search

rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0
257 stars 222 forks source link

Using rancher2_cluster_role_template_binding with openldap_user #617

Open trieszecg opened 3 years ago

trieszecg commented 3 years ago

rancher v2.5.7 rancher/rancher2 v1.13.0 terraform:0.14.5

this did not work:

resource "rancher2_cluster_role_template_binding" "k8s_bot_cluster_role_binding" {
  name = "${var.env}-k8s-bot-cluster-role-binding"
  cluster_id = rancher2_cluster.cluster_x.id
  role_template_id = "cluster-member"
  user_principal_id = "openldap_user://uid=${var.k8s_bot_user},ou=People,ou=xxxx,o=yyyy"
}

results in 

Error: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [message=users.management.cattle.io "uid=zzzz,ou=People,ou=xxxx,o=yyyy" not found, baseType=error, code=ServerError]

this runs terraform apply OK:

resource "rancher2_cluster_role_template_binding" "k8s_bot_cluster_role_binding" {
  name = "${var.env}-k8s-bot-cluster-role-binding"
  cluster_id = rancher2_cluster.cluster_x.id
  role_template_id = "cluster-member"
  group_principal_id = "openldap_user://uid=${var.k8s_bot_user},ou=People,ou=xxxx,o=yyyy"
}

the user appears on the UI OK, among the cluster members, but the binding does not function properly. (Logging in with the user credential it does not see the cluster.)

rawmind0 commented 3 years ago

This is not intentional, user_principal_id should work properly. Have you customized your openldap user/group schemas??

trieszecg commented 3 years ago

I tried with default schemas and with customised ones too. If I enter the username on the UI (cluster / Members / add member) it does find the user OK and it does create the role binding correctly. So It may be something with the terraform provider?

trieszecg commented 3 years ago

I wonder if it can be related to https://github.com/rancher/rancher/issues/19457 ?

rawmind0 commented 3 years ago

I tried with default schemas and with customised ones too. If I enter the username on the UI (cluster / Members / add member) it does find the user OK and it does create the role binding correctly. So It may be something with the terraform provider?

Not completely sure, but i guess the UI field is using user_id. Anyway, the error showed at tf provider is saying that the user is not found. Are you using same user to auth at tf provider and ui?? Is the token used at tf provider from a openldap user??

It may be a tf provider issue, but not clear at this point, due to tf provider to rancher API mapping seems fine. Could you please create a cluster role binding from ui and from the tf provider and provide the API content of both objects??

trieszecg commented 3 years ago

this ldap user (zzzz below) is independent from the admin token. for terraform I am using the boostrap mechanism. Terraform provisions rancher and rancher2_auth_config_openldap then for UI login

resource "rancher2_global_role_binding" "wwww_team_admin_role_binding" {
  name = "wwww-team-admin-role-binding"
  global_role_id = "admin"
  group_principal_id = "openldap_group://cn=wwww,ou=Group,ou=xxxx,o=yyyy"
}

This works fine. I am member of this wwww group so I can login on the UI with my own LDAP credential and have admin rights.

1) if I add user zzzz manually via UI (cluster / Members / Add member) it finds the LDAP user OK, its permissions are correct and the API looks like this

{
"annotations": {
"auth.cattle.io/principal-display-name": "zzzz zzzz",
"lifecycle.cattle.io/create.cluster-crtb-sync_c-cwjgz": "true",
"lifecycle.cattle.io/create.mgmt-auth-crtb-controller": "true"
},
"baseType": "clusterRoleTemplateBinding",
"clusterId": "c-cwjgz",
"created": "2021-04-06T15:34:12Z",
"createdTS": 1617723252000,
"creatorId": "u-z57qzx337j",
"groupId": null,
"groupPrincipalId": null,
"id": "c-cwjgz:crtb-8nmzn",
"labels": {
"auth.management.cattle.io/crb-rb-labels-updated": "true",
"authz.cluster.cattle.io/crb-rb-labels-updated": "true",
"cattle.io/creator": "norman"
},
"links": {
"remove": "…/v3/clusterRoleTemplateBindings/c-cwjgz:crtb-8nmzn",
"self": "…/v3/clusterRoleTemplateBindings/c-cwjgz:crtb-8nmzn",
"update": "…/v3/clusterRoleTemplateBindings/c-cwjgz:crtb-8nmzn"
},
"name": "crtb-8nmzn",
"namespaceId": null,
"roleTemplateId": "cluster-member",
"type": "clusterRoleTemplateBinding",
"userId": "u-2vvwnkdpjq",
"userPrincipalId": "openldap_user://uid=zzzz,ou=People,ou=xxxx,o=yyyy",
"uuid": "ab3642ae-312a-482a-854d-2bef72afea17"
}

2) trying to provision with terraform, using 

user_principal_id = "openldap_user://uid=zzzz,ou=People,ou=xxxx,o=yyyy"

it always throws this error: uid=zzzz,ou=People,ou=xxxx,o=yyyy" not found

3) if I provision via terraform using

group_principal_id = "openldap_user://uid=zzzz,ou=People,ou=xxxx,o=yyyy"

then terraform succeeds, the user zzzz appears on the UI as Cluster Member, but the binding is not correct. Logging in on the UI as zzzz I cannot see any cluster. API shows this:

{
"annotations": {
"lifecycle.cattle.io/create.cluster-crtb-sync_c-cwjgz": "true",
"lifecycle.cattle.io/create.mgmt-auth-crtb-controller": "true"
},
"baseType": "clusterRoleTemplateBinding",
"clusterId": "c-cwjgz",
"created": "2021-04-06T16:06:56Z",
"createdTS": 1617725216000,
"creatorId": "user-f58pp",
"groupId": null,
"groupPrincipalId": "openldap_user://uid=zzzz,ou=People,ou=xxxx,o=yyyy",
"id": "c-cwjgz:testing-k8s-bot-cluster-role-binding",
"labels": {
"auth.management.cattle.io/crb-rb-labels-updated": "true",
"authz.cluster.cattle.io/crb-rb-labels-updated": "true",
"cattle.io/creator": "norman"
},
"links": {
"remove": "…/v3/clusterRoleTemplateBindings/c-cwjgz:testing-k8s-bot-cluster-role-binding",
"self": "…/v3/clusterRoleTemplateBindings/c-cwjgz:testing-k8s-bot-cluster-role-binding",
"update": "…/v3/clusterRoleTemplateBindings/c-cwjgz:testing-k8s-bot-cluster-role-binding"
},
"name": "testing-k8s-bot-cluster-role-binding",
"namespaceId": null,
"roleTemplateId": "cluster-member",
"type": "clusterRoleTemplateBinding",
"userId": null,
"userPrincipalId": null,
"uuid": "16e4916a-a659-4bbb-93f6-892d38c7713e"
}
rawmind0 commented 3 years ago

As mentioned, i guess this may be an issue of not using user_id argument (UI is setting it). Has the openldap user_principal_id been logged in Rancher?? Have you tested tf using user_id instead of user_principal_id??

michalformanek commented 3 years ago

This is the same issue as #225

Forcing users to log in first and then using their user_id as suggested is not very practical, especially in larger organizations. It is easy to gather list of usernames/emails from development teams and then pass them to the resource. Getting some generated ids... not so much. Waiting for larger number of users to log in makes creating new projects tedious. That is why we are using terraform in the first place - to automate stuff

armsnyder commented 3 years ago

Hello.

We are having the same issue, using Rancher's Okta integration. The user object already exists inside Rancher, but we are getting the Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "zzz@example.com" not found] from [https://redacted/v3/clusterroletemplatebindings] error.

Our user in Rancher is:

{
  "actions": {
    "refreshauthprovideraccess": "…/v3/users/u-zzz?action=refreshauthprovideraccess",
    "setpassword": "…/v3/users/u-zzz?action=setpassword"
  },
  "annotations": {
    "authz.management.cattle.io/creator-role-bindings": "{\"created\":[\"user\"],\"required\":[\"user\"]}",
    "lifecycle.cattle.io/create.mgmt-auth-users-controller": "true"
  },
  "baseType": "user",
  "conditions": [
    {
      "lastUpdateTime": "2021-02-25T20:10:53Z",
      "status": "True",
      "type": "InitialRolesPopulated"
    }
  ],
  "created": "2021-03-25T18:59:56Z",
  "createdTS": 1616698796000,
  "creatorId": null,
  "description": "",
  "enabled": true,
  "id": "u-zzz",
  "labels": {
    "DTLN8OAVELPMASHQ5SNMKQ3FELGMSPQ0CLGISORFDK": "hashed-principal-name",
    "cattle.io/creator": "norman"
  },
  "links": {
    "clusterRoleTemplateBindings": "…/v3/clusterRoleTemplateBindings?userId=u-zzz",
    "globalRoleBindings": "…/v3/globalRoleBindings?userId=u-zzz",
    "projectRoleTemplateBindings": "…/v3/projectRoleTemplateBindings?userId=u-zzz",
    "remove": "…/v3/users/u-zzz",
    "self": "…/v3/users/u-zzz",
    "tokens": "…/v3/tokens?userId=u-zzz",
    "update": "…/v3/users/u-zzz"
  },
  "me": false,
  "mustChangePassword": false,
  "name": "Sergio",
  "principalIds": ["okta_user://zzz@example.com", "local://u-zzz"],
  "state": "active",
  "transitioning": "no",
  "transitioningMessage": "",
  "type": "user",
  "uuid": "a91f3dfb-4830-408a-ae46-3a898d672068"
}

Our Terraform config is:

resource "rancher2_cluster_role_template_binding" "cluster_owner_user" {
  name              = d5905a9bd7d72762
  cluster_id        = rancher2_cluster_sync.this.cluster_id
  role_template_id  = "cluster-owner"
  user_principal_id = "okta_user://zzz@example.com"
}

Our Terraform apply debug logs are:

2021-05-26T11:07:52.108-0700 [DEBUG] plugin.terraform-provider-rancher2_v1.18.0: 2021/05/26 11:07:52 [INFO] Creating Cluster Role Template Binding d5905a9bd7d72762
2021-05-26T11:07:52.188-0700 [DEBUG] plugin.terraform-provider-rancher2_v1.18.0: 2021/05/26 11:07:52 [DEBUG] Waiting for state to become: [active provisioning pending]
2021/05/26 11:07:52 [DEBUG] module.stellar.rancher2_cluster_role_template_binding.cluster_owner_users["zzz@example.com"]: apply errored, but we're indicating that via the Error pointer rather than returning it: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "zzz@example.com" not found] from [https://redacted/v3/clusterroletemplatebindings]
2021/05/26 11:07:52 [ERROR] module.stellar: eval: *terraform.EvalApplyPost, err: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "zzz@example.com" not found] from [https://redacted/v3/clusterroletemplatebindings]
2021/05/26 11:07:52 [ERROR] module.stellar: eval: *terraform.EvalSequence, err: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "zzz@example.com" not found] from [https://redacted/v3/clusterroletemplatebindings]

We are running Terraform using an admin auth token.

rawmind0 commented 3 years ago

This is the same issue as #225

Forcing users to log in first and then using their user_id as suggested is not very practical, especially in larger organizations. It is easy to gather list of usernames/emails from development teams and then pass them to the resource. Getting some generated ids... not so much. Waiting for larger number of users to log in makes creating new projects tedious. That is why we are using terraform in the first place - to automate stuff

@michalformanek , yes, it's the same issue as #225. I tend to agree that forcing users to log in first and then using their user_id is not very practical, especially in larger organizations with bunch of users. Especially for these cases, rancher2_cluster_role_template_binding and/or rancher2_project_role_template_binding may be created using group_principal_id instead, that wouldn't require user pre login nor local user_id. It should be as easy as gather list of usernames/emails from development teams and create an openldap group, with the benefit that rancher2_cluster_role_template_binding nor rancher2_project_role_template_binding shouldn't be updated when you added new users to openldap group.

@armsnyder, have you tried using user_id instead user_principal_id?? The token used by tf apply is coming from a local or from a okta user??

The use of group_principal_id on cluster and project template bindings should work properly, but the use of user_id and user_principal_id will require the user has logged in Rancher before. Also, the use of user_principal_id should work fine if the provider is configured with openldap user token, https://github.com/rancher/terraform-provider-rancher2/issues/225#issuecomment-615198815

ghost commented 2 years ago

Hello,

I have the same issue with ActiveDirectory and rancher2_project_role_template_binding resource. It seems that Rancher need a token key of an user authenticated by the auth provider to be able to use the user_principal_id.

With the following definition, I got a not found error.

provider "rancher2" {
  api_url   = var.rancher_url
  token_key = var.rancher_local_admin_token_key
}

resource "rancher2_project_role_template_binding" "my-binding" {
  name               = "my-binding"
  project_id         = rancher2_project.my_project.id
  role_template_id   = "project-member"
  user_principal_id = local.ad_users.my_user
}

I can replace the user_principal_id directive by group_principal_id and the terraform apply works, but the binding fails and the user can't access to the project.

But if I configure my rancher2 provider with an active directory user, the terraform apply works fine.

provider "rancher2" {
  api_url   = var.rancher_url
  token_key = var.rancher_active_directory_admin_token_key
}

resource "rancher2_project_role_template_binding" "my-binding" {
  name               = "my-binding"
  project_id         = rancher2_project.my_project.id
  role_template_id   = "project-member"
  user_principal_id = local.ad_users.my_user
}

It seems rancher2 core needs a token key link to the auth provider to be able to use the user_principal_id link to the same auth provider.

wd commented 4 weeks ago

I can't believe the token_key for the provider is the problem. I changed to another key and it worked.