IBM InfoSphere Streams Version 4.1.1

streamtool lspermission

The streamtool lspermission command lists the permissions that a user, group, or role has for instance security objects.

Usage


lspermission

>>-+-----------------------+--+---------+----------------------->
   '-+- -d----------+--did-'  +- -h-----+   
     '- --domain-id-'         '- --help-'   

>--+-------------------------+--+-----------------+------------->
   '-+- -i------------+--iid-'  '- --trace--level-'   
     '- --instance-id-'                               

>--+---------------------+--+-----------------------+----------->
   '-+- -U-----+--userid-'  '-+- -v--------+--level-'   
     '- --User-'              '- --verbose-'            

>--| Non-interactive tool options |--principal-----------------><

Non-interactive tool options

    (1)                                    
|--------+-----------------------------+------------------------|
         +- --embeddedzk---------------+   
         |               .-,---------. |   
         |               V           | |   
         '- --zkconnect----host:port-+-'

Notes:

The non-interactive tool options are not supported in the interactive streamtool interface.

Authority

You must have write authority for the config instance object. By default, the DomainAdministrator and InstanceAdministrator roles have this authority. For more information about access control lists, see streamtool getacl.

Description

InfoSphere® Streams uses ACLs to enforce security. An ACL is composed of the type of instance object to secure and the actions that a group or user is authorized to perform against the object.

This command returns information about each of the instance security objects and the authority that the principal has for each of those objects. A principal can be a user, group, or role.

If the principal is a user, the command considers the groups and roles that the user belongs to when it calculates the authority that a user has for each security object. Likewise, if the principal is a group, the command also considers the roles that the group belongs to.

You can obtain similar information by running the streamtool lsacl command or by running the streamtool getacl for each instance object, though those commands list the users, groups, and roles separately.

Options and arguments

-d, --domain-id did

Specifies the domain identifier.
If you do not specify this option, InfoSphere Streams uses the domain name that is set in the STREAMS_DOMAIN_ID environment variable. By default, that domain name is StreamsDomain. If you are using the interactive streamtool interface, it uses the name of the active domain for the current streamtool session or else it prompts you for the domain name.

The active domain for the current streamtool session is set every time that you successfully run a streamtool command with a -d or --domain-id option. Alternatively, you can run the streamtool domain command in the interactive interface.

--embeddedzk

Specifies to use the embedded copy of ZooKeeper. This option is not supported within the interactive streamtool interface.

If you are not using the interactive streamtool interface and you do not specify either this option or the --zkconnect option, InfoSphere Streams uses the ZooKeeper connection that is associated with the active domain or the domain that is specified in the --domain-id option. InfoSphere Streams determines which connection maps to the domain by using cached information about the domains. In this scenario, if the domain identifier is not unique in the InfoSphere Streams configuration cache, the command fails.

-h, --help

Specifies to show the command syntax.

-i, --instance-id iid

Specifies the instance identifier.
If you do not specify this option, InfoSphere Streams uses the instance identifier that is set in the STREAMS_INSTANCE_ID environment variable. By default, that instance identifier is StreamsInstance. If you are using the interactive streamtool interface, it tries to use an instance ID that you specified in a previous command. If no such value is found, the command uses the STREAMS_INSTANCE_ID environment variable. Alternatively, you can run the streamtool instance command in the interactive interface.

principal

Specifies the principal. It must have the format type:name. The type can be u, user, g, group, r, or role. If you do not specify the type, it has a default value of user. The name is the name of a user, group, or role.

--trace level

Specifies the trace setting. The following valid levels are listed in order of increasing verbosity, which is to say that the first level in the list generates the least amount of information:
off

error

warn

info

debug

trace

The default value is off.

-U, --User userid

Specifies an InfoSphere Streams user ID that has authority to run the command.

-v,--verbose level

Specifies to provide more detailed command output. The vebosity level can be from 0 to 3 where each increment provides more detailed output.

--zkconnect host:port

The name of one or more host and port pairs that specify the configured ZooKeeper servers. This option is not supported within the interactive streamtool interface.

If you are not using the interactive streamtool interface and you do not specify this option, InfoSphere Streams tries to use:
The --embeddedzk option

The value from the STREAMS_ZKCONNECT environment variable

A ZooKeeper connection string that is derived from cached information about the current domain.

Examples

In the following example, the command returns the access control information for the bsmith user in the streams instance:

[streamtool <?@StreamsDomain.StreamsInstance>] lspermission u:bsmith 
application-log:rws--o
config:rwsado
hosts:rwsado
instance:rws-do
jobgroup_default:rwsado
jobgroup_test:rwsado
jobs-override:---a-o
jobs:--sa-o
system-log:rws--o