Pulp Users
It is important to not confuse users with consumers. A consumer represents a client system connecting to and retrieving content from a Pulp server. Users, on the other hand, are used for two purposes:
- Running administrative commands using pulp-admin
- Registering new consumers using pulp-consumer
All pulp-admin commands accept two parameters to capture authentication credentials:
- Username: -u or --username
- Password: -p or --password
These arguments are passed to the pulp-admin script itself and not the command being executed:
# Correct
$ pulp-admin -u admin -p admin repo list

# Incorrect
$ pulp-admin repo list -u admin -p admin
Logging In
Log In
Rather than specifying the credentials on each call to pulp-admin, a user can log in to the Pulp server. Logging in stores a user credentials certificate at ~/.pulp/user-cert.pem. Logging in is done through the auth login command:
$ pulp-admin auth login -u admin -p admin
User credentials successfully stored at [/home/pulp-user/.pulp]
Subsequent commands to pulp-admin will no longer require the username/password arguments and will instead use the user certificate.
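Since subsequent commands authenticate with this file instead of a password, it should be readable only by its owner. The following check is an added example, not part of the Pulp documentation or code base; the function name check_user_cert is hypothetical and the only path assumed is the ~/.pulp/user-cert.pem location named above:

```shell
#!/bin/sh
# Added example, not Pulp code: audit the certificate written by `auth login`.
# Assumption: the file lives at the path the page names, ~/.pulp/user-cert.pem.

# check_user_cert PATH
# Returns 0 when PATH is a regular file (not a symlink) owned by the current
# user with no group/other permission bits, inside a directory that group and
# others cannot write to. Otherwise prints the reason and returns 1.
check_user_cert() {
    cert=$1
    if [ -L "$cert" ]; then
        echo "FAIL: $cert is a symlink"; return 1
    fi
    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing or not a regular file"; return 1
    fi
    if [ ! -O "$cert" ]; then
        echo "FAIL: $cert is not owned by the current user"; return 1
    fi
    # ls -ld prints the mode as e.g. -rw-------; characters 5-10 are the
    # group and other bits and must all be '-'.
    mode=$(ls -ld -- "$cert" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "FAIL: $cert has mode $mode (group/other access)"; return 1 ;;
    esac
    # A writable parent directory lets another account replace the file.
    dir=$(dirname "$cert")
    dmode=$(ls -ld -- "$dir" | cut -c1-10)
    case $dmode in
        d????-??-?) ;;
        *) echo "FAIL: $dir has mode $dmode (group/other writable)"; return 1 ;;
    esac
    echo "OK: $cert ($mode)"
}

# Usage: check_user_cert "$HOME/.pulp/user-cert.pem"
```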
Log Out
To log out of a Pulp server, the auth logout command is used. Subsequent calls to pulp-admin will require either the username/password arguments or for auth login to be run again:
$ pulp-admin auth logout
User credentials removed from [/home/pulp-user/.pulp]
User Management
The pulp-admin script provides basic user manipulation functionality. The first step in a new Pulp installation should be to use the user update command to change the default admin password.
Create
Pulp stores a limited set of information about its users. The only required piece of information is the username which must be unique in a given Pulp server:
$ pulp-admin user create --username hal
Enter password for user hal:
Successfully created user [ hal ] with name [ ]
The following attributes can be specified at user creation:
| Name | Flag | Description |
| Username | --username | Required. Username that will be used when logging into the Pulp server. This must be unique for each user in the system. |
| Name | --name | Optional display name to further identify the user. |
Immediately after calling the user create command, a non-echo prompt is used to securely request the user's initial password.
A more complete example of creating a user is as follows:
$ pulp-admin user create --username hal --name "Hal Jordan"
Enter password for user hal:
Successfully created user [ hal ] with name [ Hal Jordan ]
Delete
Users are removed from the Pulp server through the user delete command. The only argument is the username of the user being deleted:
$ pulp-admin user delete --username hal
Successfully deleted User [ hal ]
Update
Once in the Pulp server, certain user information can be updated. Depending on the data being updated, the flow is slightly different:
Name
The display name for the user can be changed by passing the new value to the --name argument, having identified the user using --username:
$ pulp-admin user update --username hal --name "Hal Jordan"
Successfully updated [ hal ] with name [ Hal Jordan ]
Password
As in the user creation, the password is entered through a non-echo prompt. As such, the --password argument does not accept a value. The prompt will appear once the command is entered:
$ pulp-admin user update --username hal --password
Enter new password for user hal:
Successfully updated [ hal ] with name [ Hal Jordan ]
List
The list of all users in the Pulp server can be retrieved with the user list command:
$ pulp-admin user list
+------------------------------------------+
Available Users
+------------------------------------------+
Login : admin
Name : None
Roles : super-users
Login : hal
Name : Hal Jordan
Roles :
Permissions
The pulp-admin script allows permissions to be manipulated for users. Permissions can be granted, revoked, and displayed through the permission command.
Display Permissions
Permissions are displayed using the permission show command, indicating the resource in question with the --resource argument:
$ pulp-admin permission show --resource /
+------------------------------------------+
Permissions for /
+------------------------------------------+
admin CREATE, READ, UPDATE, DELETE, EXECUTE
Grant Permission
The permission grant command is used to create a new permission.
To grant a user permission, use the grant action. The following arguments are available to the permission grant command:
| Name | Flag | Description |
| Resource ID | --resource | Indicates the resource REST API path whose permissions are being manipulated. |
| Username | --user | Indicates the user to which access to the resource is being granted. |
| Operations | -o | Indicates the type of permission being granted. Multiple types can be specified using multiple instances of this flag. See the section below for more information on valid operations. |
Operations
The following are valid values for the operations flag when granting a permission:
- create
- read
- update
- delete
- execute
For example:
$ pulp-admin permission grant --resource /repositories/ --user user -o create -o update
Operations ['CREATE', 'UPDATE'] granted to user [ user ] on resource [ /repositories/ ]
Revoke Permission
Revoking permissions works exactly the same as granting, but with the opposite results. The permission revoke command accepts the same arguments as permission grant.
$ pulp-admin permission revoke --resource /repositories/ --user user -o update
Operations ['UPDATE'] revoked from user [ user ] on resource [ /repositories/ ]
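Grants accumulate over time, so the output of permission show is worth reviewing against what each user is expected to hold. The following filter is an added example, not part of Pulp; the function name audit_grants is hypothetical, the row layout is assumed from the sample output on this page, and the sample rows are constructed:

```shell
#!/bin/sh
# Added example, not Pulp code: review `pulp-admin permission show` output.
# Assumption: each data row reads "<principal> <OP>, <OP>, ..." as in the
# sample on this page; the rows below are constructed for illustration.

# audit_grants TRUSTED ALLOWED_OPS  (both space-separated, output on stdin)
# Principals in TRUSTED may hold any operation. For every other principal,
# prints "principal:OP" for each operation outside ALLOWED_OPS.
# Returns 1 if anything was reported, 0 otherwise.
audit_grants() {
    awk -v trusted="$1" -v ops="$2" '
        BEGIN {
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) oktrusted[t[i]] = 1
            n = split(toupper(ops), o, " ")
            for (i = 1; i <= n; i++) okop[o[i]] = 1
        }
        # Skip the +----+ banner lines, the title line and blank lines.
        /^ *[+]-+[+] *$/ || /^ *Permissions for / || NF < 2 { next }
        ($1 in oktrusted) { next }
        {
            for (i = 2; i <= NF; i++) {
                op = $i
                gsub(/,/, "", op)
                if (!(op in okop)) { print $1 ":" op; bad = 1 }
            }
        }
        END { exit bad + 0 }
    '
}

sample_output() {
    cat <<'EOF'
+------------------------------------------+
Permissions for /repositories/
+------------------------------------------+
admin CREATE, READ, UPDATE, DELETE, EXECUTE
hal READ
user CREATE, UPDATE
EOF
}

# Only admin is trusted; everyone else should hold READ at most.
sample_output | audit_grants "admin" "read" || echo "review the grants above"
```

Against a live server the same function would read from `pulp-admin permission show --resource /repositories/` in place of sample_output.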
Roles
In order to efficiently administer permissions, Pulp uses the notion of roles to enable an administrator to grant and revoke permission on a resource to a group of users instead of individually. The role command provides the ability to list the currently defined roles, retrieve information on a role, create/delete roles, and manage user membership in a role.
List Roles
The role list command is used to list the current roles.
$ pulp-admin role list
+------------------------------------------+
Available Roles
+------------------------------------------+
super-users
consumer-users
Role Information
The role info command retrieves detailed information for a role identified by the --role argument.
$ pulp-admin role info --role super-users
+------------------------------------------+
Role Information for super-users
+------------------------------------------+
Name super-users
Users admin
Permissions:
/ CREATE, READ, UPDATE, DELETE, EXECUTE
Create a Role
The role create command creates a new role using the --role argument to indicate its name. Each role must have a unique name.
$ pulp-admin role create --role new-role
Role [ new-role ] created
Delete a Role
The role delete command deletes an existing role.
$ pulp-admin role delete --role new-role
Role [ new-role ] deleted
Add a User to a Role
Users are added to a role using the role add action. The following parameters are required:
| Name | Flag | Description |
| Role | --role | Name of the role; this role must already exist in the Pulp server. |
| Username | --user | Username of the user being added to the role. |
Users are added to an existing role using the role add command:
$ pulp-admin role add --role new-role --user user
[ user ] added to role [ new-role ]
Remove a User from a Role
Users are removed from a role in much the same way as they are added using the role remove command:
$ pulp-admin role remove --role new-role --user user
[ user ] removed from role [ new-role ]
Granting and Revoking Permissions to/from a Role
Permissions can be granted to and revoked from roles just like users. Use the permission grant or permission revoke command as noted above, but pass in the --role flag instead of --user:
$ pulp-admin permission grant --resource /repositories/ --role new-role -o create
Operations ['CREATE'] granted to role [ new-role ] on resource [ /repositories/ ]

$ pulp-admin permission revoke --resource /repositories/ --role new-role -o update
Operations ['UPDATE'] revoked from role [ new-role ] on resource [ /repositories/ ]