [--org org] [--path path]` **Parameters**
ParameterDescription
username*User's username
password*User's password
orgOrganization name or ID
path

The path where the login token will be saved (default: ~/.weka/auth-token.json). This path can also be specified using the WEKA_TOKEN environment variable.

After logging-in, use the WEKA_TOKEN environment variable to specify where the login token is located.

{% hint style="success" %} **Manage authentication tokens in WEKA** The `--path` parameter is used to control the directory and file where the authentication token is written. The specified path, which includes the filename, can then be assigned to the `WEKA_TOKEN` environment variable. **Example 1: Using the `--path` parameter** The following example demonstrates how to log in and specify the path for the authentication token. After logging in, the path is set to the `WEKA_TOKEN` environment variable. ```sh weka user login user1 password1 --path /home/user1/.weka/user1-token.json export WEKA_TOKEN=/home/user1/.weka/user1-token.json ``` **Example 2: Using the `WEKA_TOKEN` environment variable** Alternatively, you can set the `WEKA_TOKEN` environment variable first, which removes the need to use the `--path` parameter during the login process. ```sh export WEKA_TOKEN=/home/user1/.weka/user1-token.json weka user login user1 password1 ``` {% endhint %} **Related topic** [obtain-authentication-tokens](https://docs.weka.io/security/obtain-authentication-tokens "mention") ## Change a local user password **Command:** `weka user passwd` Use the following command to change a local user password: `weka user passwd [--username username]` **Parameters**
NameValueDefault
password*New password
usernameName of the user to change the password for.
It must be a valid local user.		The current logged-in user
{% hint style="info" %} * If necessary, provide or set`WEKA_USERNAME` or `WEKA_PASSWORD.` * To regain access to the system after changing the password, the user must re-authenticate using the new password. {% endhint %} ## Revoke user access **Command:** `weka user revoke-tokens` Use the following command to revoke internal user access to the system and mounting filesystems: `weka user revoke-tokens ` You can revoke the access for LDAP users by changing the `user-revocation-attribute` defined in the LDAP server configuration. **Parameters**
NameValue
username*A valid user in the organization of the Organization Admin running the command.
{% hint style="warning" %} NFS and SMB are different protocols from WekaFS, which require additional security considerations when used. For example, The system grants NFS permissions per server. Therefore, manage the permissions for accessing these servers for NFS export carefully. {% endhint %} ## Update a local user **Command:** `weka user update` Use the following command line to update a local user: `weka user update [--role role] [--posix-uid uid] [--posix-gid gid]` **Parameters**
NameValue
username*Name of an existing user.
It must be a valid local user.
roleUpdated user role.
Possible values: regular, s3,readonly, orgadmin or clusteradmin
posix-uidPOSIX UID of underlying files representing objects created by this S3 user access/keys credentials.
For S3 user roles only.
posix-gidPOSIX GID of underlying files representing objects created by this S3 user access/keys credentials.
For S3 user roles only.
## Delete a local user **Command:** `weka user delete` To delete a user, use the following command line: `weka user delete ` **Parameters**
NameValue
username*Name of the user to delete.
It must be a valid local user.
{% hint style="success" %} **Example:** `$ weka user add my_new_user` Then run the`weka user` command to verify that the user was deleted: ``` $ weka user Username | Source | Role ---------+----------+------ admin | Internal | Admin ``` {% endhint %} ## Authenticate users from an LDAP user directory To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows. ### Configure an LDAP user directory **Command:**\ `weka user ldap setup`\ `weka user ldap setup-ad` One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server. To configure an LDAP server, use the following command line: `weka user ldap setup [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]` To configure an Active Directory server, use the following command line: `weka user ldap setup-ad [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]` **Parameters**
NameValueDefault
server-uri*Either the LDAP server hostname/IP or a URI.
Format: ldap://hostname:port or ldaps://hostname:port
base-dn*Base DN under which users are stored.
It must be a valid name.
user-id-attribute*Attribute storing user IDs.
It must be a valid name.
user-object-class*Object class of users.
It must be a valid name.
group-object-class*Object class of groups.
It must be a valid name.
group-membership-attribute*Attribute of group containing the DN of a user membership in the group.
It must be a valid name.
group-id-attribute*Attribute storing the group name.
The name must match the names used in the <admin-group>, <regular group> and <readonly group>
reader-username and reader-password*Credentials of a user with read access to the directory.
The password is kept in the Weka cluster configuration in plain text, as it is used to authenticate against the directory during user authentication.
cluster-admin-group*Name of group containing users defined with cluster admin role.
It must be a valid name.
org-admin-group*Name of group containing users defined with organization admin role.
It must be a valid name.
regular-group*Name of group containing users defined with regular privileges.
It must be a valid name.
readonly-group*Name of group containing users defined with read only privileges.
It must be a valid name.
server-timeout-secsServer connection timeout in seconds.
protocol-versionSelection of LDAP version.
Possible values: LDAP v2 or LDAP v3		LDAP v3
user-revocation-attributeThe LDAP attribute; when its value changes in the LDAP directory, user access and mount tokens are revoked.
The user must re-login after a change is detected.
start-tlsIssue StartTLS after connecting.
Possible values: yes or no
Do not use with ldaps://		no
ignore-start-tls-failureIgnore start TLS failure.
Possible values: yes or no		no
{% hint style="info" %} The `sAMAccountName` (user logon name) in the Cluster Admin, Organization Admin, Regular User, and Read-only User Role Groups can be up to 20 characters long. {% endhint %} ### View a configured LDAP User Directory **Command:**\ `weka user ldap` This command is used for viewing the current LDAP configuration used for authenticating users. ### Disable or enable a configured LDAP user directory **Command:**\ `weka user ldap disable`\ `weka user ldap enable` These commands are used for disabling or enabling user authentication through a configured LDAP user directory. {% hint style="info" %} You can only disable an LDAP configuration, but not delete it. {% endhint %}