Add Roles to User via PachCTL

Before You Start

Tip

You can check your current roles and permissions on a given project by running the following:

pachctl auth check project <project-name>
Roles: [projectOwner]
Permissions: [REPO_READ REPO_INSPECT_COMMIT REPO_LIST_COMMIT REPO_LIST_BRANCH REPO_LIST_FILE REPO_INSPECT_FILE REPO_ADD_PIPELINE_READER REPO_REMOVE_PIPELINE_READER PIPELINE_LIST_JOB REPO_WRITE REPO_DELETE_COMMIT REPO_CREATE_BRANCH REPO_DELETE_BRANCH REPO_ADD_PIPELINE_WRITER REPO_MODIFY_BINDINGS REPO_DELETE PROJECT_LIST_REPO PROJECT_CREATE_REPO PROJECT_DELETE PROJECT_MODIFY_BINDINGS]

How to Assign Roles to a User

As Root Admin

This guide assumes resources (projects, repositories) have already been created in your cluster.

Note
You can skip steps 2 and 3 if you are using the MockIdP connector and just want to explore/practice, as you are already logged in as the admin user. Even though you can assign permissions to new users in MockIdP, you cannot log in as them.
  1. Open your terminal.

  2. Connect as the root user using the following command:

    pachctl auth use-auth-token
  3. Input your root token. If you did not initially set a pachd.rootToken or pachd.rootTokenSecretName in your Helm values.yaml configuration, the root token is autogenerated as a Kubernetes secret named pachyderm-auth that can be decoded and read using the following command:

    kubectl get secret pachyderm-auth -o jsonpath="{.data.root-token}" | base64 --decode
  4. Verify you are connected as the root user by running the following command:

    pachctl auth whoami
    You are "pach:root"
  5. Run one of the following commands to assign a role:

    Admin Roles Project Roles Repo Roles Misc Roles
    clusterAdmin projectViewer repoReader debugger
    oidcAppAdmin projectWriter repoWriter robotUser
    idpAdmin projectOwner repoOwner pachdLogReader
    secretAdmin projectCreator
    identityAdmin
    licenseAdmin
  6. Confirm access by running the following command:

You can also use these steps to update a users permissions.

As Project Owner

  1. Open your terminal.

  2. Log in.

    pachctl auth login
  3. Add a user and assign their role to a project that you own.

  4. Confirm access by running the following command: