Add User Management Resources #983
Conversation
wsquan171
force-pushed
the
user-mgmt
branch
2 times, most recently
from
07f5f85 to
19f5dca
Compare
nsxt/resource_nsxt_node_user.go
Outdated
|
|
||
| user, err := client.Createuser(userProp) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to create Nsxt Node user: %s", err.Error()) |
There was a problem hiding this comment.
Please use handleCreateError here for consistency, same below
nsxt/resource_nsxt_node_user.go
Outdated
| } | ||
| user, err := client.Get(id) | ||
| if err != nil { | ||
| if isNotFoundError(err) { |
There was a problem hiding this comment.
This behavior is covered with handleReadError
|
We have policy API for roles, but not for users? |
wsquan171
force-pushed
the
user-mgmt
branch
3 times, most recently
from
f34d2f9 to
a7507d2
Compare
|
@wsquan171, you must sign every commit in this pull request acknowledging our Developer Certificate of Origin before your changes are merged. This can be done by adding
|
wsquan171
force-pushed
the
user-mgmt
branch
from
371af4d to
2701eff
Compare
wsquan171
force-pushed
the
user-mgmt
branch
2 times, most recently
from
5dd38fe to
a8e5802
Compare
Unfortunately, yes. Local (node) users are only supported with management API. |
wsquan171
force-pushed
the
user-mgmt
branch
from
a8e5802 to
072b2e0
Compare
|
/test-all |
1 similar comment
|
/test-all |
wsquan171
force-pushed
the
user-mgmt
branch
from
072b2e0 to
b404774
Compare
|
/test-all |
nsxt/resource_nsxt_node_user.go
Outdated
|
|
||
| r := regexp.MustCompile("^[a-zA-Z][a-zA-Z0-9@-_.\\-]*$") | ||
| if ok := r.MatchString(v); !ok { | ||
| es = append(es, fmt.Errorf("must be a valid username matching: ^[a-zA-Z][a-zA-Z0-9@-_.\\-]*$")) |
There was a problem hiding this comment.
I don't think we should expect users to understand regex..
There was a problem hiding this comment.
removed regex from the error message.
| return handleReadError(d, "User", id, err) | ||
| } | ||
|
|
||
| // Password not return on GET |
There was a problem hiding this comment.
Would there be a non-empty diff after apply since password is not set in state?
There was a problem hiding this comment.
Per terraform dev guide:
If the Update callback returns with or without an error, the full state is saved. If the ID becomes blank, the resource is destroyed (even within an update, though this shouldn't happen except in error scenarios).
Verified that by changing only the password, terraform plan returns empty action plan after the initial apply, and reports:
No changes. Your infrastructure matches the configuration.
There was a problem hiding this comment.
Thanks for verifying. Since password is not nested attribute, no problem indeed.
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
Signed-off-by: Shawn Wang <[email protected]>
|
/test-all |
1 similar comment
|
/test-all |
| // A second deletion attempt should be deemed as NotFound, which is then treated as successful. | ||
| var err error | ||
| for i := 0; i < 2; i++ { | ||
| err = client.Delete(id) |
There was a problem hiding this comment.
does the first delete always return error?
There was a problem hiding this comment.
Essentially, the first DELETE call actually went through, with HTTP status 200. It's just the returned HTTP header content-type: text/html; charset=UTF-8 would always trigger sdk to report it back as internal server error, and such error type casting made checking status code very difficult on our end.
The second call will make NSX return 404, which is ignored on delete calls.
This issue still exists on NSX 4.1.2 rtqa.
| }, | ||
|
|
||
| Schema: map[string]*schema.Schema{ | ||
| "display_name": getDataSourceDisplayNameSchema(), |
There was a problem hiding this comment.
is there a reason we don't allow controlling nsx_id here and in the other policy resource?
There was a problem hiding this comment.
For roles, role (role identifier) is used as the uuid in NSX, thus no other nsx_id is needed / supported.
For bindings, NSX does not allow providing an ID on create. It's a POST call under .../role-bindings URL, and the id can only be determined by NSX.
nsxt/resource_nsxt_policy_role.go
Outdated
| } | ||
| } | ||
|
|
||
| func policyUserManagementRolePatch(id string, d *schema.ResourceData, m interface{}) error { |
There was a problem hiding this comment.
Since the actual API call is Update and not Patch, I would suggest to change function name to improve readability
| Schema: map[string]*schema.Schema{ | ||
| "display_name": getDataSourceDisplayNameSchema(), | ||
| "description": getDataSourceDescriptionSchema(), | ||
| "revision": getRevisionSchema(), |
There was a problem hiding this comment.
I'm guessing path is not exposed in this API as well?
There was a problem hiding this comment.
Yes. Neither role or role bindings exports policy path.
Signed-off-by: Shawn Wang <[email protected]>
|
/test-all |
|
Thanks Shawn! |
|
/test-all |
This PR adds the following 3 resources related to user management:
/api/v1/node/users)policy/api/v1/aaa/roles)policy/api/v1/aaa/role-bindings)Users
api/v1/node/users/{userid}/ssh-keys) and auth policy (/api/v1/node/aaa/auth-policy) not includedRoles
Role Bindings
pathof a set of roles from a binding, the path needs to be marked for delete in thePUTcall, with non-empty role in the list. A random role is picked from old state for the call to make NSX API validation pass.NSXT_TEST_LDAP_USERto be set to a valid LDAP user, and NSX is enabled with LDAP identity source.Partially resolve #943