Arvados Docs
  1. Topics
    1. Arvados admin overview
  2. Users and Groups
    1. User management
    2. User management at the CLI
    3. Role group management at the CLI
    4. Reassign user data ownership
    5. Link user accounts
    6. Configuring federation
    7. Migrating users to federated accounts
    8. Changing upstream login providers
    9. Synchronizing from external sources
    10. Securing API access with scoped tokens
    11. Automatic logout and token expiration
  3. Monitoring
    1. Logging
    2. Metrics
    3. Health checks
    4. Inspecting active requests
    5. Diagnostics
    6. Management token
    7. User activity report
  4. Data Management
    1. Configuring collection versioning
    2. Configuring collection's managed properties
    3. Restricting upload or download
    4. Balancing Keep servers
    5. Preventing container reuse
    6. Logs table management
    7. Metadata vocabulary
    8. Configuring storage classes
    9. Recovering data
    10. Measuring deduplication
    11. Faster garbage collection in S3
  5. Cloud
    1. Using Preemptible instances
    2. Testing cloud configuration

User management at the CLI

Initial setup

ARVADOS_API_HOST=pirca.arvadosapi.com
ARVADOS_API_TOKEN=1234567890qwertyuiopasdfghjklzxcvbnm1234567890zzzz

In these examples, zzzzz-tpzed-3kz0nwtjehhl0u4 is the sample user account. Replace with the uuid of the user you wish to manipulate.

See user management for an overview of how to use these commands.

Setup a user

This creates a default git repository and VM login. Enables user to self-activate using Workbench.

$ arv user setup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4

Deactivate user

$ arv user unsetup --uuid zzzzz-tpzed-3kz0nwtjehhl0u4

When deactivating a user, you may also want to reassign ownership of their data .

Directly activate user

$ arv user update --uuid "zzzzz-tpzed-3kz0nwtjehhl0u4" --user '{"is_active":true}'

Note: this bypasses user agreements checks, and does not set up the user with a default git repository or VM login.

Create a token for a user

As an admin, you can create tokens for other users.

$ arv api_client_authorization create --api-client-authorization '{"owner_uuid": "zzzzz-tpzed-fr97h9t4m5jffxs"}'
{
 "kind":"arvados#apiClientAuthorization",
 "etag":"9yk144t0v6cvyp0342exoh2vq",
 "uuid":"zzzzz-gj3su-yyyyyyyyyyyyyyy",
 "owner_uuid":"zzzzz-tpzed-fr97h9t4m5jffxs",
 "created_at":"2020-03-12T20:36:12.517375422Z",
 "modified_by_user_uuid":null,
 "modified_at":null,
 "api_token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
 "created_by_ip_address":null,
 "expires_at":null,
 "last_used_at":null,
 "last_used_by_ip_address":null,
 "scopes":["all"]
}

To get the token string, combine the values of uuid and api_token in the form “v2/$uuid/$api_token”. In this example the string that goes in ARVADOS_API_TOKEN would be:

ARVADOS_API_TOKEN=v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Delete a single token

As a user or admin, if you need to revoke a specific, known token, for example a token that may have been leaked to an unauthorized party, you can delete it at the command line.

First, determine the token UUID. If it is a “v2” format token (starts with “v2/”) then the token UUID is middle section between the two slashes. For example:

v2/zzzzz-gj3su-yyyyyyyyyyyyyyy/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

the UUID is “zzzzz-gj3su-yyyyyyyyyyyyyyy” and you can skip to the next step.

If you have a “bare” token (only the secret part) then, as an admin, you need to query the token to get the uuid:

$ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv --format=uuid api_client_authorization current
zzzzz-gj3su-yyyyyyyyyyyyyyy

Now you can delete the token:

$ ARVADOS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx arv api_client_authorization delete --uuid zzzzz-gj3su-yyyyyyyyyyyyyyy

Delete all tokens belonging to a user

First, obtain a valid token for the user.

Then, use that token to get all the user’s tokens, and delete each one:

$ ARVADOS_API_TOKEN=xxxxtoken-belonging-to-user-whose-tokens-will-be-deletedxxxxxxxx ; \
for uuid in $(arv --format=uuid api_client_authorization list) ; do \
arv api_client_authorization delete --uuid $uuid ; \
done

Adding Permissions

VM login

Give $user_uuid permission to log in to $vm_uuid as $target_username and make sure that $target_username is a member of the docker group

user_uuid=xxxxxxxchangeme
vm_uuid=xxxxxxxchangeme
target_username=xxxxxxxchangeme

read -rd $'\000' newlink <<EOF; arv link create --link "$newlink"
{
"tail_uuid":"$user_uuid",
"head_uuid":"$vm_uuid",
"link_class":"permission",
"name":"can_login",
"properties":{"username":"$target_username", "groups": [ "docker" ]}
}
EOF
Previous: User management Next: Role group management at the CLI

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.