user query


This command queries providers and the user database for a user entry. A provider query can be aggregated across providers to yield a merged result, or it can be provider-specific. See Querying Users for more information.

You can also use this command to:

  • Attach S3 identity policies to users or remove S3 identity policies from users, and

  • Grant or remove create bucket, delete bucket and super user permissions for users on external providers.

Note

Permission allowed or denied by identity policies to create or delete buckets overrides explicit create bucket and delete bucket permission settings.

Note

To grant or remove the explicit create bucket, delete bucket and super user permissions for local provider users, use the user modify command.

Usage for Retrieving a User Entry
user query {--uid UID | --username USERNAME | --login-name LOGINNAME | --sid SID}
           [--context local|udb|ad|ldap|nis|aggregated]
           [--tenant-id ID]
Usage for Setting S3 Permissions
user query {--uid UID | --username USERNAME | --login-name LOGINNAME | --sid SID}
           [--allow-create-bucket|--disallow-create-bucket]
           [--allow-delete-bucket|--disallow-delete-bucket]
           [--s3-superuser|--not-s3-superuser]
           [--identity-policies-ids [IDs]]
           [--tenant-id ID]
Required Parameters

--uid UID

Identifies a user by POSIX (NFS) UID number.

--username USERNAME

Identifies a user by user name.

--login-name LOGINNAME

Identifies a user by login name.

--sid SID

Identifies a user by Security Identifier (SID).

Options

--context local|udb|ad|ldap|nis|aggregated

Specify one of the following contexts:

  • local. Restricts the search to local provider users.

  • udb. Searches the UDB for the user. The output in this case includes the VAST ID (VID) for the user, which can be used when specifying a grantee in S3 ACLs.

  • aggregated (default). Searches all providers and returns a merged user entry. In case of conflicts between providers, attributes are resolved according to the following rules:

    • In case of conflict between local and non local providers, the local provider's attributes override those of the other providers.

    • In case of conflicting POSIX attributes on external providers, the POSIX primary provider overrules the other external provider.

    • Users are merged if their match user attributes match. The match user attribute is configurable in that you can set which attribute on the POSIX primary provider is used to match the users.

    • All groups found for the user on all providers with distinct group names are treated as distinct groups to which the user belongs. Groups are merged if they match according to a non-configurable group name attribute.

  • ad, nis or ldap. Searches the specific provider only. (Each of these options appears only if a provider of that type is connected to the cluster.)
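The four aggregation rules above, worked through as an added Python model (written for this page, not VAST's implementation). It assumes each provider's entry is a plain dict, that the local provider is literally named "local", and that the POSIX primary provider is passed in by name; the sample entries in aggregate_sample are constructed.

```python
EMPTY = -1  # the CLI shows -1 where a provider returned an empty string

def _norm(value):
    """Map an empty string to -1, mirroring the query output convention."""
    return EMPTY if value == "" else value

def merge_user_entries(entries, posix_primary, match_attr="uid"):
    """Model of the documented aggregation rules (constructed, not VAST's code).

    entries: {provider: {attr: value, ..., "groups": [group names]}}
    posix_primary: the external provider that wins POSIX attribute conflicts
    match_attr: attribute on the POSIX primary used to decide which entries
                describe the same user (rule 3)
    """
    # Rule 3: only entries whose match attribute agrees with the POSIX primary
    # are merged; anything else is a different user and is dropped.
    ref = entries[posix_primary][match_attr]
    matched = {p: e for p, e in entries.items() if e.get(match_attr) == ref}

    def rank(provider):  # rules 1-2: local > POSIX primary > other externals
        return 0 if provider == "local" else 1 if provider == posix_primary else 2

    merged, origins, groups = {}, {}, {}
    for provider in sorted(matched, key=rank):
        for attr, value in matched[provider].items():
            if attr == "groups":
                # Rule 4: groups are unioned and merged only on identical name.
                for name in value:
                    groups.setdefault(name, provider)
            elif attr not in merged:  # first provider in precedence order wins
                merged[attr] = _norm(value)
                origins[attr] = provider
    merged["groups"] = sorted(groups)
    merged["group_count"] = len(groups)
    origins["groups"] = [groups[name] for name in merged["groups"]]
    merged["origins"] = origins
    return merged

def aggregate_sample():
    """Constructed per-provider entries for one user, LDAP as POSIX primary."""
    entries = {
        "local": {"uid": 1000, "name": "test-user-1000", "groups": ["staff"]},
        "LDAP": {"uid": 1000, "name": "ldap-user-1000", "leading_group_gid": 10000,
                 "leading_group_name": "", "groups": ["staff", "devs"]},
        "AD": {"uid": 1000, "sid": "S-1-5-21-1-2-3-1001",  # constructed SID
               "leading_group_gid": 20000, "groups": ["Domain Users"]},
        "NIS": {"uid": 2000, "name": "someone-else", "groups": ["other"]},
    }
    return merge_user_entries(entries, posix_primary="LDAP")
```

The returned origins dict plays the role of the origins row in the command output, recording which provider supplied each attribute and each group.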

--allow-create-bucket

Allows the user to create buckets when connecting to the cluster via S3.

--disallow-create-bucket

Prohibits the user from creating buckets when connecting to the cluster via S3.

--allow-delete-bucket

Allows the user to delete buckets when connecting to the cluster via S3.

--disallow-delete-bucket

Prohibits the user from deleting buckets when connecting to the cluster via S3.

--s3-superuser

Grants the user S3 super user permission, which enables the user to override S3 ACLs.

--not-s3-superuser

Removes S3 super user permission from the user.

--identity-policies-ids [IDs]

Assigns one or more S3 identity policies to the user.

Specify IDs as a comma-separated list of S3 identity policy IDs.

Each time you run the command with this option, the list overrides the entire previous list of S3 identity policies that were attached to the user. To remove a policy from a user, specify a list that does not include the policy you wish to remove. To remove all policies from the user, do not specify a list of IDs.

--tenant-id ID

Specify the ID of the tenant with which the user is associated.

Example
vcli: admin> user query --uid 1000
+---------------------+------------------------------------------------------------------------+
| uid                 | 1000 (LDAP)                                                            |
| sid                 |                                                                        |
| leading_group       | {'gid': 10000, 'sid': -1, 'name': -1} (LDAP)                           |
| leading_group_name  | -1                                                                     |
| leading_group_gid   | 10000                                                                  |
| primary_group_name  | -1                                                                     |
| primary_group_sid   | -1                                                                     |
| name                | test-user-1000 (LDAP)                                                  |
| login_name          | test-user-1000                                                         |
| historical_sids     | []                                                                     |
| groups              | [] ([])                                                                |
| group_count         | 0                                                                      |
| allow_create_bucket | True                                                                   |
| allow_delete_bucket | True                                                                   |
| s3_superuser        | False                                                                  |
| s3_policies         | []                                                                     |
| s3_policies_ids     | []                                                                     |
| s3_remote_policies  | []                                                                     |
| access_keys         | []                                                                     |
| origins             | {'uid': 'LDAP', 'leading_group': 'LDAP', 'name': 'LDAP', 'groups': []} |
| user_qos_policies   | []                                                                     |
| quotas              | []                                                                     |
| s3_vid              | None                                                                   |
+---------------------+------------------------------------------------------------------------+

In the command output:

  • The provider from which an attribute was retrieved is indicated in parentheses after the value (for example, (LDAP) in the output above).

  • leading group is the POSIX attribute for the user's group(s); a leading group is identified by its group ID (GID).

  • primary group is an Active Directory group identified by its security identifier (SID).

  • -1 is returned for fields where an empty string was retrieved from the provider.