streamtool lsdomainpermission
Usage
lsdomainpermission [-d,--domain-id <did>]
[-U,--User <user>] [-h,--help] [--trace <level>]
[-v,--verbose <level>] [--zkconnect
{<host>:<port>},... | --embeddedzk]
<principal>
The streamtool lsdomainpermission command lists the permissions that a user, group, or role has for domain security objects.
Authority
You must have write authority for the config domain object. By default, the DomainAdministrator role has this authority.
Description
Streams uses ACLs to enforce security. An ACL is composed of the type of object to secure and the actions that a group or user is authorized to perform against the object. Streams objects are hierarchical in nature, in that some objects are included by other objects. These relationships are sometimes referred to as parent and child relationships between the objects.
This command returns information about each of the domain security objects and the authority that the principal has for each of those objects. A principal can be a user, group, or role.
If the principal is a user, the command considers the groups and roles that the user belongs to when it calculates the authority that a user has for each security object. Likewise, if the principal is a group, the command also considers the roles that the group belongs to.
You can obtain similar information by running the streamtool lsdomainacl command or by running the streamtool getdomainacl command for each domain object, though those commands list the users, groups, and roles separately.
See also
streamtool lspermission
Options
- -d,--domain-id <did>
- Specifies the domain identifier.
If you do not specify this option, Streams uses the domain name that is set in the STREAMS_DOMAIN_ID environment variable. By default, that domain name is StreamsDomain. If you are using the interactive streamtool interface, it uses the name of the active domain for the current streamtool session or else it prompts you for the domain name. The active domain for the current streamtool session is set every time that you successfully run a streamtool command with a -d or --domain-id option. Alternatively, you can run the streamtool domain command in the interactive interface.
- --embeddedzk
Specifies to use the embedded copy of ZooKeeper. This option is not supported within the interactive streamtool interface.
If you are not using the interactive streamtool interface and you do not specify either this option or the --zkconnect option, Streams uses the ZooKeeper connection that is associated with the active domain or the domain that is specified in the --domain-id option. Streams determines which connection maps to the domain by using cached information about the domains. In this scenario, if the domain identifier is not unique in the Streams configuration cache, the command fails.
- -h,--help
- Specifies to show the command syntax.
- --trace <level>
- Specifies the trace setting. The following valid levels are
listed in order of increasing verbosity, which is to say that the
first level in the list generates the least amount of information:
off
error
warn
info
debug
trace
off.
- -U,--User <user>
- Specifies a Streams user ID that has authority to run the command.
- -v,--verbose <level>
- Specifies to provide more detailed command output. The verbosity level can be 0-3, where 0 disables detailed reporting and each increment provides more detailed output.
- --zkconnect <{<host>:<port>},...>
The name of one or more host and port pairs that specify the configured ZooKeeper servers. This option is not supported within the interactive streamtool interface.
If you are not using the interactive streamtool interface and you do not specify this option, Streams tries to use:
- The --embeddedzk option
- The value from the STREAMS_ZKCONNECT environment variable
- A ZooKeeper connection string that is derived from cached information about the current domain.
Arguments
- principal
- Specifies the principal. It must have the format type:name. The type can be u, user, g, group, r, or role. If you do not specify the type, it has a default value of user. The name is the name of a user, group, or role.
Examples
In the following example, the command returns the access control information for the user bsmith:
[streamtool <?@StreamsDomain.StreamsInstance> lsdomainpermission u:bsmith
config:rw---o
domain:rws-do
hosts:rwsado
instances:--sa-o
system-log:rws--o
The command output indicates that the user has search (s), add (a), and own (o) authority for instances, for example.
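The following Python example is added here and is not part of the product documentation. It parses the output shown above into named authorities for an access review, assuming the six positions always appear in the order rwsado (inferred from the sample output) and that r, w, and d stand for read, write, and delete (the page expands only s, a, and o).

```python
# Added example: parse `streamtool lsdomainpermission` output for an access review.
FLAG_ORDER = "rwsado"  # position order inferred from the page's sample "hosts:rwsado"
FLAG_NAMES = {
    "r": "read", "w": "write", "d": "delete",   # assumed expansions, not given on the page
    "s": "search", "a": "add", "o": "own",      # expansions given on the page
}

# Output copied from the page's example for user bsmith.
SAMPLE = """\
config:rw---o
domain:rws-do
hosts:rwsado
instances:--sa-o
system-log:rws--o
"""


def parse_permissions(text):
    """Return {object: set of authority names}; reject malformed lines."""
    perms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj, sep, flags = line.rpartition(":")
        if not sep or len(flags) != len(FLAG_ORDER):
            raise ValueError(f"unexpected line: {line!r}")
        granted = set()
        for expected, actual in zip(FLAG_ORDER, flags):
            if actual == expected:
                granted.add(FLAG_NAMES[expected])
            elif actual != "-":
                raise ValueError(f"unexpected flag {actual!r} in {line!r}")
        perms[obj] = granted
    return perms


def objects_with(perms, authority):
    """List the objects on which the principal holds the given authority."""
    return sorted(obj for obj, granted in perms.items() if authority in granted)


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE)
    for obj in sorted(perms):
        print(f"{obj:12} {', '.join(sorted(perms[obj])) or '(none)'}")
    # Write on config is the authority the page requires for this command itself.
    print("write:", objects_with(perms, "write"))
```

A principal that appears in the write list for config can run lsdomainpermission itself, so that entry is the first one to check when reviewing who can enumerate domain permissions.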