pureadmin, pureadmin-create, pureadmin-delete, pureadmin-list, pureadmin-refresh, pureadmin-setattr — management of administrative accounts
pureadmin create --api-token [
pureadmin delete --api-token [
pureadmin global list
pureadmin global setattr --min-password-length
pureadmin list --api-token [ --cli | --csv | --nvp ] [--expose] [--notitle] [--page] --publickey [
pureadmin refresh [--clear] [
pureadmin setattr [--password] [--publickey] [
User Logon Name. Sometimes referred to as sAMAccountName.
- -h | --help
Can be used with any command or subcommand to display a brief syntax description.
Displays a list of users that have REST API access and the dates in which the API tokens were created.
Indicates a request to completely clear the user permission cache.
Indicates a request to display an unmasked API token.
Displays or sets a global minimum character limit for local account passwords. New passwords must be at least
LENGTHcharacters long to be accepted. The minimum password length must be greater than 0 characters. Empty passwords are not allowed. The default value is 1 character. Minimum password length changes do not apply to existing passwords.
Indicates a request to change the password for the pureuser administrative account.
Indicates a request to change the public key for SSH access or display if a public key is configured for the provided user(s). Only array administrators can change public keys on behalf of other users. If no users are provided as arguments, a request to change the public key will be for the admin issuing the request and a request to display set public keys will show all users with a public key configured.
Options that control display format:
Displays output in the form of CLI commands that can be issued to reproduce the current configuration. The
--clioutput is not meaningful when combined with immutable attributes.
Lists information in comma-separated value (CSV) format. The
--csvoutput can be used for scripting purposes and imported into spreadsheet programs.
Lists information without column titles.
Lists information in name-value pair (NVP) format, in the form
ITEMNAME=VALUE. Argument names and information items are displayed flush left. The
--nvpoutput is designed both for convenient viewing of what might otherwise be wide listings, and for parsing individual items for scripting purposes.
Turns on interactive paging.
Displays the unformatted version of column titles and data. For example, in the
purearray monitoroutput, the unformatted version of column title
--rawoutput is used to sort and filter list results.
The current Purity release comes with a single local administrative account named pureuser. The account is password-protected, and may alternatively be accessed using a public-private key pair. Additional administrative accounts can be enabled by integrating the FlashArray with an existing directory service, such as Microsoft Active Directory, using the pureds command (see pureds(1)). Password management for directory service enabled accounts is done in the directory, however configuring public keys is supported.
The pureadmin create and pureadmin delete commands manage REST API tokens, which grant access to the REST API. API tokens are tied to a particular administrative account. All administrators have permission to manage their own API tokens.
The pureadmin global command displays and changes global administrative account configuration. pureadmin global setattr can be used to configure the --min-password-length attribute that applies to all local account password change requests. pureadmin global list displays the global configuration.
The pureadmin list command displays current FlashArray configuration pertaining to administrative accounts. The --api-token determines which users have REST API access. Combining this option with --expose unmasks the current user's API token. The --publickey option determines which users have public key access configured. Account information for directory service enabled accounts that is not FlashArray specific, such as group membership or password policy, should be managed in the directory.
Directory service enabled accounts are also subject to role-based access control. The permission level of a user is correlated with the configured directory group(s) the user is a member of. To prevent binding and querying the directory server too frequently, permissions are cached on the array. Cache entries for particular users can be refreshed on demand using the refresh subcommand. Cache entries are also automatically updated for a user when starting a new session.
The --clear option empties the entire permissions cache, for all users. After the pureadmin refresh --clear command, the first action by each user causes a query to the directory service, both to confirm that the user has permission for that action and to refresh that user's permission cache entry. These queries to the directory service eventually refresh the permission cache entries for all active users.
The pureadmin setattr subcommand elicits subsidiary prompts for attribute values rather than parsing values entered on the command line:
The --password option is used to change the password for the single, local administrative account: pureuser. The CLI prompts for the "old" password and a new password twice, once for initial entry of the new password and again for confirmation. If the old password is verified and the responses to the two prompts are identical, the password is changed immediately. Passwords may be at most 100 characters in length and may include any character that can be entered from a US keyboard. The minimum password length is configurable via the purearray command (see purearray(1)).
When the --publickey option is specified, the CLI prompts for a new public key. A new public key is typically entered by copying a value from a key generation application running in a local window on the administrative workstation and pasting it into the administrative session window. Each public key must correspond to a private key in the account from which a session is being conducted. Public key access can be configured for both the local administrative pureuser account or for any administrative account enable through directory services.
pureadmin setattr --password pureuser
Indicates a request to change the password for the pureuser administrative account. Elicits a prompt for the "old" (current) password and two prompts for the new password (entry and confirmation).
pureadmin setattr --publickey
Indicates a request to change the public key for the workstation account from which the session is being conducted. Elicits a prompt for a new public key, which would typically be copied from a key generation tool running in a local window on the administrative workstation.
pureadmin list --publickey
List the current administrative accounts for which SSH key access has been configured.
pureadmin refresh --clear
Clears the contents of the user permission cache.
pureadmin create --api-token pureuser
Creates an API token for the pureuser administrative account to grant REST API access.
Pure Storage Inc.