User management
This section describes how to manage the users who are licensed to work with the Content Software for File system.
Types of users
Access to a Content Software for File system cluster is controlled by creating, modifying and deleting users. Up to 128 local users can be defined to work with a system cluster. Each user is identified by a username and must provide a password for authentication to work with the Content Software for File system GUI or CLI.
Every Content Software for File system user has one of the following defined roles:
- Cluster Admin: A user with additional privileges, as described in Cluster admin role privileges.
- Organization Admin: A user with additional privileges within an organization (when working with different organizations, as described in Organization admin role privileges).
- Read-only: A user with read-only privileges.
- Regular: A user that is only used for mounting filesystems. This user can sign in to obtain an access token and change the password but cannot access the GUI or run other CLI/API commands.
Cluster Admin (the first user)
By default, when a Content Software for File cluster is created, a first user with an admin username and password is created. This user has a Cluster Admin role, which allows running all commands.
Cluster Admin users are responsible for managing the cluster as a whole. When using multiple organizations, there is a difference between managing a single organization and managing the cluster because managing the cluster also covers the management of the cluster hardware and resources. These are the additional permissions given to a Cluster Admin compared to an Organization Admin.
A Content Software for File system cluster must have at least one defined internal Cluster Admin user. However, it is possible to create a Cluster Admin user with a different name and delete the default admin user, if required.
Cluster admin role privileges
Cluster Admin users have additional privileges over regular users. These include the ability to:
- Create new users.
- Delete existing users.
- Change user passwords.
- Set user roles.
- Manage LDAP configurations.
- Manage organizations.
Additionally, the following restrictions are implemented for Cluster Admin users, to avoid situations where a Cluster Admin loses access to a Content Software for File system cluster:
- Cluster Admins cannot delete themselves.
- Cluster Admins cannot change their role to a regular user role.
Managing users using the GUI
Using the GUI, you can:
- Manage local users
- Manage the user directory
Manage local users
Local users are created in the local system as opposed to domain users that are managed by the organization's User Directory. You can create up to 1152 local users to work with a Content Software for File system cluster.
Creating a local user
From the menu, select Configure > User Management.
In the Local Users tab, select +Create.
In the Create New User dialog, set the following properties:
- Username: Set the user name for the local user.
- Password: Set a password according to the requirements. The password must contain at least 8 characters, an uppercase letter, a lowercase letter, and a number or a special character.
- Confirm Password: Type the same password again.
- Role: Select the role for the local user.
Select Save.
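The password rules listed above can be checked before a user is created, for example in a provisioning script. The following POSIX sh function is an added example, not part of the original guide or the product's own tooling; it implements exactly the stated rules (at least 8 characters, an uppercase letter, a lowercase letter, and a digit or a special character) and treats any non-alphanumeric character as a special character, which is an assumption:

```shell
#!/bin/sh
# Added example (not part of the original guide): a POSIX sh check that mirrors
# the password requirements stated above: at least 8 characters, one uppercase
# letter, one lowercase letter, and at least one digit or special character.
# Returns 0 when the candidate passes, 1 otherwise, and names the failing rule.

check_password() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "fails: fewer than 8 characters" >&2; return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[[:upper:]]'; then
        echo "fails: no uppercase letter" >&2; return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[[:lower:]]'; then
        echo "fails: no lowercase letter" >&2; return 1
    fi
    # Assumption: "special character" means any character that is not a letter or digit.
    if ! printf '%s' "$pw" | grep -q '[[:digit:]]' \
       && ! printf '%s' "$pw" | grep -q '[^[:alnum:]]'; then
        echo "fails: no digit or special character" >&2; return 1
    fi
    return 0
}

# Constructed candidates used to exercise each rule.
for candidate in 'Short1' 'alllowercase1' 'NoDigitsHere' 'Correct1' 'Correct!pw'; do
    if check_password "$candidate" 2>/dev/null; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

Run the check on the candidate password before passing it to the GUI or CLI; the first three constructed candidates are rejected and the last two are accepted.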
Editing a local user
You can modify the role of a local user, but not the role of an S3 user or your own role (the signed-in user).
Procedure
In the Local Users tab, select the three dots of the local user you want to edit, then select Edit User.
From the Role property, select the required role.
Select Save.
Changing a local user password
As a Cluster Admin or Organization Admin, you can change the password of a local user and revoke the user's tokens.
Procedure
In the Local Users tab, select the three dots of the local user you want to change the password for, then select Change Password.
In the Change Password for a user dialog, set the following properties:
- Old password: Set the old password.
- Password: Set a new password according to the requirements.
- Confirm Password: Type the same new password again.
- Revoke Tokens: If the user's existing tokens are compromised, you can revoke all the user's tokens along with changing the user's password. To re-access the system, the user re-authenticates with the new password, or the user needs to obtain new tokens using the API.
Select Save.
Changing your own password
You can change your own password at any time.
Procedure
From the top bar, select the signed-in user, then select Change Password.
In the Change Password dialog, set the properties as described in Changing a local user password.
Select Save.
Revoking local user tokens
If the user's existing tokens are compromised, you can revoke all the user's tokens, regardless of changing the user's password. To re-access the system, the user re-authenticates with the new password, or the user needs to obtain new tokens using the API.
Procedure
In the Local Users tab, select the three dots of the local user whose tokens you want to revoke, then select Revoke User Tokens.
In the confirmation message, select Revoke Tokens.
Remove a local user
You can remove a local user that is no longer required.
Procedure
In the Local Users tab, select the three dots of the local user to remove, then select Remove User.
In the confirmation message, select Yes.
Managing user directory
You can grant users access to the Content Software for File system from the organization's user directory, either an LDAP directory or Active Directory.
Configuring LDAP
To use LDAP directory for authenticating users, you need to configure the corresponding values in the LDAP Configuration dialog.
Procedure
From the menu, select Configure > User Management.
Select the User Directory tab.
Select Configure LDAP.
Set all properties according to the organization's LDAP details.
Select Save.
Once the LDAP configuration completes, the User Directory tab displays the details. You can disable the LDAP configuration, update the configuration, or reset the configuration values.
Configuring Active Directory
To use Active Directory for authenticating users, you configure the corresponding values in the Active Directory Configuration dialog.
Procedure
From the menu, select Configure > User Management.
Select the User Directory tab.
Select Configure Active Directory.
Set all properties according to the organization's Active Directory details.
Select Save.
Once the Active Directory configuration completes, the User Directory tab displays the details. You can disable the Active Directory configuration, update the configuration, or reset the configuration values.
Managing users using the CLI
How to manage users using the CLI
Creating users
Use the following command line to create a user:
weka user add <username> <role> [password]
$ weka user add my_new_user regular S3cret
This command line creates a user with a username of my_new_user, a password of S3cret and a role of Regular user. It is then possible to display a list of users and verify that the user was created:
$ weka user
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular
admin       | Internal | Admin
Using the weka user whoami command, it is possible to receive information about the current user running the command.
To run commands with the new user's credentials, set the WEKA_USERNAME and WEKA_PASSWORD environment variables; weka user whoami then reports the new user:
Username    | Source   | Role
------------+----------+--------
my_new_user | Internal | Regular
To view the parameters for the weka user add command, see the Content Software for File Command Line Reference Guide.
Changing user password
Use the following command line to change a local user password:
weka user passwd <password> [--username username]
To view the weka user passwd parameters, see the Content Software for File Command Line Reference Guide.
Deleting users
Command: weka user delete
To delete a user, use the following command line:
weka user delete <username>
$ weka user delete my_new_user
Then run the weka user command to verify that the user was deleted:
$ weka user
Username | Source   | Role
---------+----------+------
admin    | Internal | Admin
To view the parameters for the weka user delete command, see the Content Software for File Command Line Reference Guide.
User log in
When a login is attempted, the user is first searched in the list of internal users, that is, users created using the weka user add command.
However, if a user does not exist in the Content Software for File system but does exist in an LDAP directory, it is possible to configure the LDAP user directory to the Content Software for File system. This will enable a search for the user in the directory, followed by password verification.
- On each successful login, a UserLoggedIn event is issued, containing the username, role and whether the user is an internal or LDAP user.
- When a login fails, an Invalid username or password message is displayed and a UserLoginFailed event is issued, containing the username and the reason for the login failure.
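The UserLoginFailed events described above carry the username and the failure reason, which makes repeated failures per account easy to spot. The following script is an added example, not the product's own tooling: the event line format it parses is constructed for illustration (this page does not document the export format), and the script reads from stdin so it can be pointed at whatever export the cluster actually produces.

```shell
#!/bin/sh
# Added example (not part of the original guide): count UserLoginFailed events per
# username in an event stream and flag accounts at or above a threshold.
# The line format below is constructed for this example; adapt the field
# positions to the real event export format.

EVENTS=$(cat <<'EOF'
2024-05-01T10:00:01Z UserLoggedIn username=admin role=ClusterAdmin source=Internal
2024-05-01T10:00:07Z UserLoginFailed username=alice reason="Invalid username or password"
2024-05-01T10:00:09Z UserLoginFailed username=alice reason="Invalid username or password"
2024-05-01T10:00:12Z UserLoginFailed username=alice reason="Invalid username or password"
2024-05-01T10:00:20Z UserLoginFailed username=bob reason="Invalid username or password"
2024-05-01T10:00:25Z UserLoggedIn username=bob role=Regular source=LDAP
EOF
)

# Reads event lines from stdin; prints "username count" for every user with at
# least $1 failed logins (default 3). Successful logins are ignored.
flag_failed_logins() {
    threshold=${1:-3}
    awk -v limit="$threshold" '
        $2 == "UserLoginFailed" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^username=/) {
                    sub(/^username=/, "", $i)
                    fails[$i]++
                }
            }
        }
        END {
            for (u in fails)
                if (fails[u] >= limit) print u, fails[u]
        }'
}

# Run on the constructed sample: only alice reaches the default threshold of 3.
printf '%s\n' "$EVENTS" | flag_failed_logins 3
```

In practice the threshold should be paired with a time window, and a flagged account is a prompt to verify with the user, rotate the password and revoke tokens as described in the GUI procedures above.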
When users open the GUI, they are prompted to provide their username and password. To pass username and password to the CLI, use the WEKA_USERNAME and WEKA_PASSWORD environment variables.
Alternatively, it is possible to log into the CLI as a specific user using the weka user login <username> <password> command. This will run each CLI command from that user. When a user logs in, a token file is created to be used for authentication (default to ~/.weka/auth-token.json, which can be changed using the --path attribute). To see the logged-in CLI user, run the weka user whoami command.
To use a non-default path for the token file, use the WEKA_TOKEN environment variable.
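Because the token file authenticates every subsequent CLI command for that user, it should be readable only by its owner. The following POSIX sh function is an added example, not part of the original guide: it checks the file named by its argument, or by WEKA_TOKEN, or the default ~/.weka/auth-token.json, and reports whether any group or other permission bit is set. It relies on the ls -l mode string, which is an assumption about the platform's ls output.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that a CLI auth token
# file is private to its owner. Returns 0 if the group and other permission
# bits are all clear, 1 otherwise (or if the file does not exist).

token_file_is_private() {
    f=${1:-${WEKA_TOKEN:-$HOME/.weka/auth-token.json}}
    if [ ! -f "$f" ]; then
        echo "no token file at $f" >&2
        return 1
    fi
    # Assumption: ls -l prints a 10-character mode string; characters 5-10 are
    # the group and other permission bits (e.g. "rw-------" -> "------").
    mode=$(ls -ld "$f" | cut -c1-10)
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$rest" = "------" ]; then
        return 0
    fi
    echo "$f is accessible beyond its owner (mode $mode); tighten with: chmod 600 $f" >&2
    return 1
}

# Demonstration on a constructed temporary file rather than a real token.
demo=$(mktemp)
chmod 644 "$demo"
token_file_is_private "$demo" || echo "check failed as expected for mode 644"
chmod 600 "$demo"
token_file_is_private "$demo" && echo "check passed for mode 600"
rm -f "$demo"
```

Run the function with no argument on a host where the CLI has been used to confirm the token file left behind by weka user login is not readable by other local accounts.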
For additional details on the first-user login, see Cluster Admin (the first user).