Managing Access
Eucalyptus manages access to the cloud by policies attached to accounts, groups, and users. This section details access-related tasks you can perform once your administrator allows you access to Eucalyptus. These tasks are split into the following areas: tasks for groups, tasks for users, and tasks for credential management.
1 - Groups
Groups are used to share resource access authorizations among a set of users within an account. Users can belong to multiple groups.
Note
A group in the context of access is not the same as a security group.
This section details tasks that can be performed on groups.
1.1 - Create a Group
To create a group, perform the steps listed in this topic. Enter the following command:
euare-groupcreate -g <group_name>
Eucalyptus does not return anything.
1.2 - Add a Group Policy
To add a group policy, perform the steps listed in this topic. Enter the following command:
euare-groupaddpolicy -g <group_name> -p <policy_name> -e <effect> -a <actions> -o
The optional -o parameter tells Eucalyptus to return the JSON policy, as in this example:
{"Version":"2008-10-17","Statement":[{"Effect":"Allow", "Action":["ec2:RunInstances"], "Resource":["*"]}]}
1.3 - Modify a Group
To modify a group, perform the steps listed in this topic. Modifying a group is similar to a “move” operation: whoever wants to modify the group must have permission to do it on both sides of the move. That is, you need permission to remove the group from its current path or name, and permission to put that group in the new path or name.
For example, if a group changes from one area in a company to another, you can change the group’s path from /area_abc/ to /area_efg/. You need permission to remove the group from /area_abc/, and you also need permission to put the group into /area_efg/. This means you need permission to call UpdateGroup on both arn:aws:iam::123456789012:group/area_abc/* and arn:aws:iam::123456789012:group/area_efg/*.
Enter the following command to modify the group’s name:
euare-groupmod -g <group_name> --new-group-name <new_name>
Eucalyptus does not return a message.
Enter the following command to modify a group’s path:
euare-groupmod -g <group_name> -p <new_path>
Eucalyptus does not return a message.
1.4 - Add a User to a Group
To add a user to a group, perform the steps listed in this topic. Enter the following command:
euare-groupadduser -g <group_name> -u <user_name>
1.5 - Remove a User from a Group
To remove a user from a group, perform the steps listed in this topic. Enter the following command:
euare-groupremoveuser -g <group_name> -u <user_name>
1.6 - List Groups
To list groups, perform the steps listed in this topic. Enter the following command:
euare-grouplistbypath
Eucalyptus returns a list of paths followed by the ARNs for the groups in each path. For example:
arn:aws:iam::eucalyptus:group/groupa
1.7 - Delete a Group
To delete a group, perform the steps listed in this topic. When you delete a group, you have to remove users from the group and delete any policies from the group. You can do this with one command, using the euare-groupdel command with the -r option. Or you can follow these steps to specify who and what you want to delete.
Individually remove all users from the group.
euare-groupremoveuser -g <group_name> -u <user_name>
Delete the policies attached to the group.
euare-groupdelpolicy -g <group_name> -p <policy_name>
Delete the group.
euare-groupdel -g <group_name>
The group is now deleted.
2 - Users
Users are subsets of accounts and are added to accounts by an appropriately credentialed administrator. While the term user typically refers to a specific person, in Eucalyptus, a user is defined by a specific set of credentials generated to enable access to a given account. Each set of user credentials is valid for accessing only the account for which they were created. Thus a user only has access to one account within a Eucalyptus system. If an individual person wishes to have access to more than one account within a Eucalyptus system, a separate set of credentials must be generated (in effect a new ‘user’) for each account (though the same username and password can be used for different accounts).
When you need to add a new user to your Eucalyptus cloud, you’ll go through the following process:
- Create a user
- Add user to a group
- Give user a login profile
2.1 - Add a User
To add a user, perform the steps in this topic. Enter the following command:
euare-usercreate -u <user_name> -g <group_name> -k
Eucalyptus does not return a response.
Note
If you include the parameter, Eucalyptus returns a response that includes the user’s ARN and GUID.
2.2 - Create a Login Profile
To create a login profile, perform the tasks in this topic. Enter the following command:
euare-useraddloginprofile -u <user_name> -p <password>
Eucalyptus does not return a response.
2.3 - Modify a User
Modifying a user is similar to a “move” operation. To modify a user, you need permission to remove the user from the current path or name, and permission to put that user in the new path or name.
For example, if a user changes from one team in a company to another, you can change the user’s path from /team_abc/ to /team_efg/. You need permission to remove the user from /team_abc/, and you also need permission to put the user into /team_efg/. This means you need permission to call UpdateUser on both arn:aws:iam::123456789012:user/team_abc/* and arn:aws:iam::123456789012:user/team_efg/*.
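The two-sided permission check described here for users, and above for groups, as an added example that is not Eucalyptus code: a minimal IAM-style evaluator over policy documents in the JSON shape that euare-groupaddpolicy -o prints, showing that UpdateGroup or UpdateUser must be allowed on both the old and the new ARN, and that an explicit Deny on the destination path blocks the move. The policy contents, the account id 123456789012 and the paths are constructed placeholders taken from the text; the wildcard and Deny-overrides-Allow semantics are the standard IAM evaluation rules assumed here.

```python
import fnmatch
import json

# Constructed policy documents in the JSON shape that euare-groupaddpolicy -o
# prints. Account id and paths are the placeholders used in the text above.
ALLOW_SRC = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:UpdateGroup", "iam:UpdateUser"],
     "Resource": ["arn:aws:iam::123456789012:group/area_abc/*",
                  "arn:aws:iam::123456789012:user/team_abc/*"]}]})
ALLOW_DST = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:UpdateGroup", "iam:UpdateUser"],
     "Resource": ["arn:aws:iam::123456789012:group/area_efg/*",
                  "arn:aws:iam::123456789012:user/team_efg/*"]}]})
DENY_DST_USERS = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["iam:*"],
     "Resource": ["arn:aws:iam::123456789012:user/team_efg/*"]}]})


def _matches(patterns, value):
    """IAM-style wildcard match: '*' spans any characters, including '/'."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_docs, action, resource):
    """Decide one request: implicit Deny by default, a matching Allow grants it,
    and a matching explicit Deny wins over any Allow."""
    decision = "Deny"
    for doc in policy_docs:
        for stmt in json.loads(doc)["Statement"]:
            # Action names compare case-insensitively; resource ARNs do not.
            if not _matches([a.lower() for a in stmt["Action"]], action.lower()):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def can_move(policy_docs, account, kind, old_path, new_path, name):
    """A rename or re-path of a group (kind='group') or user (kind='user')
    needs UpdateGroup / UpdateUser on both the old ARN and the new ARN."""
    action = {"group": "iam:UpdateGroup", "user": "iam:UpdateUser"}[kind]
    old_arn = f"arn:aws:iam::{account}:{kind}{old_path}{name}"
    new_arn = f"arn:aws:iam::{account}:{kind}{new_path}{name}"
    return all(evaluate(policy_docs, action, arn) == "Allow"
               for arn in (old_arn, new_arn))
```

With only ALLOW_SRC attached, can_move for a group from /area_abc/ to /area_efg/ returns False; adding ALLOW_DST makes it True, and DENY_DST_USERS blocks the equivalent user move even though both Allow statements are present.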
Enter the following command to rename a user:
euare-usermod -u <user_name> --new-user-name <new_name>
Eucalyptus does not return a message.
Enter the following command to change a user’s path:
euare-usermod -u <user_name> -p <new_path>
Eucalyptus does not return a message.
2.4 - Change User Path
Enter the following command:
euare-usermod -u <user_name> -p <new_path>
Eucalyptus does not return a message.
2.5 - Change User Password
To change a user’s password using the CLI, enter the following command:
euare-usermodloginprofile -u <user_name> -p <password>
Eucalyptus does not return a message.
2.6 - List Users
To list users within a path, perform the steps in this topic. Use the euare-userlistbypath command to list all the users in an account or to list all the users with a particular path prefix. The output lists the ARN for each resulting user.
euare-userlistbypath -p <path>
2.7 - Delete a User
To delete a user, perform the tasks in this topic. Enter the following command:
euare-userdel -u <user_name>
Eucalyptus does not return a response.
3 - Credentials
Eucalyptus uses different types of credentials for different purposes. This section details tasks needed to allow access to Eucalyptus services.
3.1 - Create Credentials
The first time you get credentials using the Eucalyptus Administrator Console, a new secret access key is generated. On each subsequent request to get credentials, an existing active secret key is returned. You can also generate new keys using the command.
Note
Each request to get a user’s credentials generates a new pair of a private key and X.509 certificate.
As an account administrator, to generate a new key for a user, enter the following:
euare-useraddkey USERNAME
To generate a private key and an X.509 certificate pair, enter the following:
euare-usercreatecert USERNAME
3.2 - Upload a Certificate
To upload a certificate provided by a user, enter the following command:
euare-useraddcert -u <user_name> -f <cert_file>