External User Sync

This example demonstrates how to sync users from an external source to Orion's titan service for workstation launching.

Requirements

  • A running Orion instance
  • Orion API Key
  • titan role assigned to the user running the script
  • External source that provides all the following fields for Users
    • username - POSIX username
    • uid - POSIX user ID
    • email - Email address
  • External source that provides all the following fields for Groups/Roles
    • name - POSIX group name
    • guid - POSIX Group ID
    • members - List of its members (usernames, uids, or emails)

Source Data

Since the data source can be anything, we will use a simple JSON file as an example. This data could be pulled from something like Active Directory, LDAP, or any other user management system. Juno internally uses Google Workspace and AWS Cognito for user management and this is how users are synced in for us.

Script

Warning

If you get a requests.exceptions.SSLError, you can pass the verify=False parameter to the request to disable TLS certificate verification.

Data from our external source can look like this:

user_data = [
    {
        "username": "johndoe",
        "uid": 1050,
        "email": "johndoe@example.com",
    }
]
group_data = [
    {
        "name": "corp_users",
        "guid": 3050,
        "members": [1050]
    }
]

User sync integration script

import os
import requests

# user_data and group_data are the two lists shown under "Source Data" above

server = os.environ['SERVER']
token = os.environ['TOKEN']

user_map = {}

# create our users first
for user in user_data:
    response = requests.post(
        f"{server}/titan/user",
        headers={"Authorization": f"{token}"},
        # while we know this is kind of silly to do this way,
        # it is just to show what is required to make the request
        json={
            "username": user["username"],
            "uid": user["uid"],
            "email": user["email"],
        }
    )
    # stop on the first failed request instead of silently continuing
    response.raise_for_status()

    # we know that our groups need the username and not the ID, so to
    # help minimize looping, we store for later indexing
    user_map[user["uid"]] = user['username']

# titan stores its membership with usernames and not uids, so we need to
# get the username for each user and then add them to the group
for group in group_data:
    members = []
    for member in group["members"]:
        members.append(user_map[member])  # get the username from the uid

    response = requests.post(
        f"{server}/titan/group",
        headers={"Authorization": f"{token}"},
        json={
            "name": group["name"],
            "guid": group["guid"],
            "members": members
        }
    )
    response.raise_for_status()

export TOKEN="your-token"
export SERVER="https://orion-install"
python sync_users.py

This script will create the users and groups in the titan service for Orion. Once the users and groups are created, they will be automatically loaded into the workstations at launch time and membership will be assigned to match your titan configuration.
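The script above assumes every group member is referenced by uid, while the requirements allow usernames, uids or emails. The following added example (not part of the Orion documentation) resolves all three forms, fails on unknown references instead of skipping them, checks each HTTP status, and diffs the /titan/state document against the source data. The endpoint paths are the ones shown on this page; the sample data and the ORION_CA_BUNDLE variable are assumptions.

```python
import os

# Constructed sample source data; members are referenced by uid, email and username.
SAMPLE_USERS = [
    {"username": "johndoe", "uid": 1050, "email": "johndoe@example.com"},
    {"username": "asmith", "uid": 1051, "email": "asmith@example.com"},
]
SAMPLE_GROUPS = [{"name": "corp_users", "guid": 3050, "members": [1050, "asmith@example.com", "johndoe"]}]

def build_user_index(users):
    """Map every identifier a source may use (username, uid, email) to the POSIX username."""
    return {key: u["username"] for u in users for key in (u["username"], u["uid"], u["email"])}

def resolve_members(group, index):
    """Translate member references to the usernames titan stores; unknown refs fail loudly."""
    unknown = [m for m in group["members"] if m not in index]
    if unknown:
        raise KeyError(f"group {group['name']}: unknown members {unknown}")
    return sorted({index[m] for m in group["members"]})

def verify_state(state, users, groups):
    """Diff a /titan/state document (shape as shown on this page) against the source data."""
    index, problems = build_user_index(users), []
    got = {u["username"]: u["uid"] for u in state["users"]}
    for u in users:
        if got.get(u["username"]) != u["uid"]:
            problems.append(f"user {u['username']}: titan uid {got.get(u['username'])}, source {u['uid']}")
    for g in groups:
        found = [s for s in state["groups"] if s["name"] == g["name"]]
        have = sorted(m["username"] for m in found[0]["members"]) if found else None
        if have != resolve_members(g, index):
            problems.append(f"group {g['name']}: titan members {have}")
    return problems

def sync(server, token, users, groups):
    """POST users then groups to the endpoints shown on this page, checking every status code."""
    import requests  # imported here so the offline helpers above run without it
    s = requests.Session()
    s.headers["Authorization"] = token
    # Assumption: ORION_CA_BUNDLE holds the path to your CA bundle; use it rather than verify=False.
    s.verify = os.environ.get("ORION_CA_BUNDLE", True)
    index = build_user_index(users)
    for u in users:
        s.post(f"{server}/titan/user", json={k: u[k] for k in ("username", "uid", "email")}).raise_for_status()
    for g in groups:
        payload = {"name": g["name"], "guid": g["guid"], "members": resolve_members(g, index)}
        s.post(f"{server}/titan/group", json=payload).raise_for_status()
    state = s.get(f"{server}/titan/state", headers={"Accept": "application/json"})
    state.raise_for_status()
    return verify_state(state.json(), users, groups)
```

sync() returns an empty list when titan's state matches the source, so a non-empty result is the signal to investigate before the next workstation launch.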

Verification

We can verify this by checking the titan service for its "state".

export TOKEN="your-token"
export SERVER="https://orion-install"
curl "$SERVER/titan/state" -H "Accept: application/json" -H "Authorization: $TOKEN"

{
  "users": [
    {
      "username": "johndoe",
      "uid": 1050,
      "email": "johndoe@example.com",
      "groups": [
        {
          "name": "corp_users",
          "uid": 3050
        }
      ]
    }
  ],
  "groups": [
    {
      "name": "corp_users",
      "uid": 3050,
      "members": [
        {
          "username": "johndoe",
          "uid": 1050,
          "email": "johndoe@example.com",
          "groups": [
            {
              "name": "corp_users",
              "uid": 3050
            }
          ]
        }
      ]
    }
  ]
}

We can also run id inside of a workstation terminal and see that our new user and its group membership are set up properly.

id
uid=1050(johndoe) gid=1050(johndoe) groups=1050(johndoe),3050(corp_users)