OpenVPN / puppet-openvpnas

Puppet module for managing the OpenVPN Access Server
BSD 2-Clause "Simplified" License

Improved user management #6

Closed raybellis closed 4 months ago

raybellis commented 4 months ago

This PR creates a new openvpnas_user resource type, primarily to expose the UserPropDelAll API call to allow puppet to remove users from OpenVPN AS, which is not otherwise possible with the openvpnas_userprop resource.

This addresses #1. The code works, but it's my first attempt to create a puppet type so it's possible that I've omitted some stuff.

raybellis commented 4 months ago

BTW, with this PR I think it might be worth removing <user>-type from the list of openvpnas_userprop properties that can actually be managed by Puppet.

Puppet cannot actually change these values, since OpenVPN AS automagically sets the value to user_connect or user_compile as necessary, and prohibits deletion of the <user>-type property (Puppet tries, but fails). This was why I needed to create the openvpnas_user resource type in the first place.

sahaqaa commented 4 months ago

Hello, thank you for opening the PR, I will take a look approx. Monday-Tuesday next week.

sahaqaa commented 4 months ago

@raybellis could you please provide additional details:

I would like to know more context on how this can be used and what problem it solves.

For example when SAML is used, as well as LDAP, when a user signs in to AS, a user account inside AS is created automatically. So for SAML and LDAP use cases creation of users is usually not needed.

Am I right that you want to use "local" Access Server user profiles (that are created inside AS)? How many users are you planning to manage?

raybellis commented 4 months ago

The primary issue I was trying to resolve is that with the current version of this module it is impossible to delete a user from OpenVPN AS using Puppet resources, since that requires use of the UserPropDelAll call.

With the modified module I can now do:

    openvpnas_user { 'ray':
      ensure => absent
    }

Similarly creating a user just requires:

    openvpnas_user { 'testuser': }

without manipulating any user-specific properties.

(I guess I could have written a Puppet exec resource to directly call sacli to perform removals, but this is a more canonically Puppet way of managing users)
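As an added illustration (not the PR's own code) of how an openvpnas_user provider could wrap the sacli calls described above: an existence check via UserPropGet, creation via UserPropPut, removal via UserPropDelAll, plus a guard that refuses to manage the type property. The sacli path, the seed property prop_autologin and the class shape are assumptions; a runner is injected so the class can be exercised without an Access Server.

```ruby
require 'json'
require 'open3'

# Provider-style wrapper for an openvpnas_user resource (illustration, not the PR's code).
class OpenvpnasUser
  SACLI = '/usr/local/openvpn_as/scripts/sacli' # stock AS install path (assumption)

  # Runs sacli for real; a non-zero exit raises so Puppet reports the failure.
  def self.run_sacli(argv)
    out, err, status = Open3.capture3(*argv)
    raise "sacli failed (#{status.exitstatus}): #{err}" unless status.success?
    out
  end
  # runner: callable taking an argv array and returning stdout; injectable so
  # the class can be exercised without a live Access Server.
  def initialize(name, runner: self.class.method(:run_sacli))
    @name, @runner = name, runner
  end
  # UserPropGet prints JSON keyed by user name; a record there means the user exists.
  def exists?
    JSON.parse(@runner.call([SACLI, 'UserPropGet'])).key?(@name)
  end
  # AS creates the record on the first UserPropPut; which property to seed is an assumption.
  def create
    run([SACLI, '--user', @name, '--key', 'prop_autologin', '--value', 'false', 'UserPropPut'])
  end
  # UserPropDelAll is the only call that removes the record outright.
  def destroy
    run([SACLI, '--user', @name, 'UserPropDelAll'])
  end
  # Refuses "type": AS sets user_connect/user_compile itself and rejects
  # deleting it, so a manifest must never try to manage that property.
  def set_prop(key, value)
    raise ArgumentError, "property 'type' is controlled by OpenVPN AS" if key == 'type'
    run([SACLI, '--user', @name, '--key', key, '--value', value, 'UserPropPut'])
  end
  # ensure => present/absent reconciliation; returns the argv that ran, or nil.
  def reconcile(state)
    case state
    when :present then exists? ? nil : create
    when :absent  then exists? ? destroy : nil
    else raise ArgumentError, "ensure must be :present or :absent, got #{state.inspect}"
    end
  end
  def run(argv) # sends argv through the injected runner and returns it for callers
    @runner.call(argv)
    argv
  end
end
```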

raybellis commented 4 months ago

Oh, and we use Kerberos auth via PAM, and we do have local user profiles for each user (approx 40).

raybellis commented 4 months ago

I have now committed an additional patch to remove <user>-type from the manageable user properties, since OpenVPN AS does not allow this property to be changed anyway.

sahaqaa commented 4 months ago

@raybellis may I ask you please to also update the metadata.json file, to bump the version from "0.3.4" to "0.3.5"?

sahaqaa commented 4 months ago

UPD: Never mind, please disregard previous comment :smile:

sahaqaa commented 4 months ago

@raybellis Thank you for your time and initiative, your contribution is much appreciated :+1: