Manage users using the CLI

Explore the management of users licensed to work with the WEKA system using the CLI.

User login process overview

In the WEKA user login process (sign-in), the following steps outline the authentication and user management:

  • Local user login: When users log in, the system initially searches for them within the list of local users (internal users), specifically those created using the weka user add command.

  • LDAP integration: in cases where a user isn't internally registered but exists in an LDAP directory, there's an option to integrate the LDAP user directory with the WEKA system. This integration allows the system to search for the user in the directory and perform password verification.

  • Login events: Successful logins trigger a UserLoggedIn event, which provides essential details such as the username, role, and user type (internal or LDAP). On the other hand, unsuccessful logins prompt an "Invalid username or password" message and trigger a UserLoginFailedevent, which contains the username and the reason for the failure.

  • GUI login: The GUI login process requires users to input their username and password. Users can leverage the WEKA_USERNAME and WEKA_PASSWORD environment variables to pass this information to the CLI.

  • CLI login: Users can log in with a specific identity using the weka user login <username> <password> command for CLI access. This establishes the user context for each subsequent CLI command. Upon logging in, a token file is generated for authentication, with the default path set to ~/.weka/auth-token.json (adjustable using the --path attribute). You can use the weka user whoami command to check the CLI user who is currently logged in.

  • Persistence and defaults: The weka user login command's persistence applies only to the server where it is set. If the WEKA_USERNAME and WEKA_PASSWORD environment variables are unspecified, the CLI defaults to the token file. In cases where no CLI user is explicitly logged in, and no token file is present, the CLI resorts to the default 'admin/admin' credentials.

  • Custom token file path: Users who prefer a non-default path for the token file can use the WEKA_TOKEN environment variable.

To perform various operations through the CLI, you can:

Create a local user

Command: weka user add

Use the following command line to create a local user:

weka user add <username> <role> [password] [--posix-uid uid] [--posix-gid gid]

Parameters

NameValueDefault

username*

Name for the new user

role

Role of the new created user. Possible values: regular, s3,readonly, orgadmin or clusteradmin

password

New user password. If not supplied, the command prompts to supply the password.

posix-uid

POSIX UID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only.

0

posix-gid

POSIX GID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only.

0

Example:

$ weka user add my_new_user regular S3cret

This command line creates a user with a username of my_new_user, a password of S3cret and a role of a Regular user. It is then possible to display a list of users and verify that the user was created:

$ weka user
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular
admin       | Internal | Admin

Using the weka user whoami command, it is possible to receive information about the current user running the command.

To use the new user credentials, use theWEKA_USERNAME and WEKA_PASSWORDenvironment variables:

$ WEKA_USERNAME=my_new_user WEKA_PASSWORD=S3cret weka user whoami
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular

Log-in to the WEKA cluster

Command: weka user login

Use the following command to log a user into the WEKA cluster. If login is successful, the user credentials are saved to the user's home directory.

weka user login [username] [password] [--org org] [--path path]

Parameters

ParameterDescription

username*

User's username

password*

User's password

org

Organization name or ID

path

The path where the login token will be saved (default: ~/.weka/auth-token.json). This path can also be specified using the WEKA_TOKEN environment variable.

After logging-in, use the WEKA_TOKEN environment variable to specify where the login token is located.

Manage authentication tokens in WEKA

The --path parameter is used to control the directory and file where the authentication token is written. The specified path, which includes the filename, can then be assigned to the WEKA_TOKEN environment variable.

Example 1: Using the --path parameter

The following example demonstrates how to log in and specify the path for the authentication token. After logging in, the path is set to the WEKA_TOKEN environment variable.

weka user login user1 password1 --path /home/user1/.weka/user1-token.json
export WEKA_TOKEN=/home/user1/.weka/user1-token.json

Example 2: Using the WEKA_TOKEN environment variable

Alternatively, you can set the WEKA_TOKEN environment variable first, which removes the need to use the --path parameter during the login process.

export WEKA_TOKEN=/home/user1/.weka/user1-token.json
weka user login user1 password1

Related topic

Obtain authentication tokens

Change a local user password

Command: weka user passwd

Use the following command to change a local user password:

weka user passwd <password> [--username username]

Parameters

NameValueDefault

password*

New password

username

Name of the user to change the password for. It must be a valid local user.

The current logged-in user

If necessary, provide or setWEKA_USERNAME or WEKA_PASSWORD.

Revoke user access

Command: weka user revoke-tokens

Use the following command to revoke internal user access to the system and mounting filesystems:

weka user revoke-tokens <username>

You can revoke the access for LDAP users by changing the user-revocation-attribute defined in the LDAP server configuration.

Parameters

NameValue

username*

A valid user in the organization of the Organization Admin running the command.

NFS and SMB are different protocols from WekaFS, which require additional security considerations when used. For example, The system grants NFS permissions per server. Therefore, manage the permissions for accessing these servers for NFS export carefully.

Update a local user

Command: weka user update

Use the following command line to update a local user:

weka user update <username> [--role role] [--posix-uid uid] [--posix-gid gid]

Parameters

NameValue

username*

Name of an existing user. It must be a valid local user.

role

Updated user role. Possible values: regular, s3,readonly, orgadmin or clusteradmin

posix-uid

POSIX UID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only.

posix-gid

POSIX GID of underlying files representing objects created by this S3 user access/keys credentials. For S3 user roles only.

Delete a local user

Command: weka user delete

To delete a user, use the following command line:

weka user delete <username>

Parameters

NameValue

username*

Name of the user to delete. It must be a valid local user.

Example:

$ weka user add my_new_user

Then run theweka user command to verify that the user was deleted:

$ weka user
Username | Source   | Role
---------+----------+------
admin    | Internal | Admin

Authenticate users from an LDAP user directory

To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows.

Configure an LDAP user directory

Command: weka user ldap setup weka user ldap setup-ad

One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server.

To configure an LDAP server, use the following command line:

weka user ldap setup <server-uri> <base-dn> <user-object-class> <user-id-attribute> <group-object-class> <group-membership-attribute> <group-id-attribute> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]

To configure an Active Directory server, use the following command line:

weka user ldap setup-ad <server-uri> <domain> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]

Parameters

NameValueDefault

server-uri*

Either the LDAP server hostname/IP or a URI. Format: ldap://hostname:port or ldaps://hostname:port

base-dn*

Base DN under which users are stored. It must be a valid name.

user-id-attribute*

Attribute storing user IDs. It must be a valid name.

user-object-class*

Object class of users. It must be a valid name.

group-object-class*

Object class of groups. It must be a valid name.

group-membership-attribute*

Attribute of group containing the DN of a user membership in the group. It must be a valid name.

group-id-attribute*

Attribute storing the group name. The name must match the names used in the <admin-group>, <regular group> and <readonly group>

reader-username and reader-password*

Credentials of a user with read access to the directory. The password is kept in the Weka cluster configuration in plain text, as it is used to authenticate against the directory during user authentication.

cluster-admin-group*

Name of group containing users defined with cluster admin role. It must be a valid name.

org-admin-group*

Name of group containing users defined with organization admin role. It must be a valid name.

regular-group*

Name of group containing users defined with regular privileges. It must be a valid name.

readonly-group*

Name of group containing users defined with read only privileges. It must be a valid name.

server-timeout-secs

Server connection timeout in seconds.

protocol-version

Selection of LDAP version. Possible values: LDAP v2 or LDAP v3

LDAP v3

user-revocation-attribute

The LDAP attribute; when its value changes in the LDAP directory, user access and mount tokens are revoked. UThe user must re-login after a change is detected.

start-tls

Issue StartTLS after connecting. Possible values: yes or no Do not use with ldaps://

no

ignore-start-tls-failure

Ignore start TLS failure. Possible values: yes or no

no

View a configured LDAP User Directory

Command: weka user ldap

This command is used for viewing the current LDAP configuration used for authenticating users.

Disable or enable a configured LDAP user directory

Command: weka user ldap disable weka user ldap enable

These commands are used for disabling or enabling user authentication through a configured LDAP user directory.

You can only disable an LDAP configuration, but not delete it.

Last updated