streamtool lsjobpermission
Usage
lsjobpermission [-d,--domain-id <did>]
[-i,--instance-id <instance>] [-J,--jobgroup
<jobgroup-name>] [-U,--User <user>] [-h,--help]
[--trace <level>] [-v,--verbose <level>] [--zkconnect
{<host>:<port>},... | --embeddedzk]
The streamtool lsjobpermission command lists the permissions that users, groups, and roles have for a specific job group.
Authority
You must have write authority for the config instance object. By default, the DomainAdministrator and InstanceAdministrator roles have this authority. For more information about access control lists, see streamtool getacl.
Description
Streams uses access control lists (ACL) to enforce security. An ACL is composed of the type of object to secure and the actions that a group, user, or role is authorized to perform against the object.
This command lists details the users, groups, and roles that have one or more of the following privileges:
- ALL
- This privilege is equivalent to having add, read, write, search, delete, and own authority for the jobgroup_name instance object.
- DATAREAD
- Receive data from the jobs in the job group. This privilege is equivalent to having read authority for the jobgroup_name instance object.
- DATAWRITE
- Send data to the jobs in the job group. This privilege is equivalent to having write authority for the jobgroup_name instance object.
- JOBCONTROL
- Submit new jobs or stop jobs in the job group. This privilege is equivalent to having add and delete authority for the jobgroup_name instance object.
- OWN
- Change the permissions of the jobs in the job group. This privilege is equivalent to having own authority for the jobgroup_name instance object.
- SUBMIT
- Submit new jobs in the job group. This privilege is equivalent to having add authority for the jobgroup_name instance object.
- CUSTOM
- This privilege is a user-defined combination of permissions. To see details about the permissions for the jobgroup, use the streamtool getacl command.
Options
- -d,--domain-id <did>
- Specifies the domain identifier.
If you do not specify this option, Streams uses the domain name that is set in the STREAMS_DOMAIN_ID environment variable. By default, that domain name is
StreamsDomain. If you are using the interactive streamtool interface, it uses the name of the active domain for the current streamtool session or else it prompts you for the domain name.The active domain for the current streamtool session is set every time that you successfully run a streamtool command with a -d or --domain-id option. Alternatively, you can run the streamtool domain command in the interactive interface.
- --embeddedzk
Specifies to use the embedded copy of ZooKeeper. This option is not supported within the interactive streamtool interface.
If you are not using the interactive streamtool interface and you do not specify either this option or the --zkconnect option, Streams uses the ZooKeeper connection that is associated with the active domain or the domain that is specified in the --domain-id option. Streams determines which connection maps to the domain by using cached information about the domains. In this scenario, if the domain identifier is not unique in the Streams configuration cache, the command fails.
- -h,--help
- Specifies to show the command syntax.
- -i,--instance-id <instance>
- Specifies the instance identifier.
If you do not specify this option, Streams uses the instance identifier that is set in the STREAMS_INSTANCE_ID environment variable. By default, that instance identifier is
StreamsInstance. If you are using the interactive streamtool interface, it tries to use an instance ID that you specified in a previous command. If no such value is found, the command uses the STREAMS_INSTANCE_ID environment variable. Alternatively, you can run the streamtool instance command in the interactive interface. - -J,--jobgroup <jobgroup-name>
- Specifies the job group. If you do not specify this option, the
command uses the following job group:
default. - --trace <level>
- Specifies the trace setting. The following valid levels are
listed in order of increasing verbosity, which is to say that the
first level in the list generates the least amount of information:
offerrorwarninfodebugtrace
off. - -U,--User <user>
- Specifies an Streams user ID that has authority to run the command.
- -v,--verbose <level>
- Specifies to provide more detailed command output. The
verbosity level can be
0-3, where0disables detailed reporting and each increment provides more detailed output. - --zkconnect <{<host>:<port>},...>
The name of one or more host and port pairs that specify the configured ZooKeeper servers. This option is not supported within the interactive streamtool interface.
If you are not using the interactive streamtool interface and you do not specify this option, Streams tries to use:
- The --embeddedzk option
- The value from the STREAMS_ZKCONNECT environment variable
- A ZooKeeper connection string that is derived from cached information about the current domain.
Examples
In the following example, the command returns the access control information for a job group:
[streamtool <bsmith@mydomain.streams>] lsjobpermission -J jobgroup1 # object: jobgroup1 # parent: jobs # owner: bsmith user:owner:ALL user:bsmith:ALL role:testrole:SUBMIT role:InstanceUser:JOBCONTROL,DATAREAD role:DomainAdministrator:ALL role:InstanceAdministrator:ALL default:user:owner:ALL default:user:bsmith:ALL default:role:InstanceUser:JOBCONTROL,DATAREAD default:role:DomainAdministrator:ALL default:role:InstanceAdministrator:ALL
The output provides information about the authority each user and role has for the job group. For example, the "testrole" role has SUBMIT authority for the job group. The "default" permissions identify the set of permissions that are granted to new child objects in this job group when they are created by the specified users, groups, or roles.