User
DRP Users are the API-level accounts that authenticate to the endpoint. Each user has a name, a
hashed password, one or more assigned Roles, and an internal secret used for token revocation. DRP
ships with a default rocketskates superuser — change its password immediately after installation.
Creating Users
# Create a new user
drpcli users create '{"Name": "alice", "Roles": ["machine-operator"]}'
# Set the user's password
drpcli users password alice 'new-secure-password'
Through the portal, navigate to Users, click Add, enter the name and initial password, and assign roles before saving.
Assigning Roles
A user may hold multiple roles. Their effective permissions are the union of all granted role claims. Assign roles at creation time or update them later:
# Add a role to an existing user
drpcli users update Name:alice '{"Roles": ["machine-operator", "machine-reader"]}'
See Role for how to create and manage roles.
Password Management
DRP stores passwords as scrypt hashes — plaintext passwords are never stored. Changing a user's
password automatically rotates their internal Secret, invalidating all previously issued tokens
for that user.
For the default rocketskates account:
Token-Based Authentication
Rather than using username/password credentials for every API call, DRP supports generating short-lived bearer tokens. Tokens are scoped to the claims of the issuing user and can be further restricted to a specific object or action subset.
# Generate a token valid for 1 hour
drpcli users token alice ttl 1h
# Generate a machine-scoped token
drpcli users token alice scope machines specific machine-uuid-1 action get,list
Tokens are revoked when the user's Secret changes (i.e., when their password is reset) or when
an administrator explicitly changes the secret. All tokens issued before the secret rotation become
invalid.
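The following added example is a simplified Python model of the behaviour described above, not DRP's own code or token format: a token carries a TTL and scope/action/specific restrictions, and it stops validating as soon as the user's Secret is rotated by a password change. The names `SERVER_KEY`, `User`, `issue_token` and `check_token`, the HMAC construction, and the scrypt cost parameters are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key

class User:
    def __init__(self, name, password):
        self.name = name
        self.set_password(password)

    def set_password(self, password):
        salt = secrets.token_bytes(16)
        # scrypt hash only, never the plaintext (cost parameters are assumptions)
        self.password_hash = salt + hashlib.scrypt(
            password.encode(), salt=salt, n=2**12, r=8, p=1)
        self.secret = secrets.token_hex(16)  # rotated on every password change

def _sign(user, body):
    # Keying the MAC with the user's current Secret ties the token to it.
    key = SERVER_KEY + user.secret.encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_token(user, ttl, scope="*", action="*", specific="*", now=None):
    now = time.time() if now is None else now
    claims = {"user": user.name, "exp": now + ttl,
              "scope": scope, "action": action, "specific": specific}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(user, body)

def check_token(token, users, scope, action, specific, now=None):
    """Return the user name if the token allows the request, else None."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".")
        body = base64.urlsafe_b64decode(encoded)
        claims = json.loads(body)
        user = users[claims["user"]]
        limits = [(scope, claims["scope"]), (action, claims["action"]),
                  (specific, claims["specific"])]
        expired = now >= claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or unknown user
    if not hmac.compare_digest(sig.encode(), _sign(user, body).encode()):
        return None  # forged, or issued before the Secret was rotated
    if expired:
        return None
    for wanted, allowed in limits:
        if allowed != "*" and wanted not in allowed.split(","):
            return None
    return user.name
```

Because the Secret is part of the signing key and never appears in the token, rotating it invalidates every outstanding token for that user without the server keeping a revocation list.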
Listing and Removing Users
DRP sanitizes the PasswordHash field from API responses — it is never returned in plaintext to
clients. The Secret field is also omitted from list and get responses.