jitsudo server
Control plane management commands for administering a running jitsudod instance.
Synopsis
Section titled “Synopsis”jitsudo server <subcommand> [flags]Subcommands
Section titled “Subcommands”| Subcommand | Description |
|---|---|
status | Check control plane health |
version | Print server version and API compatibility |
reload-policies | Trigger the OPA engine to reload policies from the database |
Admin Bootstrap
Section titled “Admin Bootstrap”After running jitsudod init, the next step is enrolling the first administrator. The jitsudo-admins group controls access to privileged control plane operations — most importantly, assigning principal trust tiers via the SetPrincipalTrustTier API.
How jitsudo-admins works
Section titled “How jitsudo-admins works”jitsudo-admins is not a database concept — it is an IdP group, resolved from the groups claim in the OIDC token at request time. Like any group in jitsudo policies, membership is managed in your identity provider.
Day-one enrollment
Section titled “Day-one enrollment”- In your IdP, create a group named
jitsudo-admins(exact name must match what is checked by the server). - Add the first administrator’s account to that group.
- The administrator logs in with
jitsudo login— their token will now includejitsudo-adminsin the groups claim. - The administrator can now call
SetPrincipalTrustTierto assign trust tiers to other principals:
# Assign trust tier 3 to a senior SRE (admin only)curl -X PUT https://jitsudod:8080/api/v1alpha1/principals/alice@example.com/trust-tier \ -H "Authorization: Bearer $TOKEN" \ -d '{"trust_tier": 3}'Ongoing membership management
Section titled “Ongoing membership management”Add and remove members from jitsudo-admins in your IdP using the same process as any other group. Changes take effect at the next token issuance (typically within minutes, depending on your IdP’s token lifetime).
Audit jitsudo-admins membership regularly. Treat it as a Tier 0 group — the same level of scrutiny as your cloud IAM admin roles.
Recovery: all admins offboarded
Section titled “Recovery: all admins offboarded”If every member of jitsudo-admins has left the organization:
- In your IdP, add a recovery identity (a break-glass admin account or a new employee) to the
jitsudo-adminsgroup. - Authenticate as that identity:
jitsudo login. - Re-enroll other administrators and re-assign trust tiers as needed.
The recovery path does not require database access or server restart — it is purely an IdP group membership change.
See Approval Model — Principal Trust Tiers for trust tier values and their effect on approval routing.
status
Section titled “status”Check the health of a running jitsudod instance by polling its health endpoints.
jitsudo server status [--server-url <url>]Flags:
| Flag | Default | Description |
|---|---|---|
--server-url <url> | http://localhost:8080 | jitsudod HTTP base URL |
Output:
Component Status Detail--------- ------ ------liveness UP jitsudod is runningreadiness UP database connection okversion UP 0.1.0 (API: v1alpha1)Exit code: Non-zero if any health check fails.
version
Section titled “version”Print the server version and supported API versions.
jitsudo server version [--server-url <url>]Flags:
| Flag | Default | Description |
|---|---|---|
--server-url <url> | http://localhost:8080 | jitsudod HTTP base URL |
Output:
Server version: 0.1.0API version: v1alpha1reload-policies
Section titled “reload-policies”Trigger the embedded OPA policy engine to reload all enabled policies from the database. Use this after applying policy changes if you don’t want to wait for the automatic reload interval.
jitsudo server reload-policiesOutput:
Policy engine reloaded. Active policies: 3This command uses the gRPC API and requires the caller to be authenticated.
Global Flags
Section titled “Global Flags”All jitsudo server subcommands accept these global flags:
| Flag | Default | Description |
|---|---|---|
--server <url> | Stored credentials | Control plane gRPC URL (for subcommands that use the API) |
--token <token> | Stored credentials | Bearer token override |
-q, --quiet | false | Suppress non-essential output |
--debug | false | Enable debug logging |
Related
Section titled “Related”jitsudod init— bootstrap command- Single-Server Deployment guide — using
jitsudod initto bootstrap a production server - Server Configuration reference — full config file reference