CLI roles interface

[pwalczysko]

The work on Roles in OMERO 5.4.x series is giving the ability to create administrators with restricted privileges. On client side, this is mainly achieved using Web client.

On CLI, which is the topic of this issue, the questions arise about how to pass the 9 paramenters which can be seen in WebUI checkboxes through the command line.

The "landscape" of existing commands concering addition of new users on CLI is:

omero user -a add username firstname lastname [group [group ...]]

which will add the new user as an administrator.
The demand is to have the 9 parameters passed as false or true (with some defaults ?, as flags ?, as input questions later ?, with summary options ?, using a csv file ?)

Comments and guidelines most welcome.

See https://trello.com/c/iZeXX5FD/6-manage-admin-privileges-from-cli.

@mtbc @jburel @joshmoore @kennethgillen @will-moore @sbesson

[manics]

An example from the PostgreSQL createuser command:

$ createuser --help
  ...
  -d, --createdb            role can create new databases
  -D, --no-createdb         role cannot create databases (default)
  -i, --inherit             role inherits privileges of roles it is a member of (default)
  -I, --no-inherit          role does not inherit privileges
  -l, --login               role can login (default)
  -L, --no-login            role cannot login
  -r, --createrole          role can create new roles
  -R, --no-createrole       role cannot create roles (default)
  -s, --superuser           role will be superuser
  -S, --no-superuser        role will not be superuser (default)
  --replication             role can initiate replication
  --no-replication          role cannot initiate replication
  ...

Maybe something similar would work, though perhaps without the short (single-letter) options to avoid confusion- if there are a lot of options it's difficult to know what the single-letter options do.

[joshmoore]

The createuser model is certainly one that users of the CLI for administering OMERO & Postgres are likely to be familiar with. If we stick with the strings from https://github.com/openmicroscopy/openmicroscopy/blob/develop/components/model/resources/mappings/meta.ome.xml#L180 mapping "ModifyUser" to "modifyuser" (assuming we'll never only vary in capitalization) then some possible examples include:

• bin/omero user add = regular user
• bin/omero user add --admin = full admin
• bin/omero user add --modifyuser = light admin (implies --admin)
• bin/omero user add --no-modifyuser = light admin (also implies --admin)
• bin/omero user add --admin --no-sudo is also ok

[sbesson]

I would second @manics's thoughts about long options i.e. --<action>/--no-<action>. The main immediate issue in terms of names is that --sudo is already defined as a login argument so this could be turned into --can-<action>/--cannot-<action> if needed.

Also, assuming an user is created but the light admin permissions need to be modified, would we need a specific command to change the set of permissions or would it be down to obj update?