After spending the last several months building automation/configuration management with open source Puppet, we’re looking at Puppet Enterprise. Between a move from Puppet 3.x to 4.x and PE — theres enough different it feels like learning everything all over again.
One of the first things I ran into was that I wanted to configure Puppet to use our Active Directory server for authentication. I made the mistake in that process of adding myself as a local PE console user. The PE console gives you no way to recover from this. You can only revoke that local user’s access, not remove them entirely so as to delegate the authentication out to AD.
Bad. Worse, the documentation doesn’t really help you out here. Fortunately, there’s an API. In the middle of trying to sort out everything else for getting this set up, yes, you have to use the API to fix the honest mistake made in the console.
The first step is understanding how to create an API request. Fortunately, you can do it with cURL. It’s messy, but it works. But wait. The section there about generating a token for your API authentication? Ignore it for now, because it turns out at this stage if you go down that road it won’t work.
Note: For security reasons, authentication tokens can only be generated for revocable users. The admin user and api_user cannot be revoked.
Well Bob, since the only local users I have are the one I’m trying to delete, admin, and api_user — I guess a token is out of the question.
You’ll need to use a whitelisted certificate, which you already have for your PE server. Just to be sure, look at the contents of /etc/puppetlabs/console-services/rbac-certificate-whitelist. You should see your PE server’s FQDN or something along those lines. Note that value. (Ignore the one that says “pe-internal-orchestrator”)
At this point, you have what you need to retrieve the UUID for the user that you need to delete.
curl -k -X GET https://localhost:4433/rbac-api/v1/users \ --cert /etc/puppetlabs/puppet/ssl/certs/<PE_SERVER>.pem \ --key /etc/puppetlabs/puppet/ssl/private_keys/<PE_SERVER>.pem \ --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \ -H "Content-Type: application/json" | python -m json.tool
Note the port number is 4433. If you try to use the standard SSL port,
443, it won’t work because the server will return a 302 redirect.
It’s long and messy. The result is JSON data, which is much easier to read if you pipe it into a pretty print filter. Python (at least on RHEL7) ships with one. Scan the output for the user you want to delete. It’s probably the last one in the list. You need the id field.
Now use cURL to DELETE the user in question, replacing <id> with the id you found above. In the instructions it says “DELETE /users/:sid”. Don’t include the colon. It’s there to indicate that you need to replace :sid with a value.
curl -kiv -X DELETE https://localhost:4433/rbac-api/v1/users/<id> \ --cert /etc/puppetlabs/puppet/ssl/certs/<PE_SERVER>.pem \ --key /etc/puppetlabs/puppet/ssl/private_keys/<PE_SERVER>.pem \ --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \ -H "Content-Type: application/json" | python -m json.tool
If you get back
HTTP/1.1 204 No Content, you succeeded.
Now if you’ve configured your AD/LDAP parameters correctly and you try to log in as the user you just deleted, it will work.
This is a very long and unnecessarily painful route to remove a local user.