Host and user Commands about cyberark-conjur-cli HOT 14 CLOSED

@sgnn7 I really like this approach and would like to omit the options whenever possible, but there are commands which require options, like list or init, so the pattern is not always consistent.
Can we use the following general usage? conjur [global options] command [subcommand] [options...] [arguments...]

Here are a few possible use-cases:
conjur whoami - single command only
conjur --version - single global option only
conjur user rotate-api-key joe - command + subcommand + arg
conjur list --kind user --limit 4 - command + 2 options + 2 args (no subcommand for 'list')
conjur variable get secrets/mysecret - command + subcommand + arg

Actually, we can say that whenever we have a subcommand we can omit the use of options.
WDYT?

from cyberark-conjur-cli.

@InbalZilberman Some links on this:

• https://git-scm.com/docs/git-remote - You can see how git here uses the mandatory params as positional args
• A stack overflow question I found on this has a good conversation about it: https://softwareengineering.stackexchange.com/questions/366218/positional-arguments-vs-options-in-a-command-line-interface

from cyberark-conjur-cli.

Changed conjur user change-password to not include -p and be only on logged in user.
Also, added user messages

from cyberark-conjur-cli.

@InbalZilberman @eladkug just a note that the secrets need to meet the following Conjur criteria

Choose a password that includes: 12-128 characters, 2 uppercase letters, 2 lowercase letters, 1 digit and 1 special character"

from cyberark-conjur-cli.

@sharonr78 for conjur user change-password -p new_pass I imagine we will need some sort of Success! Password has been changed response b/c currently in Ruby CLI, there is no such message. Just the following experience:

conjur user update_password sigal@usrsig
Enter the password (it will not be echoed):
Confirm the password:

@InbalZilberman Currently in the Ruby CLI, the -p / --password doesn't work (even though we offer that option in our --help. In the Ruby CLI, regardless if we do or don't the following message is displayed:

Enter the password (it will not be echoed):
Confirm the password:

I imagine we ignore the -p / --password because maybe we require that the user confirm their password twice so maybe it was purposeful?

from cyberark-conjur-cli.

@sharonr78 for conjur user change-password -p new_pass I imagine we will need some sort of Success! Password has been changed response b/c currently in Ruby CLI, there is no such message. Just the following experience:

conjur user update_password sigal@usrsig
Enter the password (it will not be echoed):
Confirm the password:

I totally agree. We should aim to provide such feedback messages whenever possible.
Let's use this message (according to our microcopy's voice and tone): Success! Password was changed

from cyberark-conjur-cli.

@InbalZilberman Following the password change feedback message, we should also have it for key rotation, as it's not enough to show the new key. I suggest to show the output message, like so:
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur host rotate-api-key <host_id>
Success! API key was rotated. New key: 3k7k0vb2sf2emjjcphtx14jfvrbbfn8vm3t79mnz19tk2252dsz9wf

from cyberark-conjur-cli.

If we are really going for a consistent experience in the CLI, we need to stick to the same pattern for all commands:

conjur <action> <option1> <option2> ...

I would also discourage use of optional arguments when the parameter is not optional (e.g. conjur user change-password -p new_pass). Password here is not optional and as such doesn't need a flag and should be a positional arg.

If we do these two things, the more appropriate forms of these commands would look a bit different:

conjur rotate-api-key                             # Rotates own key
conjur rotate-api-key host <host_id>             # Rotates a host's key
conjur rotate-api-key user <host_id>              # Rotates a user's key
conjur update-password                            # Updates own password
conjur update-password user <username> <password> # Update user's password

from cyberark-conjur-cli.

I like this approach. In my mind options (--) are for consolidating information and screening out the information you don't need. I think the best example of this would be with list where we have the option to add restrict or throw out the information we don't need.
For example with list --limit 4, we are screening out all the noise and just want 4 entries to be returned

In short, I think options should be reserved for screening out info and not providing info (like secret for example)

from cyberark-conjur-cli.

@sgnn7 I do like
conjur rotate-api-key # Rotates own key
But i think we can change
conjur rotate-api-key host <host_id>
into one simple
conjur rotate-api-key <resource_id>
WDYT?

Yet for update-password this option makes a lot of sense
conjur update-password # Updates own password
but this one
conjur update-password user <username> <password> # Update user's password
not so much :(
The sentence is broken I do think
conjur update-password -u <user> -p <password> # Update user's password
is clearer. WDYT?

from cyberark-conjur-cli.

@InbalZilberman The problem with conjur update-password -u <user> -p <password> is that it implies that both values are optional and unconnected to each other to where something like this might be allowed: conjur update-password -u <user>. By using positional arguments (conjur update-password alice "alicepassword"), you ensure that when a user is specified, you must also have a password associated with it.

from cyberark-conjur-cli.

into one simple
conjur rotate-api-key <resource_id>
WDYT?

I like this idea but we need to understand the kind somehow since our REST looks like: /authn/{account}/api_key?role={kind}:{identifier}

conjur update-password user <username> <password>

@InbalZilberman where do you see the ability to update-password for other users? In our REST API for changing passwords I don't see the option of updating another user's password but the current logged-in one. See here

From my understanding you can only rotate_api_key on yourself and on someone else but changing the password can only be yours and not someone else's

from cyberark-conjur-cli.

@InbalZilberman please see my comments below:

1. Link to host command help: https://ljfz3b.axshare.com/#id=wsk7ud&p=conjur_help__host&g=1
2. Link to user command help: https://ljfz3b.axshare.com/#id=mzfbsw&p=conjur_help__user&g=1
3. Examples of both commands:

conjur user rotate-api-key (rotates the API key for the logged-in user)
conjur user rotate-api-key admin (rotates the API key for the admin user)

conjur user change-password Myp@ssw0rd! (changes the password for the logged-in user to Myp@ssw0rd!)
conjur host rotate-api-key <host_id> (rotates the API key for <host_id>)

An example of success messages:
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur user change-password Myp@ssw0rd!
Success! password was changed.

from cyberark-conjur-cli.

@InbalZilberman please update the link to the host help command to this: https://ljfz3b.axshare.com/#id=wsk7ud&p=conjur_help__host&g=1

from cyberark-conjur-cli.