Local User Management Example

This example describes how to manage local users for silos that use local_only for authentication.

Note
The Oxide Console doesn’t support local user creation and deletion at this time, so you must use the Oxide CLI or API to manage local users. The CLI commands shown below assume you have already installed the Oxide CLI and configured it to connect to your Oxide fleet.

Creating the First User

To create the first user in the silo, run the following Oxide CLI command. Replace $SILO_NAME in the command, and $loginName and $passwordValue in the user.json file, with your desired values.

oxide silo idp local user create --silo $SILO_NAME --json-body user.json

The user.json file should look like this:

{
  "external_id": "$loginName",
  "password": {
    "mode": "password",
    "value": "$passwordValue"
  }
}

Assign Administrator Role

Once the user is created, you’ll need to assign the administrator role to the user so that they can manage the silo and its resources. At least one user must have the administrator role to manage the silo, but there is no limit to the number of users that can have this role.

To do this, you’ll need to create a policy file that specifies the role assignments for the user. The policy file should be in JSON format and include the user ID of the user you just created. You can use the oxide silo idp local user list command to retrieve the user ID of the user you just created. The user ID will be in the format of a UUID, for example: $userUuid="123e4567-e89b-12d3-a456-426614174000".

After you create a policy.json file with the user ID you retrieved earlier, it should look like this:

{
  "role_assignments": [{
    "identity_id": "$userUuid",
    "identity_type": "silo_user",
    "role_name": "admin"
  }]
}

With that done, you can update the silo policy with the following command, replacing $SILO_NAME with the name of your silo.

oxide silo policy update --silo $SILO_NAME --json-body policy.json

At this point, the created user will have administrator access to the silo, allowing them to manage the new silo and its resources, including creating and managing users.

Subsequent User Creation

In order to create additional local users, you can use the same oxide silo idp local user create command as above, but you will need to create a new user.json file for each user. The external_id field should be unique for each user, and you can set the password field to the desired password for the user.

Assign Additional Roles

You can assign these users to roles in the same way as the first user, by creating a new policy file for each user or by updating the existing policy file to include the new user. Please see the Resource Management guide for more information on how to manage roles and permissions.

Note
If you want to assign the same user to multiple roles, you can do so by adding multiple entries to the role_assignments array in the policy file.
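The following Python helper is an added example, not part of the Oxide documentation or tooling: it adds an entry to the role_assignments array of an existing policy document and checks the result before you pass it to oxide silo policy update. The function names, the second UUID, and the "viewer" role name are assumptions made for illustration; the page itself only shows the "admin" role.

```python
import json
import uuid

# Constructed sample: the policy.json shown on this page, with its example UUID.
EXISTING_POLICY = {"role_assignments": [{
    "identity_id": "123e4567-e89b-12d3-a456-426614174000",
    "identity_type": "silo_user",
    "role_name": "admin",
}]}
KEYS = ("identity_id", "identity_type", "role_name")

def validate_policy(policy):
    """Return a list of problems in a policy document (empty list = OK)."""
    problems, seen = [], set()
    entries = policy.get("role_assignments", [])
    for i, entry in enumerate(entries):
        missing = [k for k in KEYS if k not in entry]
        if missing:
            problems.append(f"entry {i}: missing {missing}")
            continue
        try:
            uuid.UUID(str(entry["identity_id"]))
        except ValueError:
            problems.append(f"entry {i}: identity_id is not a UUID")
        key = tuple(entry[k] for k in KEYS)
        if key in seen:
            problems.append(f"entry {i}: duplicate assignment")
        seen.add(key)
    # The page requires at least one user to hold the administrator role.
    if not any(e.get("role_name") == "admin" for e in entries):
        problems.append("no admin assignment")
    return problems

def add_role_assignment(policy, identity_id, role_name, identity_type="silo_user"):
    """Return a new policy with the assignment added; the input is left unchanged."""
    entry = dict(zip(KEYS, (identity_id, identity_type, role_name)))
    entries = list(policy.get("role_assignments", []))
    if entry not in entries:  # re-adding the same user/role pair is a no-op
        entries.append(entry)
    updated = {"role_assignments": entries}
    problems = validate_policy(updated)
    if problems:
        raise ValueError("; ".join(problems))
    return updated

if __name__ == "__main__":
    new_user = "9b2f0c1e-5d3a-4e7b-8f6a-0c1d2e3f4a5b"  # constructed UUID
    # "viewer" is assumed here as a second role name; the page only shows "admin".
    print(json.dumps(add_role_assignment(EXISTING_POLICY, new_user, "viewer"), indent=2))
```

Redirect the printed JSON into policy.json and review it before running the policy update command.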

Grant Fleet-Wide Administrator Access

Once you have added the user to the administrator role, you can grant the user fleet-wide administrator access if you want them to manage the entire Oxide fleet. The command below uses the same policy.json file you created earlier to update the fleet-wide policy so that it includes the user as an administrator.

Note the difference in the command: oxide system policy update instead of oxide silo policy update. This is because the fleet-wide policy is managed at the fleet level, not the silo level.

oxide system policy update --json-body policy.json

With the content of the policy.json file being the same as before:

{
  "role_assignments": [{
    "identity_id": "$userUuid",
    "identity_type": "silo_user",
    "role_name": "admin"
  }]
}