Adding and Removing Users Programmatically

Describes how to add and remove users through the Kubernetes API using the EzUserQuery and EzUserConfig custom resources.

The user management operator in HPE Ezmeral Unified Analytics Software responds to the EzUserQuery and EzUserConfig custom resources when they are created by a client with the required Kubernetes API permissions.

Use the administrative kubectl config that you get when you create the HPE Ezmeral Unified Analytics Software cluster to onboard and manage users programmatically through the Kubernetes API.

To onboard a user, complete the following steps:
  1. Use the EzUserQuery custom resource to search for the user in the internal or external AD/LDAP directory. The EzUserQuery returns a list of attributes for a user, including the Keycloak ID. The Keycloak ID is required to onboard a user.
  2. Use the EzUserConfig custom resource to onboard the user.

The following sections describe the custom resources:

EzUserQuery

Use the EzUserQuery custom resource to query the user AD/LDAP directory.

The EzUserQuery properties map directly to the query types of the Keycloak user API. Providing values for the email, firstName, lastName, and/or username properties sets criteria that must match the returned users. The search property value is typically the most useful and can match against the email or username.

The query response from Keycloak is written to the status of the EzUserQuery resource. Query results are bounded: a query returns at most five results, so narrow your search criteria if more users match. Results show the attributes of each matching user, for example whether the user is enabled (true/false), the id (Keycloak user ID), and the role (admin or not).

EzUserQuery resources self-delete after they expire.

Using the EzUserQuery Custom Resource
  1. In a YAML file, add the following properties, specifying your own values:
    apiVersion: ezconfig.hpe.ezaf.com/v1alpha1
    kind: EzUserQuery
    metadata:
      name: my-query-1
    spec:
      search: joel
    
  2. To create the query and then get it, run the following commands, specifying your YAML file name:
    kubectl create -f query.yaml

    kubectl get ezuserquery

    The status.status property reports ready when query results are available.

  3. To retrieve the results of the directory query, run the following command, specifying your query name:
    kubectl get ezuserquery my-query-1 -o yaml
    The command returns results similar to those shown in the following image:

    The userQuery property displays the user attributes.
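The query step above, as an added example that is not part of the HPE documentation or the product: a standard-library Python script that builds the EzUserQuery manifest and reads the Keycloak ID out of a fetched query, refusing to pick a user when the (five-result) bounded query is ambiguous. It assumes that matched users are listed under status.userQuery with the id and enabled attributes the page names, that status.status reads ready when results are in, and that the manifest is passed to kubectl as JSON (kubectl accepts JSON as well as YAML). The sample query output is constructed.

```python
import json

API_VERSION = "ezconfig.hpe.ezaf.com/v1alpha1"                  # apiVersion used on the page
CRITERIA = {"email", "firstName", "lastName", "username"}       # query properties named on the page


def build_user_query(name, search=None, **criteria):
    """Return an EzUserQuery manifest as a dict.

    kubectl accepts JSON manifests, so json.dumps(result) can be piped to
    `kubectl create -f -`.
    """
    unknown = set(criteria) - CRITERIA
    if unknown:
        raise ValueError(f"unsupported EzUserQuery properties: {sorted(unknown)}")
    spec = {k: v for k, v in criteria.items() if v}
    if search:
        spec["search"] = search
    if not spec:
        raise ValueError("at least one of search/email/firstName/lastName/username is required")
    return {"apiVersion": API_VERSION, "kind": "EzUserQuery",
            "metadata": {"name": name}, "spec": spec}


def keycloak_id_from_query(resource):
    """Classify a fetched EzUserQuery (`kubectl get ezuserquery NAME -o json`).

    Returns (state, value):
      ("pending", None)     status.status is not ready yet: poll again
      ("none", None)        no user matched
      ("ambiguous", users)  more than one match: narrow the criteria
      ("ok", keycloak_id)   exactly one match
    Assumption (field names are not given on the page): matches are listed
    under status.userQuery, each carrying the id and enabled attributes.
    """
    status = resource.get("status") or {}
    if str(status.get("status", "")).lower() != "ready":
        return "pending", None
    users = list(status.get("userQuery") or [])
    if not users:
        return "none", None
    if len(users) > 1:
        # The operator caps results at five, so a full list may hide further
        # matches; never onboard the first hit of an ambiguous query.
        return "ambiguous", users
    return "ok", users[0]["id"]


# Constructed sample of `kubectl get ezuserquery my-query-1 -o json` output,
# reusing the page's example search term and Keycloak ID.
SAMPLE_QUERY_READY = {
    "apiVersion": API_VERSION, "kind": "EzUserQuery",
    "metadata": {"name": "my-query-1"}, "spec": {"search": "joel"},
    "status": {"status": "ready",
               "userQuery": [{"id": "04ef844e", "username": "joel",
                              "enabled": True, "role": "admin"}]},
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Classify a saved `kubectl get ezuserquery NAME -o json` output.
        with open(sys.argv[1]) as f:
            print(keycloak_id_from_query(json.load(f)))
    else:
        # Emit the manifest so it can be piped straight into kubectl.
        print(json.dumps(build_user_query("my-query-1", search="joel"), indent=2))
```

Run `python3 ezuserquery.py | kubectl create -f -` to create the query, then save `kubectl get ezuserquery my-query-1 -o json` to a file and pass that file as the argument: the script prints pending until status.status is ready, and only returns an id when exactly one user matched.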

EzUserConfig

Use the EzUserConfig custom resource to enable/disable users and manage user roles.

EzUserConfig identifies the user (via keycloak ID) and indicates the roles that a user should have when onboarded.

The following table describes the differences between internal and external AD/LDAP servers when using EzUserConfig:

  AD/LDAP Server Type   Description
  Internal              EzUserConfig creates and enables a user. Deleting an EzUserConfig disables and deletes the user.
  External              EzUserConfig enables a user. EzUserConfig identifies the user (via Keycloak ID) and sets the user role. Deleting an EzUserConfig disables the user.

The EzUserConfig status stanza shows user attributes, whether the user is successfully enabled, the roles that have successfully been assigned, and any error messages.
To retrieve and display information about the ezuserconfig resource, run:
kubectl get ezuserconfig

The NAMESPACE column of the kubectl get ezuserconfig output shows the user's namespace. Note that the namespace name does not match the user's username: it is derived from the username, used as a prefix, with a generated suffix appended. For example, if the AD username is Arun1.Gowda and the Unified Analytics username is arun1.gowda, the Unified Analytics namespace name is arun1-gowda-2ccc059b.

TIP
  • The user management operator actually onboards the user.
  • Enabled is not a role that you can assign to a user.
  • The following resources include the label hpe-ezua/username=<ua-username>:
    • ezuserconfig
    • user namespace
    • profile
  • To find the namespace name for your username, run:
    kubectl get ns -l hpe-ezua/username=<ua-username>

Using the EzUserConfig Custom Resource
  1. In a YAML file, add the following properties, specifying your own values:
    apiVersion: ezconfig.hpe.ezaf.com/v1alpha1
    kind: EzUserConfig
    metadata:
      name: my-admin-user-1
    spec:
      id: 04ef844e
      roles:
        - admin
    
    Note that the ID is the Keycloak ID that you can get using the EzUserQuery custom resource.
  2. To see a list of all the attributes for a user, run the following command, specifying the name of the user's EzUserConfig resource (joel in this example):
    kubectl get ezuserconfig joel -o yaml
    The command returns results similar to those shown in the following image:
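The onboarding step above, as an added example that is not part of the HPE documentation or the product: a standard-library Python script that builds the EzUserConfig manifest from a Keycloak ID, rejects the "enabled is not a role" mistake from the TIP, interprets the status stanza, and finds the user namespace by the hpe-ezua/username label instead of guessing it from the username. The status field names (status.enabled, status.roles, status.errors) are assumptions, since the page only describes what the stanza shows; the sample EzUserConfig and Namespace objects are constructed, reusing the page's example values.

```python
import json

API_VERSION = "ezconfig.hpe.ezaf.com/v1alpha1"   # apiVersion used on the page
USERNAME_LABEL = "hpe-ezua/username"             # label named in the page's TIP


def build_user_config(name, keycloak_id, roles=()):
    """Return an EzUserConfig manifest (dict) for the user with this Keycloak ID.

    kubectl accepts JSON manifests, so json.dumps(result) can be piped to
    `kubectl create -f -`.
    """
    if not keycloak_id:
        raise ValueError("a Keycloak ID is required; look it up with EzUserQuery first")
    roles = [r.strip() for r in roles if r and r.strip()]
    # Per the page's TIP, 'Enabled' is not a role: creating the EzUserConfig is
    # what enables the user, so refuse this common mistake before it reaches the API.
    if any(r.lower() == "enabled" for r in roles):
        raise ValueError("'enabled' is not a role; creating the EzUserConfig enables the user")
    manifest = {"apiVersion": API_VERSION, "kind": "EzUserConfig",
                "metadata": {"name": name}, "spec": {"id": keycloak_id}}
    if roles:
        manifest["spec"]["roles"] = roles
    return manifest


def check_user_config_status(resource, wanted_roles):
    """Interpret the status stanza of a fetched EzUserConfig.

    Assumed field names (not given on the page): status.enabled (bool),
    status.roles (roles actually assigned), status.errors (list of messages).
    Returns {'ok', 'enabled', 'missing_roles', 'errors'}; 'ok' is True only
    when the user is enabled, every wanted role was assigned and no error is reported.
    """
    status = resource.get("status") or {}
    enabled = bool(status.get("enabled", False))
    assigned = set(status.get("roles") or [])
    errors = list(status.get("errors") or [])
    missing = sorted(set(wanted_roles) - assigned)
    return {"ok": enabled and not missing and not errors,
            "enabled": enabled, "missing_roles": missing, "errors": errors}


def find_user_namespace(namespaces, ua_username):
    """Select the user's namespace by label, the programmatic equivalent of
    `kubectl get ns -l hpe-ezua/username=<ua-username>`.

    `namespaces` is the items list of `kubectl get ns -o json`. The namespace
    name carries a generated suffix, so it must be looked up, not derived.
    Returns the namespace name, or None when no namespace carries the label.
    """
    for ns in namespaces:
        labels = (ns.get("metadata") or {}).get("labels") or {}
        if labels.get(USERNAME_LABEL) == ua_username:
            return ns["metadata"]["name"]
    return None


# Constructed sample of `kubectl get ezuserconfig my-admin-user-1 -o json`
# output, with the assumed status field names above.
SAMPLE_CONFIG = {
    "apiVersion": API_VERSION, "kind": "EzUserConfig",
    "metadata": {"name": "my-admin-user-1"},
    "spec": {"id": "04ef844e", "roles": ["admin"]},
    "status": {"enabled": True, "roles": ["admin"], "errors": []},
}

# Constructed Namespace items, using the page's example username and namespace.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "kube-system", "labels": {}}},
    {"metadata": {"name": "arun1-gowda-2ccc059b",
                  "labels": {USERNAME_LABEL: "arun1.gowda"}}},
]


if __name__ == "__main__":
    print(json.dumps(build_user_config("my-admin-user-1", "04ef844e", ["admin"]), indent=2))
    print(check_user_config_status(SAMPLE_CONFIG, ["admin"]))
    print(find_user_namespace(SAMPLE_NAMESPACES, "arun1.gowda"))
```

The label lookup uses the Unified Analytics username (arun1.gowda), not the AD spelling (Arun1.Gowda), which is the value the page shows in the hpe-ezua/username label; a lookup with the wrong case returns None rather than a wrong namespace.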