Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CLI Toolkit

Example CLI User Set Up

search

Please Note:

Example CLI User Set Up

The following example will create a non-admin user named sarah and create a key. sarah will own the key and will be able to do things with it.

We will create a second user, named bob, and show he does not have access to sarah's key.

Next, we will add bob to a group. sarah will add a permission to the key, granting members of the group some permissions to the key. We'll then show that bob now has these permissions.

You can try these steps using the API playground, curl, or by using the CLI commands.

This exercise assumes that the user has already installed the CLI tool (ksctl) and has created a config.yaml file that is specific to their installation. Note that we will use the built-in user in some cases and override them in others. Any command without user/password credentials is using the built-in (admin) user.

  1. Create a new user called sarah.

    $ ksctl users create -n sarah -p Sarah_pw1

    The response to the create user command is a user resource that looks like:

    {
  "created_at": "2018-04-27T21:10:53.191577Z",
  "email": "",
  "last_login": null,
  "logins_count": 0,
  "name": "bob",
  "nickname": "bob",
  "updated_at": "2018-04-27T21:10:53.191577Z",
  "user_id": " local|0c617800-58f0-4cf9-85bd-8d75037d8bfb",
  "username": "sarah",
  "failed_logins_count": 0,
  "account_lockout_at": null,
  "failed_logins_initial_attempt_at": null,
  "last_failed_login_at": null,
  "password_changed_at": "2018-04-27T21:10:53.192083Z",
  "password_change_required": false
}

  2. Now create an AES key, which will be owned by sarah.

    We'll need to create a file containing the attributes of the key we want to create, then pass that file to the CLI tool:

    Windows

    $ echo {"name":"aeskey"} > keyparams.json

    Linux

    $ echo "{\"name\":\"aeskey\"}" > keyparams.json

    All systems

    $ ksctl –-user sarah –-password sarah_pw1 keys create -j keyparams.json

    The response to the create key command is a key resource that looks like:

    {
  "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868",
  "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2018-04-27T20:56:11.731123593Z",
  "name": "aeskey",
  "updatedAt": "2018-04-27T20:56:11.731123593Z",
  "usage": "blob",
  "usageMask": 12,
  "meta": {
    "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb"
    },
  "algorithm": "AES",
  "size": 256,
  "format": "raw",
  "unexportable": false,
  "undeletable": false,
  "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0",
  "objectType": "Symmetric Key",
  "activationDate": "2018-04-27T20:56:11.729121368Z",
  "state": "Active"
}

  3. sarah is the owner of the key, which grants her permission to read the key:

    $ ksctl keys get -n aeskey

    The response looks like:

    {
  "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868",
  "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2018-04-27T20:56:11.731124Z",
  "name": "aeskey",
  "updatedAt": "2018-04-27T20:56:11.731124Z",
  "usage": "blob",
  "usageMask": 12,
  "meta": {
    "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb"
    },
  "algorithm": "AES",
  "size": 256,
  "format": "raw",
  "unexportable": false,
  "undeletable": false,
  "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0",
  "objectType": "Symmetric Key",
  "activationDate": "2018-04-27T20:56:11.729121Z",
  "state": "Active"
}

  4. Now we'll create a second user, named bob:

    $ ksctl users create -n bob -p bob_password1

    The response looks like:

    {
   "created_at": "2018-04-27T21:10:53.191577Z",
   "email": "",
   "last_login": null,
   "logins_count": 0,
   "name": "bob",
   "nickname": "bob",
   "updated_at": "2018-04-27T21:10:53.191577Z",
   "user_id": "local|c7560d06-3628-4fb0-81e3-5881d2f8d7b3",
   "username": "bob",
   "failed_logins_count": 0,
   "account_lockout_at": null,
   "failed_logins_initial_attempt_at": null,
   "last_failed_login_at": null,
   "password_changed_at": "2018-04-27T21:10:53.192083Z",
   "password_change_required": false
 }

  5. We'll also create a new group eng and put bob in it:

    $ ksctl groups create -i "local|c7560d06-3628-4fb0-81e3-5881d2f8d7b3" -n eng

    The response looks like:

    {
  "name": "eng",
  "created_at": "2018-04-27T21:15:36.644959Z",
  "updated_at": "2018-04-27T21:15:36.644959Z"
}

  6. We will connect as bob and try to read the key. This will fail, since bob has no access to the key.

    $ ksctl –-user bob –-password bob_password1 keys get -n aeskey

    The response looks like:

    {
  "code": 16,
  "codeDesc": "NCERRResourceNotFound: Resource not found"
}

  7. Let us connect as sarah and give the eng group, of which bob is a member, permission to get info about the key.

    Windows

    $ echo {"meta":{"permissions":{"ReadKey":["eng"]}}} > keypermissions.json

    Linux

    $ echo "{\"meta\":{\"permissions\":{\"ReadKey\":[\"eng\"]}}}" > keypermissions.json

    All systems

    $ ksctl –-user sarah –-password sarah_pw1 keys modify -n aeskey -j keypermissions.json

    The response looks like:

    {
  "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868",
  "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2018-04-27T20:56:11.731124Z",
  "name": "aeskey",
  "updatedAt": "2018-04-27T21:23:05.713305295Z",
  "usage": "blob",
  "usageMask": 12,
  "meta": {
    "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb",
    "permissions": {
      "ReadKey": [
      "eng"
      ]
    }
    },
    "algorithm": "AES",
    "size": 256,
    "format": "raw",
    "unexportable": false,
    "undeletable": false,
    "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0",
    "objectType": "Symmetric Key",
    "activationDate": "2018-04-27T20:56:11.729121Z",
    "state": "Active"
}

  8. Now bob is able to get info about the key.

    $ ksctl –user bob –password bob_password1 keys get -n aeskey

    The response looks like:

    {
  "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868",
  "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU",
  "account": "kylo:kylo:admin:accounts:kylo",
  "application": "ncryptify:gemalto:admin:apps:kylo",
  "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
  "createdAt": "2018-04-27T20:56:11.731124Z",
  "name": "aeskey",
  "updatedAt": "2018-04-27T21:24:29.898123Z",
  "usage": "blob",
  "usageMask": 12,
  "meta": {
    "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb",
    "permissions": {
      "ReadKey": [
      "eng"
      ]
    }
  },
  "algorithm": "AES",
  "size": 256,
  "format": "raw",
  "unexportable": false,
  "undeletable": false,
  "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0",
  "objectType": "Symmetric Key",
  "activationDate": "2018-04-27T20:56:11.729121Z",
  "state": "Active"
}

On this page