UserMgr RAD API with Puppet

In my last post I had a look at the Solaris RAD API to manage ZFS, this time I am testing the UserMgr RAD module. As far as I know it is also the oldest RAD module and the backend for the “Solaris User Manager GUI”.

As the name promises the GUI allows to manage user accounts on Solaris.

It is a Java application which can be installed and started the following way:

# pkg install pkg:/system/management/visual-panels/panel-usermgr
# vp usermgr

Puppet resource type: solaris_user

As Solaris 11.3 offers a REST-API, I wrote a Puppet resource type which uses the same RAD API (UserMgr) to manage users, called solaris_user:

# puppet resource solaris_user mzach
solaris_user { 'mzach':
  ensure        => 'present',
  comment       => 'Manuel',
  gid           => '10',
  groups        => ['other'],
  home          => '/export/home/mzach/',
  profiles      => ['All'],
  shell         => '/usr/bin/bash',
  uid           => '300',
}

Now that Puppet understands the UserMgr API, you can manage the user accounts via Puppet manifests. For example if you want to add the Authenticated Rights Profile Operator to the user you can do it with the following manifest:

manage-mzach.pp

solaris_user { 'mzach':
  ensure        => 'present',
  auth_profiles => ['Operator']
}

# puppet apply manage-mzach.pp
Notice: /Stage[main]/Main/Solaris_user[mzach]/auth_profiles: defined 'auth_profiles' as 'Operator'

# puppet resource solaris_user mzach
solaris_user { 'mzach':
  ensure        => 'present',
  auth_profiles => ['Operator'],
  comment       => 'Manuel',
  gid           => '10',
  groups        => ['other'],
  home          => '/export/home/mzach/',
  profiles      => ['All'],
  shell         => '/usr/bin/bash',
  uid           => '300',
}

Similar to the previous RAD providers you can activate the debug mode with --debug, to observe the REST calls:

# puppet resource --debug solaris_user mzach
...
Debug: REST API Calling GET: https://127.0.0.1:12303/api/com.oracle.solaris.rad.usermgr/1.0/UserMgr/users/
Debug: REST API response: {
    "status": "success",
    "payload": [
        {
            "username": "root",
            "userID": 0,
            "groupID": 0,
            "description": "Super-User",
            "homeDirectory": "/root",
            "defaultShell": "/usr/bin/bash",
            "inactive": -1,
            "min": -1,
            ...

Conclusion

The current UserMgr-API in Solaris 11.3 GA is easy to use, and supports all features of useradd and usermod, like the new Authenticated Rights Profiles.
But the current version has also several restrictions and issues. For example The addUser method requires to set a non-hashed password. As work-around this provider sets a dummy password which should be changed immediately. Check the Readme for details.
All the issues are reported to Oracle, so they are maybe fixed soon.

See also

• Puppet module: mzachh/radproviders
• Readme: solaris_user
• Details for UserMgr RAD-API can be found in the man page, see man -s 3rad usermgr