Skip to main content
Pure1 Support Portal

pureadmin

Name

pureadmin, pureadmin-create, pureadmin-delete, pureadmin-list, pureadmin-refresh, pureadmin-setattr — management of administrative accounts

Synopsis

pureadmin create --api-token [USER...]

pureadmin delete --api-token [USER...]

pureadmin global list

pureadmin global setattr --min-password-length LENGTH

pureadmin list --api-token [ --cli | --csv | --nvp ] [--expose] [--notitle] [--page] --publickey [USER...] [--raw]

pureadmin refresh [--clear] [USER...]

pureadmin setattr [--password] [--publickey] [USER...]

Arguments

USER

User Logon Name. Sometimes referred to as sAMAccountName.

Options

-h | --help

Can be used with any command or subcommand to display a brief syntax description.

--api-token

Displays a list of users that have REST API access and the dates in which the API tokens were created.

--clear

Indicates a request to completely clear the user permission cache.

--expose

Indicates a request to display an unmasked API token.

--min-password-length LENGTH

Displays or sets a global minimum character limit for local account passwords. New passwords must be at least LENGTH characters long to be accepted. The minimum password length must be greater than 0 characters. Empty passwords are not allowed. The default value is 1 character. Minimum password length changes do not apply to existing passwords.

--password

Indicates a request to change the password for the pureuser administrative account.

--publickey

Indicates a request to change the public key for SSH access or display if a public key is configured for the provided user(s). Only array administrators can change public keys on behalf of other users. If no users are provided as arguments, a request to change the public key will be for the admin issuing the request and a request to display set public keys will show all users with a public key configured.

Options that control display format:

--cli

Displays output in the form of CLI commands that can be issued to reproduce the current configuration. The --cli output is not meaningful when combined with immutable attributes.

--csv

Lists information in comma-separated value (CSV) format. The --csv output can be used for scripting purposes and imported into spreadsheet programs.

--notitle

Lists information without column titles.

--nvp

Lists information in name-value pair (NVP) format, in the form ITEMNAME=VALUE. Argument names and information items are displayed flush left. The --nvp output is designed both for convenient viewing of what might otherwise be wide listings, and for parsing individual items for scripting purposes.

--page

Turns on interactive paging.

--raw

Displays the unformatted version of column titles and data. For example, in the purearray monitor output, the unformatted version of column title us/op (read) is usec_per_read_op. The --raw output is used to sort and filter list results.

Description

The current Purity release comes with a single local administrative account named pureuser. The account is password-protected, and may alternatively be accessed using a public-private key pair. Additional administrative accounts can be enabled by integrating the FlashArray with an existing directory service, such as Microsoft Active Directory, using the pureds command (see pureds(1)). Password management for directory service enabled accounts is done in the directory, however configuring public keys is supported.

The pureadmin create and pureadmin delete commands manage REST API tokens, which grant access to the REST API. API tokens are tied to a particular administrative account. All administrators have permission to manage their own API tokens.

The pureadmin global command displays and changes global administrative account configuration. pureadmin global setattr can be used to configure the --min-password-length attribute that applies to all local account password change requests. pureadmin global list displays the global configuration.

The pureadmin list command displays current FlashArray configuration pertaining to administrative accounts. The --api-token determines which users have REST API access. Combining this option with --expose unmasks the current user's API token. The --publickey option determines which users have public key access configured. Account information for directory service enabled accounts that is not FlashArray specific, such as group membership or password policy, should be managed in the directory.

Directory service enabled accounts are also subject to role-based access control. The permission level of a user is correlated with the configured directory group(s) the user is a member of. To prevent binding and querying the directory server too frequently, permissions are cached on the array. Cache entries for particular users can be refreshed on demand using the refresh subcommand. Cache entries are also automatically updated for a user when starting a new session.

The --clear option empties the entire permissions cache, for all users. After the pureadmin refresh --clear command, the first action by each user causes a query to the directory service, both to confirm that the user has permission for that action and to refresh that user's permission cache entry. These queries to the directory service eventually refresh the permission cache entries for all active users.

The pureadmin setattr subcommand elicits subsidiary prompts for attribute values rather than parsing values entered on the command line:

--password

The --password option is used to change the password for the single, local administrative account: pureuser. The CLI prompts for the "old" password and a new password twice, once for initial entry of the new password and again for confirmation. If the old password is verified and the responses to the two prompts are identical, the password is changed immediately. Passwords may be at most 100 characters in length and may include any character that can be entered from a US keyboard. The minimum password length is configurable via the purearray command (see purearray(1)).

--publickey

When the --publickey option is specified, the CLI prompts for a new public key. A new public key is typically entered by copying a value from a key generation application running in a local window on the administrative workstation and pasting it into the administrative session window. Each public key must correspond to a private key in the account from which a session is being conducted. Public key access can be configured for both the local administrative pureuser account or for any administrative account enable through directory services.

Exceptions

None.

Examples

Example 1

pureadmin setattr --password pureuser
      

Indicates a request to change the password for the pureuser administrative account. Elicits a prompt for the "old" (current) password and two prompts for the new password (entry and confirmation).

Example 2

pureadmin setattr --publickey
      

Indicates a request to change the public key for the workstation account from which the session is being conducted. Elicits a prompt for a new public key, which would typically be copied from a key generation tool running in a local window on the administrative workstation.

Example 3

pureadmin list --publickey
      

List the current administrative accounts for which SSH key access has been configured.

Example 4

pureadmin refresh --clear
      

Clears the contents of the user permission cache.

Example 5

pureadmin create --api-token pureuser
      

Creates an API token for the pureuser administrative account to grant REST API access.

See Also

pureds(1)

Author

Pure Storage Inc.