14.7. View and manage Permissions via CLI
- View permissions
- Manage permissions
- View the list of objects accessible by a user
- View the list of objects accessible by a group
- Change OWNER property
Cloud Pipeline CLI has to be installed. See 14. Command-line interface (CLI).
View permissions
To view permissions for the object you need READ permission for the object. See 13. Permissions.
Command to list all permissions for a specific object:
pipe view-acl -t|--object-type <Object type> <Object id/name>
Two parameters are required:
- Object type - defines a name of the object class. Possible values: pipeline, folder, data_storage.
- Object id/name - defines a name of an object of a specified class.
Note: full path to the object has to be specified.
In the example below we check permissions for the folder "workfolder/manage-permissions-folder":
pipe view-acl -t folder "workfolder/manage-permissions-folder"
To check permissions for the Data Storage with ID 3976:
pipe view-acl --object-type data_storage 3976
Manage permissions
To manage permissions for the object you need to be an OWNER of that object or you need to have the ADMIN role. See 13. Permissions.
Command to set permissions for the object:
pipe set-acl -t|--object-type <Object type> -s|--sid <User/Group name> [-g|--group] -a|--allow/-d|--deny/-i|--inherit <w>/<x>/<r> <Object id/name>
The following parameters are required:
- Object type - defines a name of the object class. Possible values: pipeline, folder, data_storage.
- User or Group name - defines a name of a user or a group (role) for whom permissions will be set.
  Note: the option -g (or --group) must be specified when permissions are being set for a group (role).
- Allow (-a or --allow), Deny (-d or --deny), Inherit (-i or --inherit) - actions that can be performed with permissions.
- WRITE (w), READ (r) and EXECUTE (x) - the permissions to set.
- Object id or name - defines an ID or name of an object of the specified class to set permissions for.
Note: full path to the object has to be specified if the name is not unique (for Data Storage and Pipeline objects).
Note: permissions and the actions applied to them can be written in the command in any combination. See the examples below.
Example: set permissions for a folder
Here we demonstrate how to set permissions for a folder. You can set permissions for other CP objects in the same way.
In the example below we grant the user USER3 READ access and deny WRITE and EXECUTE access to the directory "workfolder/manage-permissions-folder".
pipe set-acl -t folder -s USER3 -d wx -a r "workfolder/manage-permissions-folder"
Example: set permissions for a pipeline
In the example below we grant the role ROLE_USER READ and WRITE access to the pipeline with ID 5937.
pipe set-acl --object-type pipeline --sid ROLE_USER --group --allow rw 5937
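The rules above (allowed object types, the --group flag for roles, the r/w/x letters) can be checked before a grant is issued. The wrapper below is an added example, not part of Cloud Pipeline or its documentation: it only prints the pipe set-acl line for review. The names build_set_acl, valid_mask and fail, the ROLE_ prefix check, the character allowlist and the one-action-per-permission rule are assumptions of this example.

```shell
# Added example (not Cloud Pipeline code): print a validated `pipe set-acl` line.
# Usage: build_set_acl <type> <user|group> <sid> <allow> <deny> <inherit> <object>
# Use "" for an action that is not needed. Nothing is executed.

valid_mask() {  # "" or a combination of r, w, x with no letter repeated
    case "$1" in *[!rwx]*) return 1 ;; esac
    for p in r w x; do
        case "$1" in *"$p"*"$p"*) return 1 ;; esac
    done
    return 0
}

fail() { echo "build_set_acl: $1" >&2; }

build_set_acl() {
    [ "$#" -eq 7 ] || { fail "expected 7 arguments"; return 2; }
    otype=$1 kind=$2 sid=$3 allow=$4 deny=$5 inherit=$6 object=$7
    case "$otype" in   # object types the page lists for set-acl
        pipeline|folder|data_storage) ;;
        *) fail "unsupported object type: $otype"; return 2 ;;
    esac
    case "$kind:$sid" in
        # Assumption: role names carry the ROLE_ prefix, as in the page's examples.
        user:ROLE_*) fail "$sid looks like a role; use kind 'group'"; return 2 ;;
        user:*)  group_flag="" ;;
        group:*) group_flag=" --group" ;;
        *) fail "kind must be 'user' or 'group'"; return 2 ;;
    esac
    # Example's own allowlist so the printed line cannot be altered by its inputs.
    for v in "$sid" "$object"; do
        case "$v" in
            ""|*[!A-Za-z0-9_./@-]*) fail "unexpected character in: $v"; return 2 ;;
        esac
    done
    for m in "$allow" "$deny" "$inherit"; do
        valid_mask "$m" || { fail "bad permission mask: $m"; return 2; }
    done
    [ -n "$allow$deny$inherit" ] || { fail "no permissions given"; return 2; }
    # Example's own rule: a permission may appear under only one action.
    valid_mask "$allow$deny$inherit" || { fail "permission under two actions"; return 2; }
    printf 'pipe set-acl --object-type %s --sid %s%s%s%s%s "%s"\n' "$otype" "$sid" \
        "$group_flag" "${allow:+ --allow $allow}" "${deny:+ --deny $deny}" \
        "${inherit:+ --inherit $inherit}" "$object"
}
```

Run the printed line only after reviewing it, then confirm the result with pipe view-acl on the same object.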
View the list of objects accessible by a user
To view objects accessible for a user you shall have the ROLE_ADMIN role.
The command to view the full list of objects accessible by a user:
pipe view-user-objects <Username> [OPTIONS]
Where <Username> defines the name of the user for which you wish to view the accessible object list.
Options | Description |
---|---|
Non-required options | |
-t / --object-type <OBJECT_TYPE> | Defines a name of the object class. If specified, the command output will contain only the list of accessible objects of the specific type by a user. Possible values: pipeline, folder, data_storage, configuration, docker_registry, tool, tool_group |
In the example below we'll print the list of objects accessible to the user user3:
pipe view-user-objects user3
In the example below we'll print the list of pipelines accessible to the user demo:
pipe view-user-objects -t pipeline demo
View the list of objects accessible by a group
To view objects accessible for a group you shall have the ROLE_ADMIN role.
The command to view the full list of objects accessible by a user group/role:
pipe view-group-objects <Groupname> [OPTIONS]
Where <Groupname> defines the name of the user group/role for which you wish to view the accessible object list.
Options | Description |
---|---|
Non-required options | |
-t / --object-type <OBJECT_TYPE> | Defines a name of the object class. If specified, the command output will contain only the list of accessible objects of the specific type by a user group. Possible values: pipeline, folder, data_storage, configuration, docker_registry, tool, tool_group |
In the example below we'll print the list of objects accessible to the role ROLE_USER:
pipe view-group-objects ROLE_USER
In the example below we'll print the list of pipelines accessible to the group LIBRARY:
pipe view-group-objects -t pipeline ROLE_LIBRARY
Change OWNER property
Each object has a mandatory OWNER property.
You can change the owner of a Cloud Pipeline object via CLI. Note that to do this you must be the object OWNER or have the ROLE_ADMIN role.
Note: for how to change an object owner via the GUI, see here.
Command to change an owner of the object:
pipe chown <User name> <Object class> <Object id/name>
Three parameters shall be specified:
- User name - defines a user name of a desired object owner.
- Object class - defines a name of the object class. Possible values: data_storage, docker_registry, folder, pipeline, tool, tool_group, configuration.
- Object id/name - defines an ID or name of an object of the specified object class.
Note: full path to the object has to be specified. Paths to Docker registry and Tool objects should include registry IP address.
The example below will change an owner to USER3 for the pipeline with ID 5937:
pipe chown USER3 pipeline 5937