netauth system capability

Manage internal system capabilities


NetAuth makes use of a capabilities-based system for internal access control. The capability command can add and remove capabilities from entities and groups. The preferred mechanism for access control should always be to gain capabilities by being in a group that has them, rather than having access applied to entities directly. A description of each capability follows:

GLOBAL_ROOT - Confers all other capabilities implicitly. This power is used to bootstrap the server and should be reserved to super administrators that would otherwise be able to obtain this power.

CREATE_ENTITY - Allow the creation of entities.

DESTROY_ENTITY - Allows the destruction of entities.

MODIFY_ENTITY_META - Allows modification of entity metadata.

MODIFY_ENTITY_KEYS - Allows modification of entity public keys. Entities are able to change their own keys without this capability.

CHANGE_ENTITY_SECRET - Allows modification of entity secrets. Entities are able to change their own secrets without this capability.

LOCK_ENTITY - Allows setting an entity lock. Locked entities cannot successfully authenticate, even with a correct secret.

UNLOCK_ENTITY - Allows unlocking an entity.

CREATE_GROUP - Allows creation of groups.

DESTROY_GROUP - Allows destruction of groups.

MODIFY_GROUP_META - Allows the modification of group level metadata. This should generally be assigned in conjunction with.

MODIFY_GROUP_MEMBERS - Allows the modification of group memberships. This capability is not needed if the requesting entity is a member of a group's designated management group.
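The rules above (capabilities inherited through group membership, GLOBAL_ROOT implying everything, self-service secret changes, and the management-group exception for MODIFY_GROUP_MEMBERS) as an added Go illustration. This is not NetAuth's own code; the Entity and Group types and the three check functions are made up for the example.

```go
package main

import "fmt"

// Added illustration of the capability rules described on this page; it is
// not NetAuth's own code, and Entity and Group are made-up types.
type Entity struct {
	ID     string
	Caps   map[string]bool // capabilities applied directly (discouraged)
	Groups []string        // group memberships (the preferred route)
}

type Group struct {
	Caps      map[string]bool
	ManagedBy string // designated management group, "" if none
}

// HasCapability: held directly or via any group; GLOBAL_ROOT confers all others.
func HasCapability(groups map[string]*Group, e *Entity, name string) bool {
	if e.Caps[name] || e.Caps["GLOBAL_ROOT"] {
		return true
	}
	for _, gn := range e.Groups {
		if g := groups[gn]; g != nil && (g.Caps[name] || g.Caps["GLOBAL_ROOT"]) {
			return true
		}
	}
	return false
}

// MayChangeSecret: an entity may change its own secret without CHANGE_ENTITY_SECRET.
func MayChangeSecret(groups map[string]*Group, requester, target *Entity) bool {
	return requester.ID == target.ID || HasCapability(groups, requester, "CHANGE_ENTITY_SECRET")
}

// MayModifyMembers: not needed if the requester is in the target group's management group.
func MayModifyMembers(groups map[string]*Group, requester *Entity, target *Group) bool {
	for _, gn := range requester.Groups {
		if target.ManagedBy != "" && gn == target.ManagedBy {
			return true
		}
	}
	return HasCapability(groups, requester, "MODIFY_GROUP_MEMBERS")
}

func main() {
	groups := map[string]*Group{"example-group": {Caps: map[string]bool{"MODIFY_GROUP_META": true}}}
	alice := &Entity{ID: "alice", Groups: []string{"example-group"}}
	fmt.Println(HasCapability(groups, alice, "MODIFY_GROUP_META")) // true, via group membership
}
```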

netauth system capability <identifier> <ADD|DEL> <capability> [flags]


Examples

$ netauth system capability example-group add MODIFY_GROUP_META
Capability Modified

$ netauth system capability --direct demo2 add MODIFY_GROUP_META
You are attempting to add a capability directly to an entity.  This is discouraged!
Capability Modified


Options

      --direct   Provided identifier is an entity
  -h, --help     help for capability

Options inherited from parent commands

      --config string   Use an alternate config file
      --entity string   Specify a non-default entity to make requests as
      --secret string   Specify the request secret on the command line


Auto generated by spf13/cobra on 18-Aug-2019