-
Notifications
You must be signed in to change notification settings - Fork 19
ESGF_GroupMgmt
| Wiki Reorganisation |
|---|
| This page has been classified for reorganisation. It has been given the category REVISE. |
| This page contains useful content but needs revision. It may contain out of date or inaccurate content. |
Log into the ESG node via command line so that we can create a new user using the ESGF Shell. You will need the node's administrator password. _ NOTE: This password is the ESGF adminstrator password, not the host machine's administrator password (i.e. not the 'Unix' password for root) _ .
Start the shell by running esgf-sh (or esg-node --shell ) and view a sample session as a quick reference:
[root@dev bin]# esgf-sh
Welcome, root to the ESGF Shell...
v0.0.1 - by Gavin M. Bell ([email protected])
find: /usr/local/tomcat/webapps/esgf-security/WEB-INF: No such file or directory
Loading ESGF Builtin Shell Commands .............
Loading ESGF Contrib Shell Commands .
root@dev:[esgf-sh]> su
password>
rootAdmin@dev:[esgf-sh]:[admin]>
You are now at a point where you can issue commands at the ESGF shell.
To find out some more information, you can issue the help command. You should see something that resembles the following:
rootAdmin@dev:[esgf-sh]:[admin]> help
passwd --- <no info>
rolemod --- <no info>
ls --- <no info>
test --- <no info>
set --- <no info>
roleadd --- <no info>
groupmod --- <no info>
show --- <no info>
associate --- <no info>
clear --- <no info>
userdel --- <no info>
usermod --- <no info>
groupdel --- <no info>
help --- prints this command list
unset --- <no info>
groupadd --- <no info>
roledel --- <no info>
useradd --- <no info>
? --- prints this command list
(more useful information will be presented from the above output in subsequent releases. What is more useful is the _ --help _ command for each of the presented commands above -gavin)
Once logged into the shell, you may need to add a user. In order to do this, we are interested in the _ useradd _ command. Given a new sample user of "John Smith" with a username of "johnsmith", we will create a new user.
rootAdmin@dev:[esgf-sh]:[admin]> useradd -fn John -ln Smith -e [email protected] johnsmith
user to create is: [johnsmith]
firstname: [John]
lastname: [Smith]
email: [[email protected]]
Is this information correct and ready to be submitted? [Y/n] > Y
WARN [main] (DatabaseResource.java:getInstance():97) - Instance is NULL!!! "init" must be called prior to calling this method!!
[OK]
----------
UserInfo...
ID: 14
Open ID: https://dev.esg.anl.gov/esgf-idp/openid/johnsmith
First Name: John
Middle Name:
Last Name: Smith
User Name: johnsmith
Email: [email protected]
Dn:
Organization:
Org Type:
City:
State:
Country:
StatusCode: 1
Permissions (Groups and Roles):
-- no permissions -- :-(
----------
At this point, our user is created. As you can see, he has been issued a new OpenID on the local system, but he has no group/role permissions.
To set a user's password in ESGF Shell, the command is included here for reference:
rootAdmin@dev:[esgf-sh]:[admin]> passwd -u johnsmith PASSWORD
password updated :-)
The password must be typed in clear text on the terminal. If it's not included at the end, you may run into confusing usage information.
When logged into the ESGF Shell as the superuser, simply issue the groupadd command to create a new group. Here's an example when creating a new group called ' TestGroup ':
rootAdmin@dev:[esgf-sh]:[admin]> groupadd TestGroup
group to create is: [TestGroup]
WARN [main] (DatabaseResource.java:getInstance():97) - Instance is NULL!!! "init" must be called prior to calling this method!!
auto approval: [true]
visible: [true]
[OK]
To exit the shell, simply type exit twice. We enter it twice because the first time exits the 'su'/admin mode, and the second time exits the shell.
rootAdmin@dev:[esgf-sh]:[admin]> exit
root@dev:[esgf-sh]> exit
Goodbye :-)
To modify the group and roles a user is a part of we can also use the esgf-sh (please note the caveat: as of the Borough Park node release, spaces in group names are not permitted [see note below]). Method1 - using the shell is preferred... Method 3 is the most technical (manipulating the internal node database directly) - it is _ NOT advised _ .
In order to add user " _ permissions _ " you need to associate a tuple of 3 values; the user, the group and the role. The permission is this associated triple. The esgf-sh command is associate . For any esgf-sh command you can use the _ --help _ flag to see the help information.
rootAdmin@dev:[esgf-sh]:[admin]> associate --help
usage: associate [-add | -remove | -remove_all | -remove_group_from_user |
-remove_role_from_user] [-g <groupname>] [-h] [-n] [-r <rolename>]
-u <username>
-add creates a permission entry from the given
(user,group,role) tuple
-g,--groupname <groupname> group name you wish to associate
-h,--help print this message
-n,--no_prompt suppress request confirmation before making
associations
-r,--rolename <rolename> role name you wish to associate
-remove removes the specified group and role from
specified user
-remove_all removes all group and roles associated with
user
-remove_group_from_user removes the specified group from specified
user
-remove_role_from_user removes the specified role from specified
user
-u,--username <username> user name you wish to associate
To perform the creation of the permission do the following:
rootAdmin@dev:[esgf-sh]:[admin]> associate -add -u johnsmith -g TestGroup -r user
username: [johnsmith]
groupname: [TestGroup]
rolename: [user]
add: [true]
Is this information correct and ready to be submitted? [Y/n] > y
----------
UserInfo...
ID: 5
Open ID: https://esgf-node1.llnl.gov/esgf-idp/openid/johnsmith
First Name: John
Middle Name:
Last Name: Smith
User Name: johnsmith
Email: [email protected]
Dn:
Organization:
Org Type:
City:
State:
Country:
StatusCode: 1
Permissions (Groups and Roles):
TestGroup user
----------
rootAdmin@dev:[esgf-sh]:[admin]>
The esgf-sh that is installed in the Borough Park release does not support group names with spaces in them. This has been addressed and this feature is supported in subsequent releases. For the most part one should eschew spaces in names. The convention is (bactrian) CamelCase or using underscore (_). Yes, clearly, "CMIP5 Research" violates this rule of thumb, but currently exists as-is due to historical inertia.
-gavin
TODO (anyone have this working? Add info here!)
(not recommended)
Log into the ESGF database using the admin account on the system. For our example, we are using the super user called _ dbsuper _ and the database named _ esgcet _ :
[root@dev bin]# /usr/local/pgsql/bin/psql -U dbsuper esgcet
Password for user dbsuper:
psql (8.4.7)
Type "help" for help.
esgcet=#
Once logged in, we need to issue a few queries to find out some pieces of information. Of particular interest are the id fields of the user and group that you're working with. For example, if we want to make our user 'johnsmith' a member of ' TestGroup ', we need the id of 'johnsmith' as a user, and the id of ' TestGroup ' as a group. We also need some role information, so determining all of that is illustrated below.
esgcet=# select id from esgf_security.user where username='johnsmith';
id
----
14
(1 row)
esgcet=# select id from esgf_security.group where name='TestGroup';
id
----
5
(1 row)
We see the user id in this example is 14 and the group id is 5.
Now we should discover the available roles:
esgcet=# select * from esgf_security.role;
id | name | description
----+-----------+---------------------
1 | super | Super User
2 | none | None
3 | default | Standard
4 | publisher | Data Publisher
5 | admin | Group Administrator
6 | User |
7 | user |
(7 rows)
If we've decided that _ johnsmith _ should be a _ publisher _ of the _ TestGroup _ , then we finally put that all together in the following query:
esgcet=# insert into esgf_security.permission values(14,5,4,'t');
INSERT 0 1
The values being inserted into this table are in the order of: user_id, group_id, role_id, approved . So the above query said that we are adding user id 14 (johnsmith) to group id 5 ( TestGroup ) with the role of id 4 (publisher) and that they're automatically approved. If we wanted to allow _ johnsmith _ to also be an admin of the group, we would use the admin role id of 5 and modify the query as follows:
esgcet=# insert into esgf_security.permission values(14,5,5,'t');
INSERT 0 1
For each additional role or group or user, we simply change the appropriate Ids in the query of this form.