Example: Removing security permissions for Teracloud® Streams users

Removing the security permissions for a user might require that you remove role or group permissions in addition to the specific user permissions. This example shows you how to remove the security permissions for a Teracloud® Streams user by removing both specific user permissions and role permissions.

Procedure

  1. Create a Teracloud® Streams domain and instance, and start the domain.
    For example:
    export STREAMS_ZKCONNECT=external-ZooKeeper-connection-string
    streamtool mkdomain -d domain1 --property sws.port=0 --property jmx.port=0
    streamtool genkey -d domain1
    streamtool startdomain -d domain1
    streamtool mkinstance -d domain1 -i instance1 
    For more information about creating domains and instances, see Setting up a Teracloud Streams enterprise domain on multiple resources.
  2. To complete this procedure in the interactive streamtool interface, enter the following command:
    streamtool
    Using the interactive streamtool interface saves you time. Teracloud® Streams caches some command options and information so that you do not have to reenter them. Also, you do not have to specify streamtool before each command. To exit the interactive streamtool interface, enter exit or quit.
  3. Create the Example role.
    mkrole -d domain1 -i instance1 Example
    CDISC0154I The Example role was created for following instance: instance1.  The instance is in the domain1 domain.
  4. Add the user to the Example role.
    You do not have to reenter the domain and instance name on this and subsequent commands because this information is cached.
    adduserrole Example user1
    CDISC0156I The Example role was assigned to the following user: user1. The role applies to the instance1 instance in the domain1 domain.
  5. View the access control list (ACL) for the config instance security object.
    getacl config
    # object: config
    # parent: instance
    # owner: DomainAdministrator
    # persistent: yes
    user:admin1:rw---o
    role:InstanceUser:r-----
    role:DomainAdministrator:rw---o
    role:InstanceAdministrator:rw---o
  6. View the permissions for user1. Note that user1 has no permissions.
    lspermission user1
    application-log:------
    config:------
    hosts:------
    instance:------
    jobgroup_default:------
    jobs:------
    jobs-override:------
    system-log:------
  7. Configure read and write permission on the config instance security object for user1.
    setacl user:user1:rw config
    CDISC0019I The access control list for the instance1 instance in the domain1 domain was updated.
  8. Configure read and write permission on the config instance security object for the Example role.
    setacl role:Example:rw config
    CDISC0019I The access control list for the instance1 instance in the domain1 domain was updated.
  9. View the permissions for user1. Note that user1 has read and write (rw) permission on the config instance security object.
    lspermission user1
    application-log:------
    config:rw----
    hosts:------
    instance:------
    jobgroup_default:------
    jobs:------
    jobs-override:------
    system-log:------
  10. Remove read and write permission on the config instance security object for user1.
    setacl user:user1-rw config
    CDISC0019I The access control list for the instance1 instance in the domain1 domain was updated.
  11. View the permissions for user1. Note that the read and write permission on the config instance security object is not removed for user1, because user1 still receives it through the Example role.
    lspermission user1
    application-log:------
    config:rw----
    hosts:------
    instance:------
    jobgroup_default:------
    jobs:------
    jobs-override:------
    system-log:------
  12. View the ACL on the config instance security object and note that the Example role has read and write permission.
    getacl config
    # object: config
    # parent: instance
    # owner: DomainAdministrator
    # persistent: yes
    user:admin1:rw---o
    role:InstanceUser:r-----
    role:Example:rw----
    role:DomainAdministrator:rw---o
    role:InstanceAdministrator:rw---o
  13. List the instance roles and note that user1 is a member of the Example role.
    lsrole
    Role: Example
      Users: user1
      Groups:
    Role: InstanceAdministrator
      Users: admin1
      Groups:
    Role: InstanceUser
      Users:
      Groups:
  14. Remove read and write permission on the config instance security object for the Example role.
    setacl role:Example-rw config
    CDISC0019I The access control list for the instance1 instance in the domain1 domain was updated.
    
  15. View the permissions for user1. Note that the read and write permission on the config instance security object is now removed for user1.
    lspermission user1
    application-log:------
    config:------
    hosts:------
    instance:------
    jobgroup_default:------
    jobs:------
    jobs-override:------
    system-log:------
  16. To exit the interactive streamtool interface, enter exit or quit.
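
The check that steps 11 through 13 perform by hand, as an added Python example that is not part of the Teracloud® Streams documentation: it parses getacl and lsrole output and lists every ACL entry that still grants a user access, so you can see which entries to remove. Assumptions: several users on a `Users:` line are separated by commas or spaces, and grants through groups are not evaluated because the page does not show group membership.

```python
import re
# Constructed sample input: the getacl and lsrole output shown in steps 12 and 13.
GETACL = """\
# object: config
# parent: instance
# owner: DomainAdministrator
# persistent: yes
user:admin1:rw---o
role:InstanceUser:r-----
role:Example:rw----
role:DomainAdministrator:rw---o
role:InstanceAdministrator:rw---o
"""
LSROLE = """\
Role: Example
  Users: user1
  Groups:
Role: InstanceAdministrator
  Users: admin1
  Groups:
Role: InstanceUser
  Users:
  Groups:
"""

def parse_acl(text):
    """Return (kind, name, perms) tuples from getacl output, skipping '#' headers."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(l.split(":", 2)) for l in lines if l and not l.startswith("#")]

def parse_roles(text):
    """Return {role: set of users} from lsrole output."""
    roles, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Role:"):
            current = line.split(":", 1)[1].strip()
            roles[current] = set()
        elif line.startswith("Users:") and current:
            # Assumption: several users are separated by commas or spaces.
            roles[current].update(u for u in re.split(r"[,\s]+", line[6:]) if u)
    return roles

def grants_for(user, acl, roles):
    """List ACL entries granting `user` access directly or via a role (groups ignored)."""
    hits = []
    for kind, name, perms in acl:
        direct = kind == "user" and name == user
        via_role = kind == "role" and user in roles.get(name, ())
        if (direct or via_role) and perms.strip("-"):  # skip all-dash entries
            hits.append(f"{kind}:{name}:{perms}")
    return hits
```

For user1 the only remaining grant is the `role:Example:rw----` entry, which is the one step 14 removes.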