The Command Line Interpreter (CLI) drives the admin and review APIs, allowing ad-hoc RBAC setup and interrogation. More info in the README.
This document also resides here: README-CLI.
PREREQUISITES
Completed the setup described: README-QUICKSTART
GETTING STARTED
THE COMMAND SYNTAX:
cli entity operation --arg1 --arg2 ... WHERE CLI EXECUTES A PACKAGE SCRIPT THAT MAPS TO THIS MODULE:
pyfortress.test.cliTHE ENTITY IS (PICK ONE)
user
role
object
perm
(These are source pointers to their locations in github)
The operation is (pick one):
add
mod
del
assign
deassign
grant
revoke
read
search
(These are just meta tags)
ARGUMENT FORMAT
Consists of two dashes ‘- -‘ plus the attribute name and value pair, with a space between them.
--attribute_name valueif an attribute value contains white space, enclose in single ‘ ‘ or double tics ” “.
--attribute_name 'some value' --attribute_name2 "still more values"For example, a perm grant:
$ cli perm grant --obj_name myobj --op_name add --role 'my role'This command invokes Python’s runtime with the program name, cli.py, followed by an entity type, operation name and multiple name-value pairs.
The above used –role is the only argument that isn’t an entity attribute name. It’s used on user assign, deassign, perm grant, revoke operations.
ARGUMENTS AS LISTS
For multi-occurring attributes, pass in as a list of string values, separated by whitespace
THE FOLLOWING ARGUMENTS ARE LISTS
—phones
--phones '+33 401 851 4679' '1-212-251-1111' '(028) 9024 6609'–mobiles
--mobiles ' 017x-1234567' '+44 020 7234 3456' '1-212-650-9632'–emails
--emails 'f.lst@somewhere.com' 'myaccount@gmail.com' 'myworkaccount@company.com'–props
--props 'name1:value1', 'name2:value2', 'name3:value3'each value contains a name:value pair
ARGUMENTS AS CONSTRAINT
Both the user and role entity support adding temporal constraint.
THE FOLLOWING ARGUMENTS COMPRISE A SINGLE CONSTRAINT
–-name : label for user, i.e uid
--name foo3For users, this can be any safe text. For role, it must already be passed in, with the role’s name.
–timeout : 99 – set the integer timeout that contains max time (in minutes) that entity may remain inactive.
--timeout 3030 minutes –begin_time : HHMM – determines begin hour entity may be activated.
--begin_time 09009:00 am — end_time : HHMM – determines end hour when entity is no longer allowed to activate.
--end_time 235911:59 pm –begin_date : YYYYMMDD – determines date when entity may be activated.
--begin_date 20150101Jan 1, 2015 –end_date : YYMMDD – indicates latest date entity may be activated.
--end_date 20191231Dec 31, 2019 –begin_lock_date : YYYYMMDD – determines beginning of enforced inactive status
--begin_lock_date 20180602Jun 2, 2018 –end_lock_date : YYMMDD – end of enforced inactive status.
--end_lock_date 20180610Jun 10, 2018 –day_mask : 1234567, 1 = Sunday, 2 = Monday, etc – day of week entity may be activated.
--day_mask 1246Sun, Mon, Wed, Fri
all together
cli user mod --uid someuser --name anysafetext --timeout 30 --begin_time 0900 --end_time 2359 --begin_date 20150101 --end_date 20191231 --begin_lock_date 20180602 --end_lock_date 20180610 --day_mask 1246
cli role add --name manager --description 'manager works 8-5, M-F' --timeout 10 --begin_time 0800 --end_time 1700 --begin_date 20100101 --end_date none --day_mask 1246
A Few Tips More
These commands have a one-to-one mapping to the admin and review APIs. For example, the perm grant command maps to the admin_mgr.grant function and perm search –uid calls review_mgr.user_perms.
The description of the commands, including required arguments, can be inferred via the api doc inline to the admin_mgr and review_mgr modules.
The program output echos the inputted arguments and the results.
EXAMPLES
Two sections, one each for admin and review commands. They’re not real-world use cases but include what’s currently working although this code is, how to say it, fresh.
ADMIN MGR
a. user add
$ cli user add --uid chorowitz --password 'secret' --description 'added with py-fortress cli'
uid=chorowitz
description=added with py-fortress cli
user add
successb. user mod
$ cli user mod --uid chorowitz --l my location --ou my-ou --department_number 123
uid=chorowitz
department_number=123
l=my location
ou=my-ou
user mod
successc. user del
$ cli user del --uid chorowitz
uid=chorowitz
user del
successd. user assign
$ cli user assign --uid chorowitz --role account-mgr
uid=chorowitz
role name=account-mgr
user assign
successe. user deassign
$ cli user deassign --uid chorowitz --role account-mgr
uid=chorowitz
role name=account-mgr
user deassign
successf. role add
$ cli role add --name account-mgr
name=account-mgr
role add
successg. role mod
$ cli role mod --name account-mgr --description 'this desc is optional'
description=cli test role
name=account-mgr
role mod
successh. role del
$ cli role del --name account-mgr
name=account-mgr
role del
successi. object add
$ cli object add --obj_name page456
obj_name=page456
object add
successj. object mod
$ cli object mod --obj_name page456 --description 'optional arg' --ou 'another optional arg'
obj_name=page456
ou=another optional arg
description=optional arg
object mod
successk. object del
$ cli object del --obj_name page789
obj_name=page789
object del
successl. perm add
$ cli perm add --obj_name page456 --op_name read
obj_name=page456
op_name=read
perm add
successm. perm mod
$ cli perm mod --obj_name page456 --op_name read --description 'useful for human readable perm name'
obj_name=page456
op_name=read
description=useful for human readable perm name
perm mod
successn. perm del
$ cli perm del --obj_name page456 --op_name search
obj_name=page456
op_name=search
perm del
successo. perm grant
$ cli perm grant --obj_name page456 --op_name update --role account-mgr
obj_name=page456
op_name=update
role name=account-mgr
perm grant
successp. perm revoke
$ cli perm revoke --obj_name page456 --op_name update --role account-mgr
obj_name=page456
op_name=update
role name=account-mgr
perm revoke
successREVIEW MGR
a. user read
$ cli user read --uid chorowitz
uid=chorowitz
user read
chorowitz
uid: chorowitz
dn: uid=chorowitz,ou=People,dc=example,dc=com
roles: ['account-mgr']
...
*************** chorowitz *******************
successb. user search
$ cli user search --uid c
uid=c
user search
c*:0
uid: canders
dn: uid=canders,ou=People,dc=example,dc=com
roles: ['csr', 'tester']
...
*************** c*:0 *******************
c*:1
uid: cedwards
dn: uid=cedwards,ou=People,dc=example,dc=com
roles: ['manager', 'trainer']
...
*************** c*:1 *******************
c*:2
uid: chandler
dn: uid=chandler,ou=People,dc=example,dc=com
roles: ['auditor']
...
*************** c*:2 *******************
c*:3
uid: chorowitz
dn: uid=chorowitz,ou=People,dc=example,dc=com
roles: ['account-mgr']
...
*************** c*:3 *******************
successc. role read
$ cli role read --name account-mgr
name=account-mgr
role read
account-mgr
dn: cn=account-mgr,ou=Roles,dc=example,dc=com
members: ['uid=cli-user2,ou=People,dc=example,dc=com', 'uid=chorowitz,ou=People,dc=example,dc=com']
internal_id: 5c189235-41b5-4e59-9d80-dfd64d16372c
name: account-mgr
constraint: <model.constraint.Constraint object at 0x7fc250bd9e10>
Role Constraint:
raw: account-mgr$0$$$$$$$
timeout: 0
name: account-mgr
*************** account-mgr *******************
successd. role search
$ cli role search --name py-
name=py-
role search
py-*:0
dn: cn=py-role-0,ou=Roles,dc=example,dc=com
description: py-role-0 Role
constraint: <model.constraint.Constraint object at 0x7f17e8745f60>
members: ['uid=py-user-0,ou=People,dc=example,dc=com', 'uid=py-user-1,ou=People,dc=example,dc=com', ... ]
internal_id: 04b82ce3-974b-4ff5-ad21-b19ecca57722
name: py-role-0
*************** py-*:0 *******************
py-*:1
dn: cn=py-role-1,ou=Roles,dc=example,dc=com
description: py-role-1 Role
constraint: <model.constraint.Constraint object at 0x7f17e8733128>
members: ['uid=py-user-8,ou=People,dc=example,dc=com', 'uid=py-user-9,ou=People,dc=example,dc=com']
internal_id: 70524da8-3be6-4372-a606-d8175e2ca63b
name: py-role-1
*************** py-*:1 *******************
py-*:2
dn: cn=py-role-2,ou=Roles,dc=example,dc=com
description: py-role-2 Role
constraint: <model.constraint.Constraint object at 0x7f17e87332b0>
members: ['uid=py-user-3,ou=People,dc=example,dc=com', 'uid=py-user-5,ou=People,dc=example,dc=com', 'uid=py-user-7,ou=People,dc=example,dc=com']
internal_id: d1b9da70-9302-46c3-b21b-0fc45b863155
name: py-role-2
*************** py-*:2 *******************
...
successe. object read
$ cli object read --obj_name page456
obj_name=page456
object read
page456
description: optional arg
dn: ftObjNm=page456,ou=Perms,dc=example,dc=com
internal_id: 1635cb3b-d5e2-4fcb-b61a-b8e91437e536
obj_name: page456
ou: another optional arg
successf. object search
$ cli object search --obj_name page
obj_name=page
object search
page*:0
props:
obj_name: page456
description: optional arg
dn: ftObjNm=page456,ou=Perms,dc=example,dc=com
ou: another optional arg
internal_id: 1635cb3b-d5e2-4fcb-b61a-b8e91437e536
page*:1
obj_name: page123
description: optional arg
dn: ftObjNm=page123,ou=Perms,dc=example,dc=com
ou: another optional arg
internal_id: a823ef98-7be4-4f49-a805-83bfef5a0dfb
successg. perm read
$ cli perm read --obj_name page456 --op_name read
op_name=read
obj_name=page456
perm read
page456.read
internal_id: 0dc55181-968e-4c60-8755-e20fa1ce017d
dn: ftOpNm=read,ftObjNm=page456,ou=Perms,dc=example,dc=com
abstract_name: page456.read
description: useful for human readable perm name
obj_name: page456
op_name: read
successh. perm search
$ cli perm search --obj_name page
obj_name=page
perm search
page*.*:0
abstract_name: page456.read
op_name: read
internal_id: 0dc55181-968e-4c60-8755-e20fa1ce017d
obj_name: page456
dn: ftOpNm=read,ftObjNm=page456,ou=Perms,dc=example,dc=com
description: useful for human readable perm name
page*.*:1
roles: ['account-mgr']
abstract_name: page456.update
op_name: update
internal_id: 626bca86-014b-4186-83a6-a583e39868a1
obj_name: page456
dn: ftOpNm=update,ftObjNm=page456,ou=Perms,dc=example,dc=com
page*.*:2
roles: ['account-mgr']
abstract_name: page456.delete
op_name: delete
internal_id: 6c2fa5fc-d7c3-4e85-ba7f-5e514ca4263f
obj_name: page456
dn: ftOpNm=delete,ftObjNm=page456,ou=Perms,dc=example,dc=com
successi. perm search (by role)
$ cli perm search --role account-mgr
perm search
account-mgr:0
abstract_name: page456.update
obj_name: page456
op_name: update
roles: ['account-mgr']
dn: ftOpNm=update,ftObjNm=page456,ou=Perms,dc=example,dc=com
internal_id: 626bca86-014b-4186-83a6-a583e39868a1
account-mgr:1
abstract_name: page456.delete
obj_name: page456
op_name: delete
roles: ['account-mgr']
dn: ftOpNm=delete,ftObjNm=page456,ou=Perms,dc=example,dc=com
internal_id: 6c2fa5fc-d7c3-4e85-ba7f-5e514ca4263f
successj. perm search (by user)
$ cli perm search --uid chorowitz
perm search
chorowitz:0
dn: ftOpNm=update,ftObjNm=page456,ou=Perms,dc=example,dc=com
internal_id: 626bca86-014b-4186-83a6-a583e39868a1
roles: ['account-mgr']
abstract_name: page456.update
obj_name: page456
op_name: update
chorowitz:1
dn: ftOpNm=delete,ftObjNm=page456,ou=Perms,dc=example,dc=com
internal_id: 6c2fa5fc-d7c3-4e85-ba7f-5e514ca4263f
roles: ['account-mgr']
abstract_name: page456.delete
obj_name: page456
op_name: delete
successEND
Comments