Example CLI User Set Up
The following example creates a non-admin user named sarah and then creates a key. sarah will own the key and will therefore be able to use it.
We will create a second user, named bob, and show that he has no access to sarah's key.
Next, we will add bob to a group. sarah will then add a permission to the key granting members of that group read access to it, and we'll show that bob now has that access.
You can try these steps using the API playground, curl, or by using the CLI commands.
This exercise assumes that the user has already installed the CLI tool (ksctl) and has created a config.yaml file that is specific to their installation. Note that we will use the built-in user in some cases and override it in others. Any command without --user/--password credentials is using the built-in (admin) user.
-
Create a new user called sarah.
$ ksctl users create -n sarah -p sarah_pw1
The response to the create user command is a user resource that looks like:
{ "created_at": "2018-04-27T21:10:53.191577Z", "email": "", "last_login": null, "logins_count": 0, "name": "sarah", "nickname": "sarah", "updated_at": "2018-04-27T21:10:53.191577Z", "user_id": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb", "username": "sarah", "failed_logins_count": 0, "account_lockout_at": null, "failed_logins_initial_attempt_at": null, "last_failed_login_at": null, "password_changed_at": "2018-04-27T21:10:53.192083Z", "password_change_required": false }
-
Now create an AES key, which will be owned by sarah.
We'll need to create a file containing the attributes of the key we want to create, then pass that file to the CLI tool:
Windows
$ echo {"name":"aeskey"} > keyparams.json
Linux
$ echo "{\"name\":\"aeskey\"}" > keyparams.json
All systems
$ ksctl --user sarah --password sarah_pw1 keys create -j keyparams.json
The response to the create key command is a key resource that looks like:
{ "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868", "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2018-04-27T20:56:11.731123593Z", "name": "aeskey", "updatedAt": "2018-04-27T20:56:11.731123593Z", "usage": "blob", "usageMask": 12, "meta": { "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb" }, "algorithm": "AES", "size": 256, "format": "raw", "unexportable": false, "undeletable": false, "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0", "objectType": "Symmetric Key", "activationDate": "2018-04-27T20:56:11.729121368Z", "state": "Active" }
-
sarah is the owner of the key, which grants her permission to read it. Connect as sarah (not as the built-in admin) and fetch the key by name:
$ ksctl --user sarah --password sarah_pw1 keys get -n aeskey
The response looks like:
{ "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868", "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2018-04-27T20:56:11.731124Z", "name": "aeskey", "updatedAt": "2018-04-27T20:56:11.731124Z", "usage": "blob", "usageMask": 12, "meta": { "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb" }, "algorithm": "AES", "size": 256, "format": "raw", "unexportable": false, "undeletable": false, "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0", "objectType": "Symmetric Key", "activationDate": "2018-04-27T20:56:11.729121Z", "state": "Active" }
-
Now we'll create a second user, named bob:
$ ksctl users create -n bob -p bob_password1
The response looks like:
{ "created_at": "2018-04-27T21:10:53.191577Z", "email": "", "last_login": null, "logins_count": 0, "name": "bob", "nickname": "bob", "updated_at": "2018-04-27T21:10:53.191577Z", "user_id": "local|c7560d06-3628-4fb0-81e3-5881d2f8d7b3", "username": "bob", "failed_logins_count": 0, "account_lockout_at": null, "failed_logins_initial_attempt_at": null, "last_failed_login_at": null, "password_changed_at": "2018-04-27T21:10:53.192083Z", "password_change_required": false }
-
We'll also create a new group eng and put bob in it:
$ ksctl groups create -i "local|c7560d06-3628-4fb0-81e3-5881d2f8d7b3" -n eng
The response looks like:
{ "name": "eng", "created_at": "2018-04-27T21:15:36.644959Z", "updated_at": "2018-04-27T21:15:36.644959Z" }
-
We will connect as bob and try to read the key. This will fail, since bob has no access to the key. Note that the server reports the key as not found rather than as forbidden, so bob cannot even confirm that a key named aeskey exists.
$ ksctl --user bob --password bob_password1 keys get -n aeskey
The response looks like:
{ "code": 16, "codeDesc": "NCERRResourceNotFound: Resource not found" }
-
Now connect as sarah and give the eng group, of which bob is a member, the ReadKey permission on the key. The permission is set through the key's meta.permissions attribute, again passed as a JSON file:
Windows
$ echo {"meta":{"permissions":{"ReadKey":["eng"]}}} > keypermissions.json
Linux
$ echo "{\"meta\":{\"permissions\":{\"ReadKey\":[\"eng\"]}}}" > keypermissions.json
All systems
$ ksctl --user sarah --password sarah_pw1 keys modify -n aeskey -j keypermissions.json
The response looks like:
{ "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868", "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2018-04-27T20:56:11.731124Z", "name": "aeskey", "updatedAt": "2018-04-27T21:23:05.713305295Z", "usage": "blob", "usageMask": 12, "meta": { "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb", "permissions": { "ReadKey": [ "eng" ] } }, "algorithm": "AES", "size": 256, "format": "raw", "unexportable": false, "undeletable": false, "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0", "objectType": "Symmetric Key", "activationDate": "2018-04-27T20:56:11.729121Z", "state": "Active" }
-
Now bob, connecting with his own credentials, is able to read the key because his group eng is listed under meta.permissions.ReadKey:
$ ksctl --user bob --password bob_password1 keys get -n aeskey
The response looks like:
{ "id": "cf8c8c215e8077e11a7af5304fe77082791af13e3906d52ba7237eb6fd2df868", "uri": "kylo:kylo:vault:keys:aeskey-v0-HEU", "account": "kylo:kylo:admin:accounts:kylo", "application": "ncryptify:gemalto:admin:apps:kylo", "devAccount": "ncryptify:gemalto:admin:accounts:gemalto", "createdAt": "2018-04-27T20:56:11.731124Z", "name": "aeskey", "updatedAt": "2018-04-27T21:24:29.898123Z", "usage": "blob", "usageMask": 12, "meta": { "ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb", "permissions": { "ReadKey": [ "eng" ] } }, "algorithm": "AES", "size": 256, "format": "raw", "unexportable": false, "undeletable": false, "defaultIV": "5bec41b53dd4a64aa25d64c175b05fb0", "objectType": "Symmetric Key", "activationDate": "2018-04-27T20:56:11.729121Z", "state": "Active" }
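The walkthrough above shows three authorization outcomes: the owner reads the key, a non-owner with no matching group gets a not-found error, and a non-owner whose group is listed under meta.permissions.ReadKey reads the key. The following Python model, added here as an illustration and not ksctl or KeySecure code, reproduces that decision offline so the rule can be checked against the page's own sample records. The user ids, group name and key fields are copied from the responses above; the merge behaviour of apply_permissions (adding meta.permissions alongside the existing ownerId) is an assumption that matches the modified key resource shown, not a description of the server's internals.

```python
"""Model of the owner/group ReadKey authorization shown in the ksctl walkthrough.

Added illustration, not product code: it reproduces the server's observed
decisions (owner may read; anyone else needs a group named under
meta.permissions.ReadKey; unauthorized callers get the not-found error).
"""
import json

# Constructed from the sample responses in the walkthrough.
USERS = {
    "sarah": {"user_id": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb", "groups": []},
    "bob": {"user_id": "local|c7560d06-3628-4fb0-81e3-5881d2f8d7b3", "groups": ["eng"]},
}

# The key as returned by `keys create`, before any permissions were added
# (trimmed to the fields the authorization decision uses).
KEY_AESKEY = json.loads('''{
  "name": "aeskey",
  "meta": {"ownerId": "local|0c617800-58f0-4cf9-85bd-8d75037d8bfb"},
  "algorithm": "AES", "size": 256, "state": "Active"
}''')

# Error body returned to bob in the walkthrough before he was granted access.
NOT_FOUND = {"code": 16, "codeDesc": "NCERRResourceNotFound: Resource not found"}


def apply_permissions(key: dict, patch: dict) -> dict:
    """Merge a keypermissions.json-style patch ({"meta": {"permissions": {...}}})
    into a copy of the key, keeping existing meta fields such as ownerId.
    (Assumed merge semantics; they match the modified resource on the page.)"""
    updated = json.loads(json.dumps(key))  # deep copy so the original is untouched
    updated.setdefault("meta", {}).update(patch.get("meta", {}))
    return updated


def can_read(key: dict, user: dict) -> bool:
    """The owner always may read; any other caller needs at least one of its
    groups listed under meta.permissions.ReadKey."""
    meta = key.get("meta", {})
    if meta.get("ownerId") == user["user_id"]:
        return True
    allowed = set(meta.get("permissions", {}).get("ReadKey", []))
    return bool(allowed.intersection(user["groups"]))


def keys_get(key: dict, user: dict) -> dict:
    """Mimic `ksctl keys get -n <name>`: the key resource for authorized callers,
    the same not-found body for everyone else (no existence leak)."""
    return key if can_read(key, user) else NOT_FOUND


if __name__ == "__main__":
    # Before the grant: sarah reads, bob gets not-found.
    print(keys_get(KEY_AESKEY, USERS["sarah"])["name"])
    print(keys_get(KEY_AESKEY, USERS["bob"]))
    # After sarah's `keys modify -j keypermissions.json`, bob reads via eng.
    patched = apply_permissions(KEY_AESKEY, {"meta": {"permissions": {"ReadKey": ["eng"]}}})
    print(keys_get(patched, USERS["bob"])["name"])
```

The model deliberately returns the identical not-found body for a missing key and for a key the caller may not read, mirroring the response bob received above; a practitioner adding a new permission type would extend can_read with a second permission name rather than special-casing users, since the page grants rights to groups, not to individual user ids.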