CLI for user management

[exalate-issue-sync]

Story

As an admin I want to be able to disable / enable a user, so that only enabled users have access to ownCloud.

DoD

• rewrite without api usage and 'ocis login' => create follow-up
• List users to choose te right ID
  • bin/ocis-accounts list
• Enable / Disable users
  • Enable bin/ocis-accounts update --enabled u-u-i-d
  • Disable bin/ocis-accounts update --enabled=false u-u-i-d
• Disabled users should not be able to log in
• Integrate in to ocis full-binary
• Show it tested and deployed
• Develop Strategy for Testing, API needs tests, command optional

[exalate-issue-sync]

Remote key is https://jira.owncloud.com/browse/OCIS-276

[exalate-issue-sync]

Ilja Neumann commented: Concept:

Integrate as a sub-command for ocis accounts:

• ocis accounts add
• ocis accounts list
• ocis accounts show
• ocis accounts enable
• ocis accounts disable

Command should work remotely. Admin should be able to put the ocis binary on his machine and use that as a client.

To achive this an "ocis login" command is required which asks for username/password and the address of the proxy. With this information an token is minted and stored in the environment-variable or user-home. This token can then be used to authenticate subsequent cli-calls.

Open Questions:

• How does the cli-command know where the accounts service is running i.e where the accounts grpc api is?

• Could the cli command query the service-registry? How?

• Is micro-gateway requiered for this? MDNS probably won't reach to admins machine?

• AFAIK it is not possible to proxy grpc via ocis-proxy?

All this problems could be (temporarily) circumvented if the admin has to provide the address to the accounts service on every invocation or in an environmet variable. Is this an UX we can live with for the MVP? Drawback is that the accounts service needs to be reachable from admins machine (Firewall?)

[IljaN]

Decission for now: Use micro service-discovery to discover accounts service. This has the drawback that the commands need to be executed in the service-mesh's network as we don't have a central api-gateway for now.

[IljaN]

• Integrate in to ocis (added to top-post) ->Integrate account-management cli-commands ocis#462

[exalate-issue-sync]

Felix Boehm commented: reopening and clarification:

• a cli client is not scope of current planning
• as a sysadmin I have access via ssh on my instance and want to run a command 'ocis accounts add ...' to create a user without any further need to authenticate or authorize (permissions ignored), so that I never run into a locked situation (no one has permission to create a user)

'ocis login' not the way to go on cli