IBM Streams 4.3.0

streamtool lsacl

The streamtool lsacl command lists all of the security objects and the associated access control lists (ACL) in the IBM® Streams instance.

Usage

lsacl

>>-+-----------------------+--+-------------+------------------->
   '-+- -d----------+--did-'  '-+- -h-----+-'   
     '- --domain-id-'           '- --help-'     

>--+-------------------------+--+-----------------+------------->
   '-+- -i------------+--iid-'  '- --trace--level-'   
     '- --instance-id-'                               

>--+-------------------+--+-----------------------+------------->
   '-+- -U-----+--user-'  '-+- -v--------+--level-'   
     '- --User-'            '- --verbose-'            

>--| Non-interactive tool options |----------------------------><

Non-interactive tool options

    (1)                                    
|--------+-----------------------------+------------------------|
         +- --embeddedzk---------------+   
         |               .-,---------. |   
         |               V           | |   
         '- --zkconnect----host:port-+-'   

Notes:
  1. The non-interactive tool options are not supported in the interactive streamtool interface.

Authority

You must have write authority for the config instance object. By default, the DomainAdministrator and InstanceAdministrator roles have this authority. For more information about access control lists, see streamtool getacl.

Description

IBM Streams uses ACLs to enforce security. An ACL is composed of the type of instance object to secure and the actions that a group or user is authorized to perform against the object.

IBM Streams objects are hierarchical in nature, in that some objects are included by other objects. For example, a jobs object can include multiple job-id objects for each job that is running in the system. These relationships are sometimes referred to as parent and child relationships between the objects.

The streamtool lsacl command returns information about the parent, owner, persistence, and access permissions for each instance object. You can retrieve the same information by running the streamtool getacl command for each instance object.

If the command output indicates that the object is persistent, it means that changes to this object, for example changes to its permissions, are recorded in the instance security configuration. Thus the changes persist even after the instance is stopped and restarted.

For more information, see Security objects and access permissions for IBM Streams domains and instances.

Options and arguments

-d, --domain-id did
Specifies the domain identifier.

If you do not specify this option, IBM Streams uses the domain name that is set in the STREAMS_DOMAIN_ID environment variable. By default, that domain name is StreamsDomain. If you are using the interactive streamtool interface, it uses the name of the active domain for the current streamtool session or else it prompts you for the domain name.

The active domain for the current streamtool session is set every time that you successfully run a streamtool command with a -d or --domain-id option. Alternatively, you can run the streamtool domain command in the interactive interface.

--embeddedzk

Specifies to use the embedded copy of ZooKeeper. This option is not supported within the interactive streamtool interface.

If you are not using the interactive streamtool interface and you do not specify either this option or the --zkconnect option, IBM Streams uses the ZooKeeper connection that is associated with the active domain or the domain that is specified in the --domain-id option. IBM Streams determines which connection maps to the domain by using cached information about the domains. In this scenario, if the domain identifier is not unique in the IBM Streams configuration cache, the command fails.

-h, --help
Specifies to show the command syntax.

-i, --instance-id iid
Specifies the instance identifier.

If you do not specify this option, IBM Streams uses the instance identifier that is set in the STREAMS_INSTANCE_ID environment variable. By default, that instance identifier is StreamsInstance. If you are using the interactive streamtool interface, it tries to use an instance ID that you specified in a previous command. If no such value is found, the command uses the STREAMS_INSTANCE_ID environment variable. Alternatively, you can run the streamtool instance command in the interactive interface.

--trace level
Specifies the trace setting. The following valid levels are listed in order of increasing verbosity, which is to say that the first level in the list generates the least amount of information:
  • off
  • error
  • warn
  • info
  • debug
  • trace
The default value is off.

-U, --User userid
Specifies an IBM Streams user ID that has authority to run the command.

-v, --verbose level
Specifies to provide more detailed command output. The verbosity level can be 0-3, where 0 disables detailed reporting and each increment provides more detailed output.

--zkconnect host:port

The name of one or more host and port pairs that specify the configured ZooKeeper servers. This option is not supported within the interactive streamtool interface.

If you are not using the interactive streamtool interface and you do not specify this option, IBM Streams tries to use:
  1. The --embeddedzk option
  2. The value from the STREAMS_ZKCONNECT environment variable
  3. A ZooKeeper connection string that is derived from cached information about the current domain.

Examples

The following command returns the access control lists for the objects within the "StreamsInstance" instance:
[streamtool <bsmith@StreamsDomain.StreamsInstance>] lsacl
...
# object: jobs
# parent: instance
# owner: nobody
# persistent: yes
user:bsmith:--sa-o
role:InstanceUser:--sa--
role:DomainAdministrator:--sa-o
default:user:owner:rwsado
default:user:bsmith:rwsado
default:user:InstanceUser:r-sa--
default:role:DomainAdministrator:rwsado
default:role:InstanceAdministrator:rwsado
# object: jobs-override
# parent:instance
# owner: nobody
# persistent: yes
user: bsmith:---a-o
...
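
For access reviews, the listing format shown above can be parsed and checked for principals that hold a given permission flag on an object. The following is an added example, not part of the IBM documentation or product; the function names parse_lsacl and holders are hypothetical, the sample text is constructed in the format of the example output, and the flag positions are assumed to follow the rwsado order that appears in that output.

```python
import re
import sys

FLAGS = "rwsado"  # flag positions, in the order the sample output shows them

# Constructed sample in the format of the example above (not real instance data).
SAMPLE = """\
# object: jobs
# parent: instance
# owner: nobody
# persistent: yes
user:bsmith:--sa-o
role:InstanceUser:--sa--
default:role:InstanceAdministrator:rwsado
# object: jobs-override
# parent:instance
# persistent: yes
user: bsmith:---a-o
"""

HEADER = re.compile(r"#\s*(object|parent|owner|persistent)\s*:\s*(.+)")
ENTRY = re.compile(r"(default:)?\s*(user|role)\s*:\s*([^:]+?)\s*:\s*([rwsado-]{6})$")

def parse_lsacl(text):
    """Return one dict per '# object:' block, with header fields and ACL entries."""
    objects = []
    for line in (raw.strip() for raw in text.splitlines()):
        h = HEADER.match(line)
        if h and h.group(1) == "object":
            objects.append({"object": h.group(2), "acl": []})
        elif h and objects:
            objects[-1][h.group(1)] = h.group(2)
        e = ENTRY.match(line)
        if e and objects:
            perms = {f for f, c in zip(FLAGS, e.group(4)) if c == f}
            objects[-1]["acl"].append({"default": bool(e.group(1)),
                "type": e.group(2), "name": e.group(3), "perms": perms})
    return objects

def holders(objects, flag, allowed=()):
    """(object, type, name) for non-default entries holding flag, minus allowed names."""
    return [(o["object"], a["type"], a["name"]) for o in objects for a in o["acl"]
            if not a["default"] and flag in a["perms"] and a["name"] not in allowed]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    trusted = {"DomainAdministrator", "InstanceAdministrator"}
    for hit in holders(parse_lsacl(text), "o", allowed=trusted):
        print("holds o:", *hit)
```

Piping the output of streamtool lsacl into the script lists every user or role, other than the two administrator roles, whose entry carries the o flag; lines that are not headers or ACL entries, such as the prompt and the ... markers, are ignored.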