Manage users using the CLI
This page describes the management of users licensed to work with the Weka system.
Using the CLI, you can:
weka user add
Use the following command line to create a local user:
weka user add <username> <role> [password] [--posix-uid uid] [--posix-gid gid]
Using the weka user whoami command, it is possible to receive information about the current user running the command.
To use the new user credentials, use the WEKA_USERNAME and WEKA_PASSWORD environment variables:
$ WEKA_USERNAME=my_new_user WEKA_PASSWORD=S3cret weka user whoami
Username | Source | Role
my_new_user | Internal | Regular
weka user passwd
Use the following command line to change a local user password:
weka user passwd <password> [--username username]
weka user revoke-tokens
Use the following command to revoke internal user access to the system and mounting filesystems:
weka user revoke-tokens <username>
You can revoke the access for LDAP users by changing the user-revocation-attribute defined in the LDAP server configuration.
weka user update
Use the following command line to update a local user:
weka user update <username> [--role role] [--posix-uid uid] [--posix-gid gid]
weka user delete
To delete a user, use the following command line:
weka user delete <username>
When a login is attempted, the user is first searched in the list of internal users, i.e., users created using the weka user add command.
However, if a user does not exist in the Weka system but does exist in an LDAP directory, it is possible to configure the LDAP user directory to the Weka system. This will enable a search for the user in the directory, followed by password verification.
On each successful login, a UserLoggedIn event is issued, containing the username, role and whether the user is an internal or LDAP user.
When a login fails, an "Invalid username or password" message is displayed and a UserLoginFailed event is issued, containing the username and the reason for the login failure.
When users open the GUI, they are prompted to provide their username and password. To pass username and password to the CLI, use the WEKA_USERNAME and WEKA_PASSWORD environment variables.
Alternatively, it is possible to log into the CLI as a specific user using the weka user login <username> <password> command. This will run each CLI command from that user. When a user logs in, a token file is created to be used for authentication (defaults to ~/.weka/auth-token.json, which can be changed using the --path attribute). To see the logged-in CLI user, run the weka user whoami command.
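The token file described above is what authenticates later CLI commands, so it should be readable only by the account that logged in. The following audit is an added example, not part of the Weka documentation or tooling; the function names and the individual checks are this example's own, and only the default path ~/.weka/auth-token.json comes from the page.

```shell
#!/bin/sh
# Added example: audit the token file created by `weka user login`.
# Only the default path comes from the page; all function names are this example's own.

# Print the octal permission bits of $1 (GNU stat, then BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print the numeric owner uid of $1.
file_uid() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Return 0 if the token file is private to the calling user, 1 otherwise.
# Findings go to stderr so the function can run from cron or a login script.
check_weka_token() {
    token=${1:-"$HOME/.weka/auth-token.json"}
    rc=0

    # A symlink could redirect the CLI to a token file someone else controls.
    if [ -L "$token" ]; then
        echo "FAIL: $token is a symlink" >&2
        return 1
    fi
    if [ ! -f "$token" ]; then
        echo "FAIL: $token is missing or not a regular file" >&2
        return 1
    fi
    if [ "$(file_uid "$token")" != "$(id -u)" ]; then
        echo "FAIL: $token is not owned by uid $(id -u)" >&2
        rc=1
    fi
    # Any group/other bit lets another local account read or replace the token.
    mode=$(file_mode "$token")
    case $mode in
        *00|0) ;;
        *) echo "FAIL: $token has mode $mode; run chmod 600" >&2; rc=1 ;;
    esac
    # A group- or world-writable directory lets others swap the file itself.
    dir=$(dirname "$token")
    dmode=$(file_mode "$dir")
    case $dmode in
        *[2367]?|*[2367]) echo "FAIL: $dir has mode $dmode; run chmod 700" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Call check_weka_token with no argument to audit the default path, or pass the file that was given to --path at login.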
To authenticate users from an LDAP user directory, the LDAP directory must first be configured to the Weka system. This is performed as follows.
weka user ldap setup
weka user ldap setup-ad
One of two CLI commands is used to configure an LDAP user directory for user authentication. The first is for configuring a general LDAP server and the second is for configuring an Active Directory server.
To configure an LDAP server, use the following command line:
weka user ldap setup <server-uri> <base-dn> <user-object-class> <user-id-attribute> <group-object-class> <group-membership-attribute> <group-id-attribute> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--protocol-version protocol-version] [--user-revocation-attribute user-revocation-attribute]
To configure an Active Directory server, use the following command line:
weka user ldap setup-ad <server-uri> <domain> <reader-username> <reader-password> <cluster-admin-group> <org-admin-group> <regular-group> <readonly-group> [--start-tls start-tls] [--ignore-start-tls-failure ignore-start-tls-failure] [--server-timeout-secs server-timeout-secs] [--user-revocation-attribute user-revocation-attribute]
weka user ldap
This command is used for viewing the current LDAP configuration used for authenticating users.
weka user ldap disable
weka user ldap enable
These commands are used for disabling or enabling user authentication through a configured LDAP user directory.