Users and Registration

There are two classes of Workflow users: normal users and administrators.

  • Users can use most of the features of Workflow - creating and deploying applications, adding/removing domains, etc.
  • Administrators can perform all the actions that users can, but they also have owner access to all applications.

The first user created on a Workflow installation is automatically an administrator.

Register with a Controller

Use drycc register with the Controller URL (supplied by your Drycc administrator) to create a new account. After successful registration you will be logged in as the new user.

$ drycc register
username: myuser
password (confirm):
Registered myuser
Logged in as myuser


The first user to register with Drycc Workflow automatically becomes an administrator. Additional users who register will be ordinary users.

Login to Workflow

If you already have an account, use drycc login to authenticate against the Drycc Workflow API.

$ drycc login
username: drycc
Logged in as drycc

Logout from Workflow

Logout of an existing controller session using drycc logout.

$ drycc logout
Logged out as drycc

Verify Your Session

You can verify your client configuration by running drycc whoami.

$ drycc whoami
You are drycc at


Session and client configuration is stored in the ~/.drycc/client.json file.

Registering New Users

By default, new users are not allowed to register after an initial user does. That initial user becomes the first "admin" user. Others will now receive an error when trying to register, but when logged in, an admin user can register new users:

$ drycc register --login=false --username=newuser --password=changeme123

Controlling Registration Modes

After creating your first user, you may wish to change the registration mode for Drycc Workflow.

Drycc Workflow supports three registration modes:

Mode Description
admin_only (default) Only existing admins may register new users
enabled Registration is enabled and anyone can register
disabled Does not allow anyone to register new users.

To modify the registration mode for Workflow you may add or modify the REGISTRATION_MODE environment variable for the controller component. If Drycc Workflow is already running, use:

kubectl --namespace=drycc patch deployments drycc-controller -p '{"spec":{"template":{"spec":{"containers":[{"name":"drycc-controller","env":[{"name":"REGISTRATION_MODE","value":"disabled"}]}]}}}}'

Modify the value portion to match the desired mode.

Kubernetes will automatically deploy a new ReplicaSet and corresponding Pod with the new environment variables set.

Managing Administrative Permissions

You can use the drycc perms command to promote a user to an admin:

$ drycc perms:create john --admin
Adding john to system administrators... done

View current admins:

$ drycc perms:list --admin
=== Administrators

Demote admins to normal users:

$ drycc perms:delete john --admin
Removing john from system administrators... done

Re-issuing User Authentication Tokens

The controller API uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients. Each user of the platform is issued a token the first time that they sign up on the platform. If this token is compromised, it will need to be regenerated.

A user can regenerate their own token like this:

$ drycc auth:regenerate

An administrator can also regenerate the token of another user like this:

$ drycc auth:regenerate -u test-user

At this point, the user will no longer be able to authenticate against the controller with his auth token:

$ drycc apps
Invalid token

They will need to log back in to use their new auth token.

If there is a cluster wide security breach, an administrator can regenerate everybody's auth token like this:

$ drycc auth:regenerate --all=true

Changing Account Password

A user can change their own account's password like this:

$ drycc auth:passwd
current password:
new password:
new password (confirm):

An administrator can change the password of another user's account like this:

$ drycc auth:passwd --username=<username>
new password:
new password (confirm):