(#11806) add f5_user support #73

Merged
merged 13 commits into from Feb 27, 2013


bernardn commented Jan 5, 2012

Add support for f5_user resource:

f5_user { 'username':
  ensure          => 'present',
  fullname        => 'Full Name of User',
  user_permission => { '[All]' => 'USER_ROLE_ADMINISTRATOR' },
  login_shell     => '/bin/bash',
}

Contributor

nanliu commented Jan 5, 2012

Thanks for the pull request. Would you be able to open a ticket under F5 category and sign the CLA?
http://projects.puppetlabs.com/projects/modules/issues

@@ -0,0 +1,99 @@
+require 'puppet/provider/f5'
+
+Puppet::Type.type(:f5_user).provide(:f5_user_10, :parent => Puppet::Provider::F5) do
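Review bot: the provider name `f5_user_10` on the `provide` line encodes a device version, but these lines carry no `desc` or comment saying which iControl releases the provider is meant for. State the minimum supported version next to the `provide` call so that someone selecting a provider by hand knows what it requires.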
@nanliu

nanliu Jan 5, 2012

Contributor

Is this limited to iControl v10? or is there a particular reason for f5_user_10?

I see create_user_3 is an API limited to v10.1

@bernardn

bernardn Jan 6, 2012

You're right, this provider is limited to 10.1 and greater due to the use of create_user_3. I also wrote an f5_user_9 provider that uses create_user_2 but I have to make things consistent regarding user_id and group_id, which are forced by the BigIP (mine is 10.2).
Furthermore, auto-selecting the right provider based on the device version relies on facts which are not available at first run.

+ result
+ end
+ def user_permission=(value)
+ # Updating user permissions doesn't work as expected. get_user_permission returns correctly the new values but there aren't effective (10.1.0 & 10.2.0). A ticket has been open by F5.
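Review bot: the comment on `user_permission=` records that the update is not effective on 10.1.0 and 10.2.0 even though get_user_permission returns the new values, so a setter that returns normally lets Puppet report a role change the device is not enforcing. Make the setter warn or fail on those versions, or read the role back after the call, and add the vendor ticket reference to the comment once there is one.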
@nanliu

nanliu Jan 5, 2012

Contributor

Is there a ticket number or link that this issue can be tracked under?

@bernardn

bernardn Jan 6, 2012

Unfortunately not, because F5 support is limited to licensees. If you're interested, I'll post the steps to reproduce the problem.

@bernardn

bernardn Feb 7, 2012

Hi Nan. Please find the issue description as I sent it to F5.

The set_user_permission method doesn't update the functional user role although the DevCentral documentation states that the set_role method is deprecated and we should use set_user_permission instead.

Can the problem be reproduced? Yes

Details on how to reproduce issue:

  1. Create some user with create_user_3 method using e.g. USER_ROLE_TRAFFIC_MANAGER for all partitions ([All])
    => the user is correctly created with the correct permissions
  2. Modify the permissions using the set_user_permission method using USER_ROLE_ADMINISTRATOR
    => get_user_permission returns the new values, but the get_role method doesn't
  3. Set the login shell to /bin/bash
    => Fails with error 'Access denied - Administrators Only: ...' meaning that the new permissions aren't effective

What troubleshooting steps have you taken for the issue you are reporting?
Ruby irb commands and output:

irb(main):076:0> prdbip = F5::IControl.new('my.bigip.address', 'admin','********', 'Management.UserManagement').get_interfaces
=> {"Management.UserManagement"=>#SOAP::RPC::Driver:#SOAP::RPC::Proxy:https://127.0.0.1//icontrol/icontrolportal.cgi}

irb(main):078:0> prdbip['Management.UserManagement'].create_user_3([ { :user => { :name => 'bnauwelaerts01', :full_name => 'Bernard Nauwelaerts' }, :password => { :password => '******', :is_encrypted => false }, :permissions => [{:role=>'USER_ROLE_TRAFFIC_MANAGER',:partition=>'[All]'}] } ])
=> nil

irb(main):079:0> up = prdbip['Management.UserManagement'].get_user_permission('bnauwelaerts01')
=> [[#<SOAP::Mapping::Object:0x..fdb683f7a {}role="USER_ROLE_TRAFFIC_MANAGER" {}partition="[All]">]]

irb(main):080:0> up = prdbip['Management.UserManagement'].get_role('bnauwelaerts01')
=> ["USER_ROLE_TRAFFIC_MANAGER"]

irb(main):081:0> prdbip['Management.UserManagement'].set_user_permission(['bnauwelaerts01'],[[{:role=>'USER_ROLE_ADMINISTRATOR', :partition=>'[All]'}]])
=> nil

irb(main):082:0> up = prdbip['Management.UserManagement'].get_user_permission('bnauwelaerts01')
=> [[#<SOAP::Mapping::Object:0x..fdb649a6e {}role="USER_ROLE_ADMINISTRATOR" {}partition="[All]">]]

irb(main):083:0> up = prdbip['Management.UserManagement'].get_role('bnauwelaerts01')
=> ["USER_ROLE_TRAFFIC_MANAGER"]

irb(main):088:0> prdbip['Management.UserManagement'].set_login_shell(['bnauwelaerts01'],['/bin/bash'])
SOAP::FaultError: Exception caught in Management::urn:iControl:Management/UserManagement::set_login_shell()
Exception: Common::OperationFailed
primary_error_code : 17238053 (0x01070825)
secondary_error_code : 0
error_string : 01070825:3: Access denied - Administrators only: Custom shells are only available to administrators not bnauwelaerts01.
from

Additional Comments?
using the set_role method works but is deprecated and belongs only to the current partition

@bernardn

bernardn Feb 7, 2012

Here is F5's answer:

This functionality is associated to an internal Change Request: ID227274 Deprecate the get_role and set_role methods in the Management/UserManagement interface. (CR84297) The change was completed in V11. In that version the functions work as expected. In version 10.x the change was not completely implemented and because of that is not working.
In v10.x branch you should use get_role and set_role methods.
Unfortunately, the documentation on devcentral is not accurate.
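
The failure mode reported above (set_user_permission is echoed back by get_user_permission on 10.x while get_role, and the device, keep the old role) can be caught by reading the effective role back after every change. The following is an added example, not code from this pull request or from the module: the stub class, `apply_role_verified` and `RoleNotEffective` are hypothetical names, the sample user is constructed, and only the three iControl method names and their argument shapes are taken from the irb session. The stub returns plain hashes where the real interface returns SOAP mapping objects.

```ruby
# Constructed stand-in for Management.UserManagement on 10.x: the new
# permission is recorded and echoed back, but the enforced role never changes.
class StubUserManagementV10
  def initialize
    @declared  = {} # what get_user_permission reports
    @effective = {} # what get_role reports and the device enforces
  end

  # Test helper (hypothetical): create a user with a working initial role.
  def seed(name, role, partition = '[All]')
    @declared[name]  = [{ :role => role, :partition => partition }]
    @effective[name] = role
  end

  def set_user_permission(names, permissions)
    names.each_with_index { |n, i| @declared[n] = permissions[i] }
    nil
  end

  def get_user_permission(name)
    [@declared.fetch(name)]
  end

  def get_role(name)
    [@effective.fetch(name)]
  end
end

class RoleNotEffective < StandardError; end

# Apply a role, then confirm the device enforces it instead of trusting
# the value echoed back by get_user_permission.
def apply_role_verified(iface, name, role, partition = '[All]')
  iface.set_user_permission([name], [[{ :role => role, :partition => partition }]])
  declared  = iface.get_user_permission(name).flatten.map { |p| p[:role] }
  effective = iface.get_role(name)
  unless declared.include?(role) && effective.include?(role)
    raise RoleNotEffective,
          "#{name}: declared=#{declared.inspect} effective=#{effective.inspect}"
  end
  effective
end
```

A configuration run that raises here fails visibly instead of recording a privilege change that never took effect.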

lib/puppet/type/f5_user.rb
+ end
+
+
+ newproperty(:home_directory) do
@nanliu

nanliu Jan 5, 2012

Contributor

Since v10 doesn't support configuring home_directory, should we even support this?

@bernardn

bernardn Jan 6, 2012

You're right, I forgot to remove it before committing.

+ desc "The full name for the specified user."
+ end
+
+ newproperty(:password) do
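Review bot: `newproperty(:password)` is declared as an ordinary property, and unless the block overrides them, Puppet writes a property's current and desired values into its change messages and reports. Override `change_to_s`, `is_to_s` and `should_to_s` in this block so the password value is never logged.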
@nanliu

nanliu Jan 5, 2012

Contributor

Should we give the option for users to decide whether to use crypted or clear text password?

Also seems to be missing password, password= implemented in the provider. Is it currently implementing the password one time on creation?

@bernardn

bernardn Jan 6, 2012

Yes, we should, and it is.
The next version will include these capabilities.

Contributor

nanliu commented Jan 5, 2012

Looks like a great first pass, I'm in the process of adding spec test for type validation (provider is a bit more complicated), and I'll be happy to collaborate on this.

bernardn commented Jan 6, 2012

Thanks for reviewing!

The CLA has been signed and the ticket has been created. Here is the ticket URL: https://projects.puppetlabs.com/issues/11806

+ end
+ Puppet.debug("Puppet::Provider::F5_User: does F5 user #{resource[:name]} exist ? #{r}")
+ r
+ end
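Review bot: the return value `r` can only be identified from the debug string on the line above it. Rename it to something like `exists`, and drop the space before the `?` in the message.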
@nanliu

nanliu Jan 18, 2012

Contributor

Would it be more effective to do this?

users = transport[wsdl].get_list.collect { |u| u.name }
users.include?(resource[:name])

@bernardn

bernardn Jan 19, 2012

What do you mean by "effective"? CPU time? Memory usage? Number of lines of code?

Contributor

nanliu commented Jan 18, 2012

So I've opened a separate pull request to give an example for writing some spec tests. I would like to have all the pull requests squashed into a single commit and I know at the moment we don't have great spec coverage, but I'd like to at least provide type spec tests and add in provider spec tests once we have a good way to collect and stub all the soap data. Here's the pull with the spec example:

#81

jamtur01 added a commit that referenced this pull request Feb 27, 2013

Merge pull request #73 from bernardn/f5_user
(#11806) add f5_user support

@jamtur01 jamtur01 merged commit c627250 into puppetlabs:master Feb 27, 2013
