How to create a user in rancher api?

Hi,

I have been trying to create a user in the rancher api and I have only partially succeeded.

With the below api call I’m able to create a user named “testuser3”

curl -u "${CATTLE_ACCESS_KEY}:${CATTLE_SECRET_KEY}" \
  -X POST \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"description":"test account", "kind":"user", "name":"testuser3"}' \
  http://192.168.54.207/v1/accounts

But the problem with the above call is that I’m able to create the user but there is no username created for the user, as you can see in the attachment.

A few topics in the forum led to /v1/localauthconfigs but that is for enabling localauth in rancher, I believe.

I have Local auth enabled in rancher.

Thank you.

It’s two separate requests, one to create the account and another to assign the password. In the response to the first one (what you have is fine) you’ll get the account id, then

curl -X POST ... \
  -d '{"publicValue":"yourusername","secretValue":"yourpassword","accountId":"1a114"}'  \
  http://192.168.54.207/v1/password
2 Likes

Thank you Vincent, it’s working.

Thanks @vincent, this has been very helpful.

I got totally confused with the different resources like credentials, apiKeys, passwords and registrationTokens.

What I’ve learned so far: Instead of interacting with the credentials resource API, better deal with the more specific and therefore higher level API resources mentioned above.

Am I right or still on the wrong path?

They are “subclasses” of credential, so yes generally you would want to work with the specific type.

1 Like

@vincent Need to bother you with more questions regarding the semantics of user handling - need more clarification:

  • What is the meaning of the identity resource? As I understood it, it’s the link between an external auth provider like OpenLDAP or Github or whatever and the locally configured accounts. So we have transitional data here which is only valid as long as an account has been authenticated via this external auth provider? I could not find any database manifestation of this resource. Where is this data maintained?

  • While creating a project I can also feed the API with the list of members of this project. I need to specify the role and the externalId. What is the externalId referring to? With local authentication enabled, the externalId seems to refer to the local account id, but with OpenLDAP authentication enabled the externalId refers to the Distinguished Name of the user object in the LDAP tree, which is only resolvable via the identity resource. So the question is, where is this foreign key relationship pointing to?

  • What is projectmember used for? Naturally this thinking brought me to the projectmember resource. This would enable me to separate the tasks of creating a project and adding members to it. But if I create a project manually via the UI (where it’s called environment) and add members to it, they do not appear in the projectmember resource. What am I missing here? Is this a legacy leftover or created for future use?

Sorry for being that verbose, but I am trying to write a deployment mechanism for Ansible which deploys Rancher/Cattle with basic configuration like authentication, user handling, environment handling and agent auto-registration. And I got stuck in making sense out of my observations. My questions aim at being able to generically process these resources.

TIA

@vincent Ok, let me condense these questions into just a single one: How do I add project members to already created projects under different authentication providers (local auth, LDAP) via API?

TIA

Sorry, missed this…

Identities are the way you interact with the users/groups/orgs/teams/whatever that the auth provider has available. The data comes from the auth provider and is not saved in the database (except for localauth, where we are the provider too).

externalId and externalIdType are, as far as you should be concerned, opaque strings that come from the auth provider and identify a specific resource. They’re “external”, not “foreign”, because we are not the authority for who a person is or what users are part of a group, etc. It’s pointing to an entry in the external provider, encoded in whatever way makes sense to them (for LDAP it’s the entry’s DN, for GitHub the account’s user_id, etc.).

The members array on a project is the list of identities that can use that project. To change it you use the setmembers action on the project. I’m guessing you’re looking at /v1/projectMembers, which isn’t a top-level type that should be actually visible, it’s just the input type for the setmembers action. If you are an admin there are a bunch of irrelevant top-level types that are shown, which will be fixed in an API v2 (along with renaming project->environment and environment->stack, and other things).

1 Like
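The two-request user creation from Vincent's first reply and the setmembers action from his last one, as an added Python example that is not from the thread or from Rancher itself. The field names (kind, publicValue, secretValue, accountId, members, externalId, externalIdType, role) come from the posts above; the ?action=setmembers URL form, the externalIdType values, the "owner" role, the project id and the keys in the usage block are assumptions or placeholders.

```python
import base64
import json
import urllib.request

# Assumptions (not from the thread): the ?action=setmembers URL form and the
# externalIdType values. The field names themselves come from the posts above.
LOCAL_ID_TYPE = "rancher_id"         # local auth: externalId is the account id
LDAP_USER_ID_TYPE = "openldap_user"  # OpenLDAP: externalId is the entry's DN


def make_poster(base_url, access_key, secret_key):
    """Return post(path, body) -> dict; the API keys go in HTTP basic auth (curl -u)."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()

    def post(path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Accept": "application/json",
                     "Content-Type": "application/json",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def create_local_user(post, name, username, password, description=""):
    """Two requests: create the account, then attach a password to its id."""
    account = post("/v1/accounts",
                   {"kind": "user", "name": name, "description": description})
    account_id = account.get("id")
    if not account_id:  # the second request cannot be built without the id
        raise RuntimeError("account response carried no id: %r" % (account,))
    post("/v1/password", {"publicValue": username, "secretValue": password,
                          "accountId": account_id})
    return account_id


def set_project_members(post, project_id, members):
    """Replace a project's member list; each member is (externalId, externalIdType, role)."""
    body = {"members": [{"externalId": ext_id, "externalIdType": id_type, "role": role}
                        for ext_id, id_type, role in members]}
    return post(f"/v1/projects/{project_id}?action=setmembers", body)


if __name__ == "__main__":
    # Placeholder keys and project id; replace with values from your own Rancher.
    post = make_poster("http://192.168.54.207", "ACCESS_KEY", "SECRET_KEY")
    uid = create_local_user(post, "testuser3", "testuser3", "changeme", "test account")
    set_project_members(post, "PROJECT_ID", [(uid, LOCAL_ID_TYPE, "owner")])
```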

Hello @vincent,

I have noticed a weird thing (I am on v1.5.2). This command does the job but still the username doesn’t populate in the Accounts page until the user logs in once.

Cheers,
Vikas