User role management

external_auth_server_root_certificate_import

Required Role: Security

Description

Imports a root certificate (to be used in communication with the user's external authentication server) to a storage cluster.

PEM- and DER-format authentication files are supported. The root certificate is applied immediately if TLS communication with the server is enabled in the storage cluster settings for the external authentication server specified as "targetServer".

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] external_auth_server_root_certificate_import
--root_certificate <file>  (required)
--target_server <str>  (required)
Options and parameters
  • --root_certificate <root certificate file>

    Specify root certificate file (used in communication with the external authentication server) to be imported to the storage cluster.

  • --target_server {primary1 | secondary1}

    Specify target external authentication server in user authentication.

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

external_auth_server_root_certificate_download

Required Role: Security

Description

Obtains a root certificate (to be used in communication with the user's external authentication server) which is imported to a storage cluster.

A root certificate is output as a DER file.

If this CLI is called when no root certificate is imported, an error is returned.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

If you have not imported the root certificate for the external authentication server, you may see message ID: KARS15553-E. If this is the case, import the root certificate of the external authentication server.

Syntax
hsds [master command option] external_auth_server_root_certificate_download
--target_server <str>  (required)
Options and parameters
  • --target_server {primary1 | secondary1}

    Specify target external authentication server in user authentication.

Responses
  • Normal termination

    Root certificate file corresponding to the server specified as --target_server.

Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

external_auth_server_setting_show

Required Role: Security

Description

Obtains the settings of the external authentication server.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] external_auth_server_setting_show
Options and parameters

None

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

external_auth_server_setting_set

Required Role: Security

Description

Edits the settings of the external authentication server.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] external_auth_server_setting_set
--is_enabled <boolean>  (optional)
--auth_protocol <str>  (optional)
--mapping_mode <str>  (optional)
--primary_ldap_server_url <str>  (optional)
--secondary_ldap_server_url <str>  (optional)
--is_start_tls_enabled <boolean>  (optional)
--base_dn <str>  (optional)
--bind_dn <str>  (optional)
--bind_dn_password <str>  (optional)
--user_id_attribute <str>  (optional)
--user_tree_dn <str>  (optional)
--user_object_class <str>  (optional)
--external_group_name_attribute <str>  (optional)
--user_group_tree_dn <str>  (optional)
--user_group_object_class <str>  (optional)
--timeout_seconds <int32>  (optional)
--retry_interval_milliseconds <int32>  (optional)
--max_retries <int32>  (optional)
Options and parameters
  • --is_enabled {true | false}

    Enables or disables external authentication.

  • --auth_protocol LDAP

    Specify authentication protocol used for external authentication.

  • --mapping_mode {User | Group}

    Specify unit of mapping to the LDAP server.

    • User: Mapping for each user. Grants permission to individual users in the LDAP server.

    • Group: Mapping for each user group. Grants permission to individual user groups in the LDAP server.

  • --primary_ldap_server_url <URL>

    Specify URL (up to 267 characters) of the primary LDAP server.

    Specify it as "ldap(s)://{<IPv4-address> | <host-name>}:<port-number>". ":<port-number>/" can be omitted.

    Specify an empty string "" to initialize it.

    must match /^$|^ldaps?:\/\/((([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])\.)*([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])))(:([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]))?/?$/

  • --secondary_ldap_server_url <URL>

    Specify URL (up to 267 characters) of the secondary LDAP server.

    Specify it as "ldap(s)://{<IPv4-address> | <host-name>}:<port-number>". ":<port-number>/" can be omitted.

    Specify an empty string "" to initialize it.

    must match /^$|^ldaps?:\/\/((([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])\.)*([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])))(:([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]))?/?$/

  • --is_start_tls_enabled {true | false}

    Enables or disables StartTLS communication for LDAP authentication.

  • --base_dn <base distinguished name>

    Specify Base Distinguished Name (up to 8,192 characters) used as the point from where a user or user group will be searched for LDAP authentication. Specify a distinguished name that includes all the users and user groups to be LDAP authenticated.

    Specify it following the RFC 4514 stipulations.

  • --bind_dn <bind distinguished name>

    Specify Bind Distinguished Name (up to 8,192 characters) used for performing a search on a tree specified in base_dn.

    Specify it following the RFC 4514 stipulations.

  • --bind_dn_password <password>

    Specify password (up to 8,192 characters) for Distinguished Name specified in bind_dn.

    Caution

    If --bind_dn_password is not specified, a prompt will appear. To specify a password, enter it at the prompt using standard input. Otherwise, press Enter without entering a value.

    bind_dn_password (if omitted, press the [Enter] key) []:

    The contents of the password specified by the option remain in the command history. Enter the password using standard input without the option.

  • --user_id_attribute <attribute type>

    Specify LDAP Attribute Type (up to 8,192 characters) mapped as the user ID. Specify it following the RFC 4514 stipulations.

    For example, specify "sAMAccountName" when using the Windows logon ID when linked with an AD server.

    The following conditions must be met.

    • The value of the specified attribute is of the character type and it has the character length that can be used as userId.

    • It is unique in the search range of base_dn or user_tree_dn.

  • --user_tree_dn <base distinguished name>

    Specify Base Distinguished Name (up to 8,192 characters) used as the point from where a user will be searched for LDAP authentication. Specify it following the RFC 4514 stipulations.

    Search with user_tree_dn has priority when it is specified at the same time as base_dn.

    The default of this item is an empty string. If the value is an empty string, a string of "OU=users," followed by base_dn is handled as user_tree_dn.

  • --user_object_class <object class>

    Specify LDAP object class (up to 8,192 characters) to be mapped as a user. Only the LDAP entry which is the applicable object class is mapped.

  • --external_group_name_attribute <attribute type>

    Specify LDAP Attribute Type (up to 8,192 characters) mapped as external_group_name in the user group.

    Specify it following the RFC 4514 stipulations.

    To enable a search as external_group_name, it must be unique in the search range of base_dn or user_group_tree_dn.

  • --user_group_tree_dn <base distinguished name>

    Specify Base Distinguished Name (up to 8,192 characters) used as the point from where a user group will be searched for LDAP authentication. Specify it following the RFC 4514 stipulations.

    Search with user_group_tree_dn has priority when it is specified at the same time as base_dn.

    The default of this item is an empty string. If the value is an empty string, a string of "OU=userGroups," followed by base_dn is handled as user_group_tree_dn.

  • --user_group_object_class <object class>

    Specify LDAP object class (up to 8,192 characters) to be mapped as a user group. Only the LDAP entry which is the applicable object class is mapped.

  • --timeout_seconds <second>

    Specify timeout time (-1 to 65,535, in seconds) applied to the connection to the LDAP server. -1 means that a session never times out. The default is -1. It is recommended that you use the default value without changing it.

  • --retry_interval_milliseconds <millisecond>

    Specify retry interval (1 to 3,000, in milliseconds) in communication with the LDAP server. The default is 100. It is recommended that you use the default value without changing it.

  • --max_retries <count>

    Specify number (0 to 65,535) of retries in communication with the LDAP server. 0 means that no retry is performed. The default is 3. It is recommended that you use the default value without changing it.
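
A pre-flight check for values intended for external_auth_server_setting_set, added here as an example; it is not part of the product or its documentation. The function names and the settings dictionary are assumptions, the URL pattern, limits and tree-DN defaults are taken from the option descriptions above, and the warning for ldap:// without StartTLS reflects general LDAP behaviour rather than a statement from this page.

```python
import re

# Pattern copied verbatim from the --primary_ldap_server_url description,
# split across lines only for readability.
LDAP_URL_RE = re.compile(
    r"^$|^ldaps?:\/\/("
    r"(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    r"|([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])\.)*([a-zA-Z0-9](|[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))"
    r")(:([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]))?/?$"
)
MAX_URL_LEN = 267    # "up to 267 characters"
MAX_DN_LEN = 8192    # "up to 8,192 characters"
URL_OPTIONS = ("primary_ldap_server_url", "secondary_ldap_server_url")
DN_OPTIONS = ("base_dn", "bind_dn", "user_tree_dn", "user_group_tree_dn")
INT_RANGES = {       # documented minimum and maximum per option
    "timeout_seconds": (-1, 65535),
    "retry_interval_milliseconds": (1, 3000),
    "max_retries": (0, 65535),
}


def check_ldap_url(option, url):
    """Return the problems found in one LDAP server URL ("" is valid: it resets the value)."""
    if len(url) > MAX_URL_LEN:
        return [f"--{option}: {len(url)} characters, limit is {MAX_URL_LEN}"]
    # fullmatch() also rejects a trailing newline, which a bare "$" would tolerate.
    if not LDAP_URL_RE.fullmatch(url):
        return [f"--{option}: {url!r} does not match the documented pattern"]
    return []


def effective_tree_dns(settings):
    """Apply the documented defaults used when the tree DNs are empty strings."""
    base = settings.get("base_dn", "")
    user = settings.get("user_tree_dn") or "OU=users," + base
    group = settings.get("user_group_tree_dn") or "OU=userGroups," + base
    return user, group


def review_settings(settings):
    """Return (errors, warnings) for a dict keyed by option name without the leading dashes."""
    errors, warnings = [], []
    # Assumption: an absent is_start_tls_enabled key is treated as disabled.
    start_tls = settings.get("is_start_tls_enabled", False)
    for option in URL_OPTIONS:
        url = settings.get(option, "")
        errors += check_ldap_url(option, url)
        if url.startswith("ldap://") and not start_tls:
            warnings.append(
                f"--{option}: ldap:// with StartTLS disabled, "
                "traffic to this server is not protected by TLS"
            )
    for option in DN_OPTIONS:
        if len(settings.get(option, "")) > MAX_DN_LEN:
            errors.append(f"--{option}: longer than {MAX_DN_LEN} characters")
    for option, (low, high) in INT_RANGES.items():
        if option in settings and not low <= settings[option] <= high:
            errors.append(f"--{option}={settings[option]} is outside {low} to {high}")
    return errors, warnings


# Constructed sample values (not from a real cluster): the primary uses ldaps://,
# but the secondary falls back to plain ldap:// while StartTLS is off.
CONSTRUCTED_SETTINGS = {
    "primary_ldap_server_url": "ldaps://ldap1.example.com:636",
    "secondary_ldap_server_url": "ldap://ldap2.example.com:389",
    "is_start_tls_enabled": False,
    "base_dn": "DC=example,DC=com",
    "bind_dn": "CN=svc-storage,OU=service,DC=example,DC=com",
    "user_tree_dn": "",
    "user_group_tree_dn": "",
    "timeout_seconds": -1,
    "retry_interval_milliseconds": 100,
    "max_retries": 3,
}

if __name__ == "__main__":
    found_errors, found_warnings = review_settings(CONSTRUCTED_SETTINGS)
    for line in found_errors + found_warnings:
        print(line)
    print("search bases:", effective_tree_dns(CONSTRUCTED_SETTINGS))
```
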

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

external_auth_server_setting_verify_connectivity

Required Role: Security or Service

Description

Verifies the connection with the external authentication server. As the connection destination, use the external authentication server which is already set.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] external_auth_server_setting_verify_connectivity
Options and parameters

None

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_auth_setting_show

Required Role: None

Description

Obtains the user authentication settings.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] user_auth_setting_show
Options and parameters

None

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_auth_setting_set

Required Role: Security

Description

Edits the user authentication settings.

This CLI can be executed only for a cluster master node (primary). If this CLI is executed for any node other than a cluster master node (primary), an error is returned.

Syntax
hsds [master command option] user_auth_setting_set
--min_length <int32>  (optional)
--min_number_of_upper_case_chars <int32>  (optional)
--min_number_of_lower_case_chars <int32>  (optional)
--min_number_of_numerals <int32>  (optional)
--min_number_of_symbols <int32>  (optional)
--number_of_password_history <int32>  (optional)
--requires_initial_password_reset <boolean>  (optional)
--min_age_days <int32>  (optional)
--max_age_days <int32>  (optional)
--max_attempts <int32>  (optional)
--lockout_seconds <int32>  (optional)
--max_lifetime_seconds <int32>  (optional)
--max_idle_seconds <int32>  (optional)
Options and parameters
  • --min_length <length>

    Specify minimum password length (1 to 256).

    This setting is applied only to users whose authentication is local.

  • --min_number_of_upper_case_chars <number>

    Specify minimum number (0 to 256) of uppercase alphabetical characters contained in a password.

    If you specify a value to make (sum of --min_number_of_upper_case_chars, --min_number_of_lower_case_chars, --min_number_of_numerals, and --min_number_of_symbols) greater than --min_length, an error is returned.

    This setting is applied only to users whose authentication is local.

  • --min_number_of_lower_case_chars <number>

    Specify minimum number (0 to 256) of lowercase alphabetical characters contained in a password.

    If you specify a value to make (sum of --min_number_of_upper_case_chars, --min_number_of_lower_case_chars, --min_number_of_numerals, and --min_number_of_symbols) greater than --min_length, an error is returned.

    This setting is applied only to users whose authentication is local.

  • --min_number_of_numerals <number>

    Specify minimum number (0 to 256) of numerals (0 to 9) contained in a password.

    If you specify a value to make (sum of --min_number_of_upper_case_chars, --min_number_of_lower_case_chars, --min_number_of_numerals, and --min_number_of_symbols) greater than --min_length, an error is returned.

    This setting is applied only to users whose authentication is local.

  • --min_number_of_symbols <number>

    Specify minimum number (0 to 256) of symbols (excluding alphanumeric characters) contained in a password.

    If you specify a value to make (sum of --min_number_of_upper_case_chars, --min_number_of_lower_case_chars, --min_number_of_numerals, and --min_number_of_symbols) greater than --min_length, an error is returned.

    This setting is applied only to users whose authentication is local.

  • --number_of_password_history <number>

    Specify number (1 to 10) of generations from generation 1 (when the password was changed) for which use of a previously used password is prohibited. 1 means that this limit is disabled (the user can set the same password as a past one).

    This setting is applied only to users whose authentication is local.

  • --requires_initial_password_reset {true | false}

    Specify whether a new user is forced to change the default password before the initial login. If true, a new user is forced to change the default password before the initial login.

    This setting is applied only to users whose authentication is local.

  • --min_age_days <number of days>

    Specify number of days (0 to 10) after which you can change the password again after you changed the password last. 0 means that the expiration time is disabled (the user can change the password immediately).

    This setting is applied only to users whose authentication is local.

    An error is returned if both --min_age_days and --max_age_days are not 0 and --min_age_days ≥ --max_age_days.

  • --max_age_days <number of days>

    Specify number (0 to 365) of days during which you can use the password after you changed the password last. The password is invalid after this period has elapsed. 0 means that this limit is disabled (the user can use the password indefinitely).

    This setting is applied only to users whose authentication is local.

    An error is returned if both --min_age_days and --max_age_days are not 0 and --min_age_days ≥ --max_age_days.

  • --max_attempts <number>

    Specify number (0 to 10) of consecutive login failures until the account is locked. 0 means that the function is disabled (the user can be unsuccessful an unlimited number of times).

    This setting is applied only to users whose authentication is local.

  • --lockout_seconds <seconds>

    Specify duration (60 to 600, unit: seconds) after the account is locked due to consecutive login failures until the account is unlocked.

    This setting is applied only to users whose authentication is local.

  • --max_lifetime_seconds <seconds>

    Specify token lifetime (1,800 to 604,800, unit: seconds). After authentication, authentication by the authentication token is enabled during this period.

  • --max_idle_seconds <seconds>

    Specify time until the session times out (300 to 86,400, unit: seconds). The session is disabled if the REST API server is not accessed using the session during this specified time after the server is accessed using the session.
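
A pre-flight check for a complete set of user_auth_setting_set values, added here as an example; it is not part of the product or its documentation. The function name and the policy dictionary are assumptions; the ranges, the two cross-option error conditions and the values that disable a control are taken from the option descriptions above.

```python
# Documented minimum and maximum for each option (option name without the leading dashes).
RANGES = {
    "min_length": (1, 256),
    "min_number_of_upper_case_chars": (0, 256),
    "min_number_of_lower_case_chars": (0, 256),
    "min_number_of_numerals": (0, 256),
    "min_number_of_symbols": (0, 256),
    "number_of_password_history": (1, 10),
    "min_age_days": (0, 10),
    "max_age_days": (0, 365),
    "max_attempts": (0, 10),
    "lockout_seconds": (60, 600),
    "max_lifetime_seconds": (1800, 604800),
    "max_idle_seconds": (300, 86400),
}
CLASS_OPTIONS = (
    "min_number_of_upper_case_chars",
    "min_number_of_lower_case_chars",
    "min_number_of_numerals",
    "min_number_of_symbols",
)
# Values the option descriptions document as switching a control off.
DISABLING = {
    "number_of_password_history": (1, "reuse of past passwords is allowed"),
    "max_age_days": (0, "passwords can be used indefinitely"),
    "max_attempts": (0, "unlimited failed logins, no account lockout"),
}


def check_policy(policy):
    """Return (errors, notes) for the full policy that would result from the command.

    errors: combinations the page says are rejected with an error.
    notes:  accepted values that disable a control, for review before applying.
    """
    errors, notes = [], []
    for option, (low, high) in RANGES.items():
        if option in policy and not low <= policy[option] <= high:
            errors.append(f"--{option}={policy[option]} is outside {low} to {high}")

    # The sum of the four character-class minimums must not exceed --min_length.
    class_total = sum(policy.get(option, 0) for option in CLASS_OPTIONS)
    if "min_length" in policy and class_total > policy["min_length"]:
        errors.append(
            f"character-class minimums total {class_total}, "
            f"greater than --min_length={policy['min_length']}"
        )

    # An error is returned if both ages are non-zero and min_age_days >= max_age_days.
    min_age = policy.get("min_age_days", 0)
    max_age = policy.get("max_age_days", 0)
    if min_age != 0 and max_age != 0 and min_age >= max_age:
        errors.append(f"--min_age_days={min_age} is not less than --max_age_days={max_age}")

    for option, (value, meaning) in DISABLING.items():
        if policy.get(option) == value:
            notes.append(f"--{option}={value}: {meaning}")
    return errors, notes


# Constructed sample policies (not from a real cluster).
CONSTRUCTED_OK = {
    "min_length": 12, "min_number_of_upper_case_chars": 1,
    "min_number_of_lower_case_chars": 1, "min_number_of_numerals": 1,
    "min_number_of_symbols": 1, "number_of_password_history": 5,
    "min_age_days": 1, "max_age_days": 90, "max_attempts": 5,
    "lockout_seconds": 600, "max_lifetime_seconds": 1800, "max_idle_seconds": 300,
}
CONSTRUCTED_BAD = dict(
    CONSTRUCTED_OK,
    min_length=8, min_number_of_upper_case_chars=3, min_number_of_lower_case_chars=3,
    min_number_of_numerals=2, min_number_of_symbols=2,   # total 10 > 8
    min_age_days=10, max_age_days=10,                     # min is not less than max
    lockout_seconds=30,                                   # below the documented minimum
    max_attempts=0,                                       # lockout switched off
)

if __name__ == "__main__":
    for name, policy in (("ok", CONSTRUCTED_OK), ("bad", CONSTRUCTED_BAD)):
        policy_errors, policy_notes = check_policy(policy)
        print(name, "errors:", policy_errors, "notes:", policy_notes)
```
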

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_group_list

Required Role: Security or VpsSecurity

Description

Obtains a list of user groups.

Syntax
hsds [master command option] user_group_list
--vps_id <str>  (optional)
Options and parameters
  • --vps_id <VPS ID>

    The ID of the virtual private storage (VPS) that the acquisition-target resource belongs to.

    To filter out the resources that do not belong to the VPS, specify "system".

    To filter the resources by the VPS that the resources belong to, specify it in UUID format.

    must match /^system$|^[A-Fa-f0-9]{8}(-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$/

Responses
  • Normal termination

    Description

    A list of user group summary information.

    Properties

Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_group_create

Required Role: Security or VpsSecurity

Description

Creates a user group.

Syntax
hsds [master command option] user_group_create
--user_group_id <str>  (required)
--role_names <str[]>  (required)
--external_group_name <str>  (optional)
--vps_id <str>  (optional)
--scope <str[]>  (optional)
Options and parameters
  • --user_group_id <User group ID>

    Specify user group ID (1 to 64 characters).

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

  • --role_names <role name>

    Specify role of the user group.

    For system administrators, specify one to six items. You can specify the "Security", "Storage", "Monitor", "Service", "Audit", or "Resource" role.

    For VPS administrators, specify one to three items. You can specify the "VpsSecurity", "VpsStorage", or "VpsMonitor" role.

    At least one role must be specified. If no role was specified, an error is returned.

  • --external_group_name <external group name>

    Specify name (1 to 4096 characters) of the group registered with an external authorization server when the external authorization server is linked.

    When assigning a role to a group in an external authorization server, specify a group name in the external authorization server for this attribute. If omitted, this user group is not linked to the external authorization server.

  • --vps_id <VPS ID>

    The ID of the operation-target virtual private storage (VPS).

    To specify a resource that does not belong to the VPS, set "system" for this property.

    If this property is omitted, the VPS that the user who runs the CLI belongs to is assumed to be the operation target. If the user who runs the CLI is a system administrator, it will be "system".

    must match /^system$|^[A-Fa-f0-9]{8}(-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$/

  • --scope <VPS IDs>

    An array of the IDs (1 to 65 items) of virtual private storages (VPSs) that the user group can access.

    This item can be omitted. If this property is omitted, a single-element array consisting of only the ID of the VPS that the user who runs the CLI belongs to is automatically set. If the user who runs the CLI is a system administrator, "system" is set.

    Because a system administrator can access multiple VPSs, if this parameter has the "system" element, multiple IDs of VPSs can be specified. A VPS administrator, who can access only one VPS, can specify only one ID.

    The ID of the VPS specified with --vps_id cannot be omitted. If it is not included, an error is returned.

    If the --vps_id property is omitted and its setting is automatically specified, the ID of the VPS that the user who runs the CLI belongs to must be included. If it is not included, an error is returned.

    In the case of a system administrator group where the ID of the VPS that the user group belongs to is "system", any VPSs can be specified. In the case of a VPS administrator group where the ID of the VPS that the user group belongs to is not "system", only one array element can be specified. If two or more elements are specified, an error is returned.

    must match /^system$|^[A-Fa-f0-9]{8}(-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$/

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_group_delete

Required Role: Security or VpsSecurity

Description

Deletes a user group.

Syntax
hsds [master command option] user_group_delete 
--user_group_id <str>  (required)
Options and parameters
  • --user_group_id <user group ID>

    Specify user group ID (1 to 64 characters).

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

Responses
  • Normal termination

    None

Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_group_show

Required Role: Security or VpsSecurity

Description

Obtains the user group information.

Syntax
hsds [master command option] user_group_show
--user_group_id <str>  (required)
Options and parameters
  • --user_group_id <user group ID>

    Specify user group ID (1 to 64 characters).

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_group_set

Required Role: Security or VpsSecurity

Description

Edits the user group information.

Syntax
hsds [master command option] user_group_set
--user_group_id <str> (required)
--role_names <str[]> (optional)
--scope <str[]> (optional)
Options and parameters
  • --user_group_id <user group ID>

    Specify user group ID (1 to 64 characters).

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

  • --role_names <role name>

    Specify role of the user group.

    For system administrators, specify one to six items. You can specify the "Security", "Storage", "Monitor", "Service", "Audit", or "Resource" role.

    For VPS administrators, specify one to three items. You can specify the "VpsSecurity", "VpsStorage", or "VpsMonitor" role.

    At least one role must be specified. If no role is specified, an error is returned.

  • --scope <VPS IDs>

    An array of the IDs (1 to 65 items) of virtual private storages (VPSs) that the user group can access.

    Because a system administrator can access multiple VPSs, if this parameter has the "system" element, multiple IDs of VPSs can be specified. A VPS administrator, who can access only one VPS, can specify only one ID.

    The ID of the VPS that the user group belongs to cannot be omitted. If it is not included, an error is returned.

    In the case of a system administrator group (if the ID of the VPS that the user group belongs to is "system"), any VPSs can be specified. In the case of a VPS administrator group (if the ID of the VPS that the user group belongs to is not "system"), only one array element can be specified. If two or more elements are specified, an error is returned.

    must match /^system$|^[A-Fa-f0-9]{8}(-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$/

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_list

Required Role: Security or VpsSecurity

Description

Obtains a list of users.

If external authentication is enabled and "mappingMode" is set to "Group", the users on the external authentication server are not included in the output list and only the users whose "authentication" is "local" are included in the output list.

Syntax
hsds [master command option] user_list
--vps_id <str>  (optional)
Options and parameters
  • --vps_id <VPS ID>

    The ID of the virtual private storage (VPS) that the acquisition-target resource belongs to.

    To filter out the resources that do not belong to the VPS, specify "system".

    To filter the resources by the VPS that the resources belong to, specify it in UUID format.

    must match /^system$|^[A-Fa-f0-9]{8}(-[A-Fa-f0-9]{4}){3}-[A-Fa-f0-9]{12}$/

Responses
  • Normal termination

    Description

    A list of user information.

    Properties

Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_create

Required Role: Security or VpsSecurity

Description

Creates a user.

Syntax
hsds [master command option] user_create
--user_id <str>  (required)
--password <str>  (optional)
--user_group_ids <str[]>  (required)
--authentication <str>  (optional)
--is_enabled_console_login <boolean>  (optional)
Options and parameters
  • --user_id <user ID>

    Specify user ID (6 to 255 characters).

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{6,255}$/

    If --is_enabled_console_login is set to true, the user ID must be 6 to 28 characters and match the following:

    /^[A-Za-z_][-A-Za-z0-9._]{5,27}$/

  • --password <password>

    Specify user password (1 to 256 characters). The specifiable values can be restricted by policy. The regular expressions described here show the case where the input restrictions by policy are the least strict.

    Either of the following conditions must be met in combination with --authentication:

    • Nothing is specified for --authentication, or local is specified for --authentication and --password is specified.

    • external is specified for --authentication, and --password is not specified.

    An error is returned when none of the conditions is satisfied.

    must match /^[\-A-Za-z0-9!#\$%&"'\(\)\*\+,\.\/:;<>=\?@\[\]\\\^_`\{\}\|~]{1,256}$/

    Caution
    • If --password is not specified, a prompt will appear. To specify a password, enter it at the prompt using standard input. Otherwise, press Enter without entering a value.

      password (if omitted, press the [Enter] key) []:

      The contents of the password specified by the option remain in the command history. Enter the password using standard input without the option.

    • Note the following when specifying a location name containing "\". To avoid the inconvenience of escaping, set a value that does not include "\".

      • The CLI program interprets "\t", "\r", and "\n" in the specified string as tab and line feed codes.

      • If you type "\\", the CLI program will interpret it as one escape character "\".

      • To enter the strings "\t", "\r", and "\n", enter "\\t", "\\r", and "\\n", respectively.

  • --user_group_ids <user group IDs>

    Specify a list of user group IDs (1 to 8 items, 1 to 64 characters) to which the user belongs.

    The user will be created on the virtual private storages (VPSs) that the specified user groups belong to.

    In the following cases, an error is returned:

    • The IDs of all the VPSs that the specified user groups belong to are not the same.

    • Access permission for the VPSs that the specified user group belongs to are not assigned.

    • The maximum allowable number of users on the VPSs that the specified user group belongs to is exceeded.

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

  • --authentication {local | external}

    Specify authentication type.

    • local (default): Authenticated locally.

    • external: Authenticated by the external authentication server.

  • --is_enabled_console_login {true | false}

    (Virtual machine) This option will be ignored if specified.

    (Bare metal) Specify whether the use of console interface is permitted.

    • true: The console interface can be used.

    • false: The console interface cannot be used.

    If this option is set to true when the virtual private storage (VPS) that the specified user group belongs to is other than "system", an error is returned.

Responses
Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_delete

Required Role: Security or VpsSecurity

Description

Deletes a user.

If you do not have access permission for the virtual private storage (VPS) that the specified user belongs to, an error is returned.

Syntax
hsds [master command option] user_delete
--user_id <str>  (required)
Options and parameters
  • --user_id <user ID>

    Specify user ID (5 to 255 characters).

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

Responses
  • Normal termination

    None

Note

When text is specified for format, it is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For the HTTP status code, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_show

Required Role: None

Description

Obtains the user information.

If you have the Security or VpsSecurity role, you can specify the user ID of any user in your accessible range in this CLI. If you do not have the Security or VpsSecurity role, you can specify only your own user ID. If you specify a user ID other than your own, an error is returned regardless of whether the specified user ID exists.

If external authentication is enabled and "mappingMode" is set to "Group", specifying a user name on the external authentication server for --user_id returns an error.

If "self" is specified for --user_id, information about the user who was authenticated when this CLI was issued is returned.

Syntax
hsds [master command option] user_show
--user_id <str>  (required)
Options and parameters
  • --user_id <user ID>

    Specify user ID (up to 255 characters).

    must match /^self$|^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

Responses
Note

When text is specified for format, the response is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For HTTP status codes, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_set

Required Role: Security or VpsSecurity

Description

Edits the user information.

When the password is changed with this CLI, if requiresInitialPasswordReset of the user authentication setting is true, the password of the user expires.

The expired password can be recovered by using the password changing API (PATCH /v1/objects/users/<userId>/password) or CLI (user_password_set) of the local user.

If you do not have access permission for the virtual private storage (VPS) that the specified user belongs to, an error is returned.

Syntax
hsds [master command option] user_set
--user_id <str>  (required)
--password <str>  (required *1)
--is_enabled <boolean>  (required *1)
Caution

*1: Either --password or --is_enabled must be specified.

Options and parameters
  • --user_id <user ID>

    Specify user ID (5 to 255 characters).

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

  • --password <new password>

    Specify new password (1 to 256 characters).

    The specifiable values can be restricted by policy. The regular expressions described here show the case where the input restrictions by policy are the least strict.

    Either --password or --is_enabled must be specified. If neither of them is specified, an error is returned.

    must match /^[\-A-Za-z0-9!#\$%&"'\(\)\*\+,\.\/:;<>=\?@\[\]\\\^_`\{\}\|~]{1,256}$/

    Caution
    • If --password is not specified, a prompt appears. To set a password, enter it using standard input. Otherwise, press Enter without entering a value.

      password (if omitted, press the [Enter] key) []:

      The contents of the password specified by the option remain in the command history. Enter the password using standard input without the option.

    • Note the following when specifying a location name containing "\". To avoid the inconvenience of escaping, set a value that does not include "\".

      • The CLI program interprets "\t", "\r", and "\n" in the specified string as tab and line feed codes.

      • If you type "\\", the CLI program will interpret it as one escape character "\".

      • To enter the strings "\t", "\r", and "\n", enter "\\t", "\\r", and "\\n", respectively.

  • --is_enabled {true | false}

    Enables or disables the user.

    Either --password or --is_enabled must be specified. If neither of them is specified, an error is returned.

Responses
Note

When text is specified for format, the response is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For HTTP status codes, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_add_user_group

Required Role: Security or VpsSecurity

Description

Adds a user to a user group.

If you do not have access permission for the virtual private storage (VPS) that the specified user belongs to, an error is returned.

Syntax
hsds [master command option] user_add_user_group
--user_id <str> (required)
--user_group_ids <str[]> (required)
Options and parameters
  • --user_id <user ID>

    Specify user ID (5 to 255 characters).

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

  • --user_group_ids <user group IDs>

    Specify a list of user group IDs (1 to 8 items, 1 to 64 characters) to which a user is to be added.

    If you specify a user group whose "externalGroupName" is not a null value, an error is returned.

    If the IDs of all virtual private storages (VPSs) that the specified user group belongs to and the IDs of all VPSs that the target user belongs to do not match, an error is returned.

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

Responses
Note

When text is specified for format, the response is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For HTTP status codes, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_delete_user_group

Required Role: Security or VpsSecurity

Description

Deletes a user from a user group.

If you do not have access permission for the virtual private storage (VPS) that the specified user belongs to, an error is returned.

Syntax
hsds [master command option] user_delete_user_group
--user_id <str>  (required)
--user_group_ids <str[]>  (required)
Options and parameters
  • --user_id <user ID>

    Specify user ID.

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

  • --user_group_ids <user group IDs>

    Specify a list of user group IDs (1 to 8 items, 1 to 64 characters) from which a user is to be deleted.

    must match /^[a-zA-Z0-9!#\$%&'\-\.@\^_`\{\}~]{1,64}$/

Responses
Note

When text is specified for format, the response is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For HTTP status codes, see Response definitions.

Authentication schemes
  • basic authentication

  • session authentication

user_password_set

Required Role: None

Description

Changes the password of the local user.

You can execute this CLI only for a user whose "authentication" is set to "local". If you execute the CLI for a user whose "authentication" is set to "external", an error is returned.

For security reasons, an error is returned even if an invalid password is specified as the current password or a non-existent user is specified as --user_id.

Syntax
hsds [master command option] user_password_set
--user_id <str> (required)
--current_password <str> (optional)
--new_password <str> (optional)
Options and parameters
  • --user_id <user ID>

    Specify user ID (5 to 255 characters).

    must match /^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$/

  • --current_password <current password>

    Specify current password (1 to 256 characters).

    must match /^[\-A-Za-z0-9!#\$%&"'\(\)\*\+,\.\/:;<>=\?@\[\]\\\^_`\{\}\|~]{1,256}$/

    Caution
    • When --current_password is not specified, a prompt is displayed. In this case, enter a password via standard input.

      current_password:

      The contents of a password specified by the option remain in the command history. Enter the password using standard input without the option.

    • Note the following when specifying a location name containing "\". To avoid the inconvenience of escaping, set a value that does not include "\".

      • The CLI program interprets "\t", "\r", and "\n" in the specified string as tab and line feed codes.

      • If you type "\\", the CLI program will interpret it as one escape character "\".

      • To enter the strings "\t", "\r", and "\n", enter "\\t", "\\r", and "\\n", respectively.

  • --new_password <new password>

    Specify new password (1 to 256 characters).

    The specifiable values can be restricted by policy. The regular expressions described here show the case where the input restrictions by policy are the least strict.

    must match /^[\-A-Za-z0-9!#\$%&"'\(\)\*\+,\.\/:;<>=\?@\[\]\\\^_`\{\}\|~]{1,256}$/

    Caution
    • When --new_password is not specified, a prompt is displayed. In this case, enter a password via standard input.

      new_password:

      The contents of a password specified by the option remain in the command history. Enter the password using standard input without the option.

    • Note the following when specifying a location name containing "\". To avoid the inconvenience of escaping, set a value that does not include "\".

      • The CLI program interprets "\t", "\r", and "\n" in the specified string as tab and line feed codes.

      • If you type "\\", the CLI program will interpret it as one escape character "\".

      • To enter the strings "\t", "\r", and "\n", enter "\\t", "\\r", and "\\n", respectively.
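
A pre-flight check for user_set and user_password_set input, given here as an added example and not as Hitachi's own code: it applies the user ID and password patterns from this page and models the documented backslash handling, so a value that the CLI would rewrite is caught before it is typed. The function names are hypothetical, and the handling of backslash sequences other than the four documented ones is an assumption.

```python
import re

# Patterns copied from this page (least-strict policy case for passwords).
USER_ID = r"^[\-A-Za-z0-9!#\$%&'\.@\^_`\{\}~]{5,255}$"
PASSWORD = r"""^[\-A-Za-z0-9!#\$%&"'\(\)\*\+,\.\/:;<>=\?@\[\]\\\^_`\{\}\|~]{1,256}$"""
# The four sequences the page says the CLI interprets.
_ESCAPES = {"t": "\t", "r": "\r", "n": "\n", "\\": "\\"}


def matches(pattern, value):
    # fullmatch, because Python's "$" on its own also accepts a trailing newline.
    return re.fullmatch(pattern, value) is not None


def cli_interpret(typed):
    r"""Model of the documented handling: \t, \r, \n become control codes, \\ becomes \.
    Assumption: any other backslash sequence is passed through unchanged."""
    out, i = [], 0
    while i < len(typed):
        nxt = typed[i + 1] if i + 1 < len(typed) else ""
        if typed[i] == "\\" and nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
            i += 2
        else:
            out.append(typed[i])
            i += 1
    return "".join(out)


def cli_escape(intended):
    """What to type so the CLI ends up with `intended`: double every backslash."""
    return intended.replace("\\", "\\\\")


def check_user_set(user_id, password=None, is_enabled=None):
    """Return a list of problems with a planned user_set call (empty list = OK)."""
    problems = []
    if not matches(USER_ID, user_id):
        problems.append("user_id does not match the documented pattern")
    if password is None and is_enabled is None:
        problems.append("either --password or --is_enabled must be specified")
    if password is not None:
        if not matches(PASSWORD, password):
            problems.append("password does not match the documented pattern")
        elif cli_interpret(password) != password:
            problems.append("password has a backslash sequence the CLI rewrites; double each backslash")
    return problems
```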

Responses
Note

When text is specified for format, the response is output in the format described in Output format.

When json is specified for format, the HTTP status code is also output. For HTTP status codes, see Response definitions.
