Example: Configuring user access to an enterprise domain and instance by using roles

This example shows how you can use roles to configure user access to a Teracloud® Streams enterprise domain and instance. A role is a set of permissions or access rights. You can create roles or use default roles such as DomainAdministrator, DomainUser, InstanceAdministrator, and InstanceUser.

Before you begin

Create an enterprise domain.

About this task

Teracloud® Streams checks authority and manages permissions for all of the domain and instance objects at the domain level. Role information is stored in Apache ZooKeeper. You can assign roles to users or groups of users. You can then secure domain or instance objects by setting the permissions for the role in a Teracloud® Streams access control list (ACL).

Procedure

  1. To complete this procedure in the interactive streamtool interface, enter the following command:
        streamtool  
    Using the interactive streamtool interface saves you time. Teracloud® Streams caches some command options and information so that you do not have to reenter them. Also, you do not have to specify streamtool before each command. To exit the interactive streamtool interface, enter exit or quit.
  2. Start the enterprise domain.
    You are prompted to provide an LDAP user ID and password, which must have the necessary authority to run the command.
    For example:
    startdomain -d testerdomain
    CDISA0064I Starting authorization service.
    User:tester
    Password:********
    CDISA0021I Starting domain testerdomain.
    ...
  3. To view the roles in the domain, use the streamtool lsdomainrole command.

    When you create an enterprise domain, Teracloud® Streams creates the DomainAdministrator and DomainUser roles. By default, the domain owner is added to the DomainAdministrator role.

    For example:
    lsdomainrole
    Role: DomainAdministrator
      Users: tester
      Groups: 
    Role: DomainUser
      Users: 
      Groups:
  4. To assign a role to another user, use the streamtool adduserdomainrole command.
    For example:
    adduserdomainrole DomainAdministrator frank
    User:tester
    Password:********
    CDISC0150I Role DomainAdministrator for domain testerdomain has been assigned to user frank.
    
    Any user can log in to the domain but might not have permission to perform certain operations.
    In this case, the user frank is a domain administrator, and has the authority to access the testerdomain domain and run commands that require administrator authority, such as the following command:
    lsdomainrole
    User:frank
    Password:********
    Role: DomainAdministrator
      Users: frank,tester
      Groups: 
    Role: DomainUser
      Users: 
      Groups:
  5. To list all of the access control lists in the domain, users who have the DomainAdministrator role can use the streamtool lsdomainacl command.
    For example:
    lsdomainacl -U tester
    User tester password:********
    # object: applications
    # parent: domain
    # owner: nobody
    # persistent: yes
    user:bsmith:--sa-o
    role:DomainAdministrator:--sa-o
    default:user:owner:rw--do
    default:user:bsmith:rw--do
    default:role:DomainAdministrator:rw--do
    # object: charts
    # parent: domain
    # owner: nobody
    # persistent: yes
    user:bsmith:--sa-o
    role:DomainAdministrator:--sa-o
    default:user:owner:rw--do
    default:user:bsmith:rw--do
    default:role:DomainAdministrator:rw--do
    # object: config
    ...
  6. To assign a user to the DomainUser role, use the streamtool adduserdomainrole command.
    For example:
    adduserdomainrole DomainUser wilriker
    CDISC0150I Role DomainUser for domain testerdomain has been assigned to user wilriker.
    If a user with the DomainUser role tries to stop the domain, the command fails.
    For example:
    stopdomain -d testerdomain -U wilriker
    User wilriker password:********
    CDISA5058E User wilriker is not authorized to stop domain testerdomain.
  7. To list the permissions that a user has for objects in the domain, users with the DomainAdministrator role can use the streamtool lsdomainpermission command.
    For example, the user frank can list the permissions that the user wilriker has in the domain by entering the following command:
    lsdomainpermission wilriker -U frank
    User frank password:********
    applications:------
    charts:------
    config:------
    domain:--s---
    hosts:------
    instances:------
    system-log:------
    views:------
    The user frank can also list his own permissions for objects in the domain as shown in the following example:
    lsdomainpermission frank -U frank
    applications:--sa-o
    charts:--sa-o
    config:rw---o
    domain:rws-do
    hosts:rwsado
    instances:--sa-o
    system-log:rws--o
    views:--sa-o
  8. To create an instance, use the streamtool mkinstance command.
    For example, the user frank can create an instance by using the following command:
    mkinstance -i testerinstance 
    CDISA0026I Creating instance testerinstance in domain testerdomain.
    CDISA0027I Instance testerinstance created in domain testerdomain successfully.
  9. To view the roles in the instance, use the streamtool lsrole command.

    When an instance is created, Teracloud® Streams creates the InstanceAdministrator and InstanceUser roles. By default, the instance owner is added to the InstanceAdministrator role.

    For example:
    lsrole
    Role: InstanceAdministrator
      Users: frank
      Groups: 
    Role: InstanceUser
      Users: 
      Groups: 
  10. To list all of the access control lists in the instance, users who have the InstanceAdministrator or DomainAdministrator role can use the streamtool lsacl command.
    For example:
    lsacl
    # object: application-log
    # parent: instance
    # owner: nobody
    # persistent: yes
    user:frank:rws--o
    user:bsmith:rws---
    role:DomainAdministrator:rws--o
    role:InstanceAdministrator:rws--o
    # object: applications
    # parent: instance
    # owner: nobody
    # persistent: yes
    user:frank:--sa-o
    role:DomainAdministrator:--sa-o
    role:InstanceAdministrator:--sa-o
    default:user:frank:rw--do
    default:user:owner:rw--do
    default:role:DomainAdministrator:rw--do
    default:role:InstanceAdministrator:rw--do
    # object: charts
    ...
    
  11. To assign a role to another user, the instance administrator can use the streamtool adduserrole command.
    In the following example, the user frank adds the user wilriker to the InstanceAdministrator role:
    adduserrole -i testerinstance -d testerdomain InstanceAdministrator wilriker
    CDISC0156I Role InstanceAdministrator for instance testerinstance in domain testerdomain has been assigned to user wilriker.
  12. To view the roles in the instance, use the streamtool lsrole command.
    For example:
    lsrole
    Role: InstanceAdministrator
      Users: frank,wilriker
      Groups: 
    Role: InstanceUser
      Users: 
      Groups: 
  13. To start the instance, an administrator can use the streamtool startinstance command.
    An administrator is a user who has either the DomainAdministrator or InstanceAdministrator role. Only an administrator can start or stop an instance.
    In the following example, the instance owner frank starts the instance by entering the following command:
    startinstance -i testerinstance -d testerdomain -U frank
    CDISA0030I Starting instance testerinstance in domain testerdomain.
    ...
    CDISA0031I Instance testerinstance started successfully in domain testerdomain.
    
    The user wilriker, who has the InstanceAdministrator role, can also start the instance with the following command:
    startinstance -i testerinstance -d testerdomain -U wilriker
    CDISA0030I Starting instance testerinstance in domain testerdomain.
    ...
    CDISA0031I Instance testerinstance started successfully in domain testerdomain.
    
    The user tester, who has the DomainAdministrator role, can stop the instance with the following command:
    stopinstance -i testerinstance -d testerdomain -U tester
    User tester password:********
    CDISA0032I Stopping instance testerinstance in domain testerdomain.
    ...
    CDISA0033I Instance testerinstance stopped successfully in domain testerdomain.
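The listings produced in steps 5, 7 and 10 are what an administrator would review when checking that roles and ACLs grant no more than intended. The following Python script is an added example, not part of the Teracloud Streams documentation: it parses the lsdomainacl/lsacl and lsdomainpermission output formats shown above, reports which principals hold a given permission flag on each object, and compares a user's permission listing against an allowed baseline. The sample ACL text is constructed for the example (the entries under the config object are invented, as the page elides them), and the six-character permission field is treated as positional flags whose letters are reported as-is, because the page does not define what each letter means.

```python
"""Access-review helpers for streamtool ACL and permission listings.

Added example, not Teracloud Streams code. Parses the text formats shown by
lsdomainacl/lsacl and lsdomainpermission; each six-character permission field
is treated as positional flags whose letters are reported as-is (no meaning
is assigned to individual letters here).
"""
from dataclasses import dataclass, field

# Constructed sample in the lsdomainacl/lsacl format. The "applications"
# object is copied from the page; the "config" entries are invented.
ACL_SAMPLE = """\
# object: applications
# parent: domain
# owner: nobody
# persistent: yes
user:bsmith:--sa-o
role:DomainAdministrator:--sa-o
default:user:owner:rw--do
default:user:bsmith:rw--do
default:role:DomainAdministrator:rw--do
# object: config
# parent: domain
# owner: nobody
# persistent: yes
role:DomainAdministrator:rw---o
"""

# lsdomainpermission output for a DomainUser, as shown on the page for wilriker.
DOMAINUSER_SAMPLE = """\
applications:------
charts:------
config:------
domain:--s---
hosts:------
instances:------
system-log:------
views:------
"""


@dataclass
class AclEntry:
    principal_type: str   # "user" or "role"
    principal: str
    perms: str            # six positional flags, "-" meaning not set
    is_default: bool      # "default:" entries are inherited by child objects


@dataclass
class AclObject:
    name: str
    parent: str = ""
    owner: str = ""
    persistent: bool = False
    entries: list = field(default_factory=list)


def flags(perms: str) -> set:
    """Letters set in a permission field, e.g. '--sa-o' -> {'s', 'a', 'o'}."""
    return {c for c in perms if c != "-"}


def parse_acl_listing(text: str) -> list:
    """Parse lsdomainacl/lsacl output into a list of AclObject records."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # "# key: value" header
            key, _, value = line.lstrip("# ").partition(":")
            key, value = key.strip(), value.strip()
            if key == "object":
                current = AclObject(name=value)
                objects.append(current)
            elif current is None:
                raise ValueError(f"header before any object: {raw!r}")
            elif key == "parent":
                current.parent = value
            elif key == "owner":
                current.owner = value
            elif key == "persistent":
                current.persistent = value == "yes"
            continue
        if current is None:
            raise ValueError(f"ACL entry before any object header: {raw!r}")
        parts = line.split(":")                        # [default:]type:name:perms
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) != 3 or parts[0] not in ("user", "role") or len(parts[2]) != 6:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        current.entries.append(AclEntry(parts[0], parts[1], parts[2], is_default))
    return objects


def principals_with_flag(objects: list, flag: str, include_defaults: bool = False) -> dict:
    """Map object name -> sorted 'type:name' principals whose entry sets `flag`."""
    result = {}
    for obj in objects:
        hits = sorted(f"{e.principal_type}:{e.principal}" for e in obj.entries
                      if (include_defaults or not e.is_default) and flag in flags(e.perms))
        if hits:
            result[obj.name] = hits
    return result


def parse_permission_listing(text: str) -> dict:
    """Parse lsdomainpermission output ('object:flags' lines) into a dict."""
    perms = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, bits = line.rpartition(":")
        if not sep or len(bits) != 6:
            raise ValueError(f"unrecognised permission line: {raw!r}")
        perms[name] = bits
    return perms


def excess_flags(actual: dict, allowed: dict) -> dict:
    """Per object, the flags held beyond the allowed baseline (sorted letters).
    Objects absent from `allowed` are treated as allowing nothing."""
    excess = {}
    for name, perms in actual.items():
        extra = flags(perms) - flags(allowed.get(name, "------"))
        if extra:
            excess[name] = "".join(sorted(extra))
    return excess


if __name__ == "__main__":
    objs = parse_acl_listing(ACL_SAMPLE)
    print("principals with 'w', including inherited defaults:",
          principals_with_flag(objs, "w", include_defaults=True))
    baseline = parse_permission_listing(DOMAINUSER_SAMPLE)
    admin = parse_permission_listing("domain:rws-do\nconfig:rw---o\n")
    print("flags beyond the DomainUser baseline:", excess_flags(admin, baseline))
```

In practice the text fed to these functions would be captured from the streamtool commands in steps 5 and 7 (for example, redirecting `lsdomainacl -U tester` output to a file); keeping the DomainUser listing from step 7 as the baseline makes it easy to spot any user whose permissions have drifted beyond that role.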