Articles in this section

user query

Sara Levy
  • Updated
Follow

This command queries providers and the user database for a user entry. A provider query can be aggregated across providers to yield a merged result or it can be provider-specific. See Querying Users for more information.

You can also use this command to:

  • Attach or remove identity policies to users, and

  • Grant or remove create bucket, delete bucket and super user permissions for users on external providers.

Note

Permission allowed or denied by identity policies to create or delete buckets overrides explicit create bucket and delete bucket permission settings.

Note

If you wish to grant or remove the explicit create bucket, delete bucket and super user permissions for users on the local provider, you can do this using the user modify command.

Usage for Retrieving a User Entry

user query {--uid UID | --username USERNAME | --sid SID}
           [--context local|udb|ad|ldap|nis|aggregated]

Usage for Setting S3 Permissions

user query {--uid UID | --username USERNAME | --sid SID}
           [--allow-create-bucket]
           [--disallow-create-bucket]
           [--allow-delete-bucket]
           [--disallow-delete-bucket]
           [--s3-superuser]
           [--not-s3-superuser]
           [--s3-policies-ids [S3_POLICIES_IDS]]

Required Parameters

--uid UID

--username USERNAME

--sid SID

Include one of these options to specify which user attribute to query by and a specific value to search for.

Options

--context local|udb|ad|ldap|nis|aggregated

Specify one of the following contexts:

  • local. Restricts the search to local provider users.

  • udb. Searches the UDB for the user. The output in this case includes the VID (VAST ID) for the user, which can be used when specifying a grantee in S3 ACLs.

  • aggregated (default). Searches all providers and returns a merged user entry. In case of conflicts between providers, attributes are resolved according to the following rules:

    • In case of conflict between local and non local providers, the local provider's attributes override those of the other providers.

    • In case of conflicting POSIX attributes on external providers, the POSIX primary provider overrules the other external provider.

    • Users are merged if their match user attributes match. The match user attribute is configurable in that you can set which attribute on the POSIX primary provider is used to match the users.

    • All groups found for the user on all providers with distinct group names are treated as distinct groups to which the user belongs. Groups are merged if they match according to a non-configurable group name attribute.

  • ad, nis or ldap. Searches the specific provider only. (Each of these options appears only if a provider of that type is connected to the cluster.)

--allow-create-bucket

Grants the user permission to create buckets when connecting to the cluster via S3.

--allow-delete-bucket

Grants the user permission to delete buckets when connecting to the cluster via S3.

--disallow-delete-bucket

Removes permission to delete S3 buckets.

--s3-superuser

Grants the user S3 super user permission, which enables the user to override S3 ACLs.

--not-s3-superuser

Removes S3 super user permission from the user.

--s3-policies-ids [S3_POLICIES_IDS]

Attaches one or more S3 user policies to the user. Specify S3_POLICIES_IDS as a comma separated list of S3policy IDs. Each time you run the command with this option, the list overrides the entire previous list of S3 policies that were attached to the user. To remove a policy from a user, specify a list that does not include the policy you wish to remove. To remove all policies from the user, do not specify a list of IDs.

Example

vcli: admin> user query --context local --uid 207
+---------------------+-----------------------------------------------------+
| uid                 | 207                                                 |
| sid                 | S-1-111-3337806353-1029045180-680611247-152823600-1 |
| leading_group       | {'gid': '', 'sid': '', 'name': ''}                  |
| leading_group_name  |                                                     |
| leading_group_gid   |                                                     |
| primary_group_name  |                                                     |
| primary_group_sid   |                                                     |
| name                | User1                                               |
| login_name          | User1                                               |
| groups              | []                                                  |
| group_count         | 0                                                   |
| allow_create_bucket | False                                               |
| allow_delete_bucket | False                                               |
| s3_superuser        | False                                               |
| s3_policies         | ['AllowEverything']                                 |
| s3_policies_ids     | [1]                                                 |
| s3_remote_policies  | []                                                  |
| access_keys         | []                                                  |
+---------------------+-----------------------------------------------------+

Related articles

Comments

0 comments

Article is closed for comments.