Add Roles to User via PachCTL

Before You Start #

You must have an active Enterprise key
You must have TLS enabled on your cluster
You must have an Authentication Provider (IdP) set up
- Auth0
- Okta
Review the Access Control (RBAC) Roles & Permissions.
Confirm you have the right role(s) to grant a user access to a given resource (e.g., you have the projectOwner role on a given project you wish to add other users to)

Tip

You can check your current roles and permissions on a given project by running the following:

pachctl auth check project <project-name>

Roles: [projectOwner]
Permissions: [REPO_READ REPO_INSPECT_COMMIT REPO_LIST_COMMIT REPO_LIST_BRANCH REPO_LIST_FILE REPO_INSPECT_FILE REPO_ADD_PIPELINE_READER REPO_REMOVE_PIPELINE_READER PIPELINE_LIST_JOB REPO_WRITE REPO_DELETE_COMMIT REPO_CREATE_BRANCH REPO_DELETE_BRANCH REPO_ADD_PIPELINE_WRITER REPO_MODIFY_BINDINGS REPO_DELETE PROJECT_LIST_REPO PROJECT_CREATE_REPO PROJECT_DELETE PROJECT_MODIFY_BINDINGS]

How to Assign Roles to a User #

As Root Admin #

This guide assumes resources (projects, repositories) have already been created in your cluster.

Note

You can skip steps 2 and 3 if you are using the MockIdP connector and just want to explore/practice, as you are already logged in as the admin user. Even though you can assign permissions to new users in MockIdP, you cannot log in as them.

Open your terminal.
Connect as the root user using the following command:
```
pachctl auth use-auth-token
```
Input your root token. If you did not initially set a pachd.rootToken or pachd.rootTokenSecretName in your Helm values.yaml configuration, the root token is autogenerated as a Kubernetes secret named pachyderm-auth that can be decoded and read using the following command:
```
kubectl get secret pachyderm-auth -o jsonpath="{.data.root-token}" | base64 --decode
```
Verify you are connected as the root user by running the following command:
```
pachctl auth whoami
```
```
You are "pach:root"
```

Run one of the following commands to assign a role:

pachctl auth set project <project-name> <role-name> user:<username@email.com>

pachctl auth set repo <repo-name> <role-name> user:<username@email.com>

pachctl auth set enterprise clusterAdmin user:<email>

pachctl auth set <resource> <resource-name> [role1,role2 | none ] <prefix:subject>

Admin Roles	Project Roles	Repo Roles	Misc Roles
clusterAdmin	projectViewer	repoReader	debugger
oidcAppAdmin	projectWriter	repoWriter	robotUser
idpAdmin	projectOwner	repoOwner	pachdLogReader
secretAdmin	projectCreator
identityAdmin
licenseAdmin

Confirm access by running the following command:

pachctl auth get project <project-name>

user:lawrence.lane@hpe.com: [projectOwner]

pachctl auth get repo <repo-name>

user:lawrence.lane@hpe.com: [repoOwner]

You can also use these steps to update a users permissions.

As Project Owner #

Open your terminal.
Log in.
```
pachctl auth login
```

Add a user and assign their role to a project that you own.

pachctl auth set project <project-name> <role-name> user:<username@email.com>

pachctl auth set repo <repo-name> <role-name> user:<username@email.com>

pachctl auth set enterprise clusterAdmin user:<email>

pachctl auth set <resource> <resource-name> [role1,role2 | none ] <prefix:subject>