Pulp Users

It is important to not confuse users with consumers. A consumer represents a client system connecting to and retrieving content from a Pulp server. Users, on the other hand, are used for two purposes:

All pulp-admin commands accept two parameters to capture authentication credentials:

These arguments are passed to the pulp-admin script itself and not the command being executed:

# Correct
$ pulp-admin -u admin -p admin repo list

# Incorrect
$ pulp-admin repo list -u admin -p admin

Logging In

Log In

Rather than specifying the credentials on each call to pulp-admin, a user can log in to the Pulp server. Logging in stores a user credentials certificate at ~/.pulp/user-cert.pem. Logging in is done through the auth login command:

$ pulp-admin auth login -u admin -p admin
User credentials successfully stored at [/home/pulp-user/.pulp]

Subsequent commands to pulp-admin will no longer require the username/password arguments and will instead use the user certificate.

Log Out

To log out of a Pulp server, the auth logout command is used. Subsequent calls to pulp-admin will require either the username/password arguments or for auth login to be run again:

$ pulp-admin auth logout
User credentials removed from [/home/pulp-user/.pulp]

User Management

The pulp-admin script provides basic user manipulation functionality. The first step in a new Pulp installation should be to use the user update command to change the default admin password.

Create

Pulp stores a limited set of information about its users. The only required piece of information is the username which must be unique in a given Pulp server:

$ pulp-admin user create --username hal
Enter password for user hal: 
Successfully created user [ hal ] with name [  ]

The following attributes can be specified at user creation:

Name Flag Description
Username --username Required. Username that will be used when logging into the Pulp server. This must be unique for each user in the system.
Name --name Optional display name to further identify the user.

Immediately after calling the user create command, a non-echo prompt is used to securely request the user's initial password.

A more complete example of creating a user is as follows:

$ pulp-admin user create --username hal --name "Hal Jordan"
Enter password for user hal: 
Successfully created user [ hal ] with name [ Hal Jordan ]

Delete

Users are removed from the Pulp server through the user delete command. The only argument is the username of the user being deleted:

$ pulp-admin user delete --username hal
Successfully deleted User [ hal ]

Update

Once in the Pulp server, certain user information can be updated. Depending on the data being updated, the flow is slightly different:

Name

The display name for the user can be changed by passing the new value to the --name argument, having identified the user using --username:

$ pulp-admin user update --username hal --name "Hal Jordan"
Successfully updated [ hal ] with name [ Hal Jordan ]

Password

As in the user creation, the password is entered through a non-echo prompt. As such, the --password argument does not accept a value. The prompt will appear once the command is entered:

$ pulp-admin user update --username hal --password
Enter new password for user hal: 
Successfully updated [ hal ] with name [ Hal Jordan ]

List

The list of all users in the Pulp server can be retrieved with the user list command:

$ pulp-admin user list
+------------------------------------------+
               Available Users
+------------------------------------------+

Login :               	admin                        
Name  :               	None                     
Roles :               	super-users               


Login :               	hal                          
Name  :               	Hal Jordan               
Roles :               	                         

Permissions

The pulp-admin script allows permissions to be manipulated for users. Permissions can be granted, revoked, and displayed through the permission command.

Display Permissions

Permissions are displayed using the permission show command, indicating the resource in question with the --resource argument:

$ pulp-admin permission show --resource /
+------------------------------------------+
              Permissions for /
+------------------------------------------+
  admin                	CREATE, READ, UPDATE, DELETE, EXECUTE

Grant Permission

The permission grant command is used to create a new permission.

To grant a user permission, use the grant action. The following arguments are available to the permission grant command:

Name Flag Description
Resource ID --resource Indicates the resource REST API path whose permissions are being manipulated.
Username --user Indicates the user to which access to the resource is being granted.
Operations -o Indicates the type of permission being granted. Multiple types can be specified using multiple instances of this flag. See the section below for more information on valid operations.

Operations

The following are valid values for the operations flag when granting a permission:

For example:

$ pulp-admin permission grant --resource /repositories/ --user user -o create -o update
Operations ['CREATE', 'UPDATE'] granted to user [ user ] on resource [ /repositories/ ]

Revoke Permission

Revoking permissions works exactly the same as granting, but with the opposite results. The permission revoke command accepts the same arguments as permission grant.

$ pulp-admin permission revoke --resource /repositories/ --user user -o update
Operations ['UPDATE'] revoked from user [ user ] on resource [ /repositories/ ]

Roles

In order to efficiently administer permissions, Pulp uses the notion of roles to enable an administrator to grant and revoke permission on a resource to a group of users instead of individually. The role command provides the ability to list the currently defined roles, retrieve information on a role, create/delete roles, and manage user membership in a role.

List Roles

The role list command is used to list the current roles.

$ pulp-admin role list
+------------------------------------------+
               Available Roles
+------------------------------------------+
  super-users
  consumer-users

Role Information

The role info command retrieves detailed information for a role identified by the --role argument.

$ pulp-admin role info --role super-users
+------------------------------------------+
      Role Information for super-users
+------------------------------------------+
Name                	super-users              
Users               	admin                    
Permissions:
  /                	CREATE, READ, UPDATE, DELETE, EXECUTE

Create a Role

The role create command creates a new role using the --role argument to indicate it's name. Each role must have a unique name.

$ pulp-admin role create --role new-role
Role [ new-role ] created

Delete a Role

The role delete command deletes an existing role.

$ pulp-admin role delete --role new-role
Role [ new-role ] deleted

Add a User to a Role

Users are added to a role using the role add action. The following parameters are required:

Name Flag Description
Role --role Name of the role; this role must already exist in the Pulp server.
Username --user Username of the user being added to the role.

Users are added to an existing role using the role add command:

$ pulp-admin role add --role new-role --user user
[ user ] added to role [ new-role ]

Remove a User from a Role

Users are removed from a role in much the same way as they are added using the role remove command:

$ pulp-admin role remove --role new-role --user user
[ user ] removed from role [ new-role ]

Granting and Revoking Permissions to/from a Role

Permissions can be granted and revoked from roles just like users. User the permission grant or permission revoke command as noted above, but pass in the --role flag instead of --user:

$ pulp-admin permission grant --resource /repositories/ --role new-role -o create
Operations ['CREATE'] granted to role [ new-role ] on resource [ /repositories/ ]

$ pulp-admin permission revoke --resource /repositories/ --role new-role -o update
Operations ['UPDATE'] revoked from role [ new-role ] on resource [ /repositories/ ]