User
A User represents an API user of Digital Rebar Provision. Users are the identity objects that authenticate callers and, together with Roles, determine what those callers are authorized to do.
Authentication is password-based. The password is stored as an scrypt hash in the PasswordHash field and is never returned by the API. A newly created User has no password set, meaning it cannot authenticate directly but can still be used through pre-constructed tokens. Use `drpcli users password <name> <pass>` or the API to set a password.
Each User carries a Secret field that is incorporated into token generation. Changing the Secret immediately invalidates all existing tokens issued to or by that user, providing a revocation mechanism. The Secret is automatically rotated whenever the password changes.
The Roles list references Role objects by name. The union of all Claims from those Roles determines the User's effective permissions. In addition to explicit Roles, every User implicitly receives a claim that allows it to retrieve its own record, change its own password, and obtain a token for itself.
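The following Python model is an added illustration of the mechanics described above; it is not Digital Rebar Provision code, and the real server's token format, scrypt parameters, claim names and API calls differ. It shows a password stored only as an scrypt hash and never returned, a per-user Secret folded into the token signing key so that rotating either the grantee's or the grantor's Secret revokes the token, Secret rotation on password change, and effective permissions as the union of Role claims plus the implicit self-service claims. The `(scope, action, specific)` claim tuples and the `body.signature` token layout are assumptions made for the demo.

```python
"""Model of DRP User authentication mechanics (illustration only, not DRP code).

Assumptions for the demo: scrypt with n=2**14, r=8, p=1; tokens are
base64url(JSON body) + "." + hex(HMAC-SHA256) keyed by both parties' Secrets;
claims are (scope, action, specific) tuples.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


class Role:
    """A named bundle of claims."""

    def __init__(self, name, claims):
        self.name = name
        self.claims = set(claims)


class User:
    def __init__(self, name, roles=()):
        self.name = name
        self.salt = None
        self.password_hash = None            # a new user has no password
        self.secret = secrets.token_hex(16)  # mixed into every token minted for/by this user
        self.roles = list(roles)

    @staticmethod
    def _scrypt(password, salt):
        # Assumed cost parameters for the demo; tune to current guidance in real use.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.password_hash = self._scrypt(password, self.salt)
        # Rotating the Secret with the password invalidates every token minted
        # while the old password was in force.
        self.rotate_secret()

    def rotate_secret(self):
        self.secret = secrets.token_hex(16)

    def check_password(self, password):
        if self.password_hash is None:
            return False  # no password set: cannot authenticate directly
        return hmac.compare_digest(self._scrypt(password, self.salt), self.password_hash)

    def to_api(self):
        """What a GET on the user returns: neither PasswordHash nor Secret."""
        return {"Name": self.name, "Roles": list(self.roles)}


def _token_key(user, grantor):
    # Both Secrets are part of the key, so either party can revoke by rotating its own.
    return (user.secret + ":" + grantor.secret).encode()


def mint_token(user, grantor, ttl_seconds, now=None):
    now = time.time() if now is None else now
    body = json.dumps({"user": user.name, "grantor": grantor.name,
                       "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(_token_key(user, grantor), body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token, users_by_name, now=None):
    """Return the authenticated user's name, or None if the token is invalid."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        payload = json.loads(body)
        user = users_by_name[payload["user"]]
        grantor = users_by_name[payload["grantor"]]
        if payload["exp"] < now:
            return None  # expired
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or unknown user/grantor
    expected = hmac.new(_token_key(user, grantor), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # a Secret was rotated, or the token was tampered with
    return user.name


def effective_claims(user, roles_by_name):
    """Union of the user's Role claims plus the implicit self-service claims."""
    claims = {("users", "get", user.name),
              ("users", "password", user.name),
              ("users", "token", user.name)}
    for role_name in user.roles:
        claims |= roles_by_name[role_name].claims
    return claims
```

The revocation property to notice is that a token granted by `admin` to `alice` dies when either `admin.rotate_secret()` or `alice.set_password(...)` runs, while a token `alice` issued to herself survives the admin's rotation.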
Users may belong to one or more Tenants, which restrict object visibility before Role checks are applied. Users can also authenticate through external IdentityProviders using SAML SSO, in which case Roles are assigned via group mapping.
| Field | Definition |
|---|---|
| Description | Description is a string for providing a simple description |
| Meta | Meta contains the metadata of the object as a string-to-string map. The content is undefined and can be an arbitrary store. Some commonly known keys: `color`, the color the UX uses when displaying the object; `icon`, the icon the UX uses when displaying the object; `title`, additional display information, often the source of the object. Specific object types use additional metadata fields, described at: https://docs.rackn.io/stable/redirect/?ref=rs_object_metadata |
| Name | Name is the name of the user (required). |
| PasswordHash | PasswordHash is the scrypt-hashed version of the user's password. It is never returned by the API. |
| Roles | Roles is a list of Roles this User has. |
| Secret | Token secret. This is used when generating user tokens to allow for revocation by the grantor or the grantee. Changing this will invalidate all existing tokens that have this user as the user or the grantor. |
In addition to the Roles assigned to the user, all users also get a claim that allows them to get themselves, change their own password, and get a token for themselves.