User Management

A Ondat cluster admin can create users and restrict their access rights to Ondat namespaces using policies.

Note: Users are created with access to the default namespace. This access is only revoked when a policy is created for the user or their group.

Creating users

To create a user with the CLI, run:

$ storageos user create jim --groups qa

The above command will create a user named jim and add them to the group qa. The command will also prompt you to enter a password for the newly created user.

The groups flag is optional and the group will be created if it does not already exist.

List all users

To view all users, run:

$ storageos user ls
ID                                    USERNAME   GROUPS  ROLE
a3b2948c-c5ef-116c-35c0-0cf4a42acf79  storageos          admin
395f9e99-8f60-52e7-6a90-36096666fea3  test       test    user

Inspect users

To inspect a user, run:

$ storageos user inspect jim
[
    {
        "id": "7f27fa40-ffdf-c443-1e60-214378003b97",
        "username": "jim",
        "groups": "qa",
        "role": "user"
    }
]

Update a user

To update a users attributes, run:

$ storageos user update jim --add-groups dev

The above command would add jim to the dev group. To see all the options that update has use the command below:

$ storageos user update --help

Deleting users

To delete a user, run:

$ storageos user rm jim

Altering the Ondat API account

When installing with the Ondat Operator, the Ondat API account is defined by the storageos-api secret.

For installations using the native driver, Kubernetes uses the account defined in the secret to authenticate against the Ondat API. Therefore if the account details are changed, the Kubernetes storageos-api secret needs to be updated. In order to update the secret you need to base64 encode the new username/password and edit the storageos-api secret to reflect the new account details.

echo -n USERNAME | base64
echo -n PASSWORD | base64
kubectl edit secret storageos-api

For installations using CSI the storageos-api secret is used to define the default account credentials. However as Kubernetes communicates with Ondat via the CSI socket, the secret is not used after cluster bootstrapping.