Skip to content

[patch] Fix initial user creation for 9.1 onwards#377

Merged
whitfiea merged 6 commits into
stablefrom
mascore14554
Jun 9, 2026
Merged

[patch] Fix initial user creation for 9.1 onwards#377
whitfiea merged 6 commits into
stablefrom
mascore14554

Conversation

@tomklapiscak

@tomklapiscak tomklapiscak commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Fixes

This PR fixes two different failures seen in Initial users creating against MAS >= 9.1:

An unexpected exception occurred while getting user workspaces for user {userid}

Caused by unnecessary call to /v3/users/{userid}/workspaces Core API - all user creation operations should be performed via calls to the new Manage APIs.

Fixed by removing this unnecessary call when running against MAS >= 9.1

BMXAA10322E - Only API Administrator can create API Administrators.

The job was using MAXADMIN to create a user with apikeyadmin permission set, but MAXADMIN itself does not have apikeyadmin.

Fixed by updating the code to use the MXINTADM user instead.

Other Changes

  • Refactor pre and post 9.1 creation logic into seperate code branches for readability
  • Demote some log messages from INFO to DEBUG

Testing

Unit tests updated

Tested against 9.1.11 and 9.2.0-pre.stable-2897:

Input:

users:
  primary:
    - email: primaryuser@example.com
      given_name: primary
      family_name: user
      id: primaryuser
  secondary:
    - email: secondaryuser@example.com
      given_name: secondary
      family_name: user

9.1.11 Logs

2026-06-08 15:45:34,115   root                                               [MainThread] INFO     Configuration:
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     --------------
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     mas_instance_id:           inst1
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     mas_workspace_id:          main
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     mas_version:               9.1
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     initial_users_yaml_file:   /Users/tom/workspaces/python-devops/initial-users.yaml
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     initial_users_secret_name: None
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     log_level:                 20
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     coreapi_port:              8444
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     admin_dashboard_port:      8445
2026-06-08 15:45:34,115   root                                               [MainThread] INFO     manage_api_port:           8443
2026-06-08 15:45:34,115   root                                               [MainThread] INFO
2026-06-08 15:45:38,707   mas.devops.users.MASUserUtils                      [MainThread] INFO     Waiting for facilities to become ready and available: 600.00 seconds remaining
2026-06-08 15:45:40,073   mas.devops.users.MASUserUtils                      [MainThread] INFO     Waiting for manage to become ready and available: 600.00 seconds remaining
2026-06-08 15:45:43,326   mas.devops.users.MASUserUtils                      [MainThread] INFO     Found 28 security groups in Manage
2026-06-08 15:45:43,328   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:45:43,328   mas.devops.users.MASUserUtils                      [MainThread] INFO     Syncing primary user with email primaryuser@example.com
2026-06-08 15:45:44,848   mas.devops.users.MASUserUtils                      [MainThread] INFO     Creating new Manage API Key for user MXINTADM
2026-06-08 15:45:49,457   mas.devops.users.MASUserUtils                      [MainThread] INFO     Creating new user primaryuser
2026-06-08 15:46:08,829   mas.devops.users.MASUserUtils                      [MainThread] INFO     Linking user primaryuser to local IDP using Manage API (version 9.1)
2026-06-08 15:46:10,666   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully linked user primaryuser to local IDP
2026-06-08 15:46:10,667   mas.devops.users.MASUserUtils                      [MainThread] INFO     Setting group reassignment authorization for resource _UFJJTUFSWVVTRVI- with 28 groups
2026-06-08 15:46:12,673   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully set group reassignment authorization for resource _UFJJTUFSWVVTRVI-
2026-06-08 15:46:12,674   mas.devops.users.MASUserUtils                      [MainThread] INFO     Completed sync of primary user primaryuser@example.com
2026-06-08 15:46:12,674   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:46:12,674   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:46:12,674   mas.devops.users.MASUserUtils                      [MainThread] INFO     Syncing secondary user with email secondaryuser@example.com
2026-06-08 15:46:18,869   mas.devops.users.MASUserUtils                      [MainThread] INFO     Creating new user secondaryuser@example.com
2026-06-08 15:46:38,611   mas.devops.users.MASUserUtils                      [MainThread] INFO     Linking user secondaryuser@example.com to local IDP using Manage API (version 9.1)
2026-06-08 15:46:40,430   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully linked user secondaryuser@example.com to local IDP
2026-06-08 15:46:40,431   mas.devops.users.MASUserUtils                      [MainThread] INFO     Completed sync of secondary user secondaryuser@example.com
2026-06-08 15:46:40,431   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:46:40,432   mas.devops.users.MASUserUtils                      [MainThread] INFO     Deleting Manage API Key for user MXINTADM

9.2.0-pre.stable-2897 Logs

2026-06-08 15:51:57,975   root                                               [MainThread] INFO     Configuration:
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     --------------
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     mas_instance_id:           fvtsaas
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     mas_workspace_id:          masdev
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     mas_version:               9.2
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     initial_users_yaml_file:   /Users/tom/workspaces/python-devops/initial-users.yaml
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     initial_users_secret_name: None
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     log_level:                 20
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     coreapi_port:              8444
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     admin_dashboard_port:      8445
2026-06-08 15:51:57,975   root                                               [MainThread] INFO     manage_api_port:           8443
2026-06-08 15:51:57,975   root                                               [MainThread] INFO
2026-06-08 15:51:59,696   mas.devops.users.MASUserUtils                      [MainThread] INFO     Waiting for manage to become ready and available: 600.00 seconds remaining
2026-06-08 15:52:00,909   mas.devops.users.MASUserUtils                      [MainThread] INFO     Found 93 security groups in Manage
2026-06-08 15:52:00,910   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:52:00,910   mas.devops.users.MASUserUtils                      [MainThread] INFO     Syncing primary user with email primaryuser@example.com
2026-06-08 15:52:03,143   mas.devops.users.MASUserUtils                      [MainThread] INFO     Creating new user primaryuser
2026-06-08 15:52:11,422   mas.devops.users.MASUserUtils                      [MainThread] INFO     Linking user primaryuser to local IDP using Manage API (version 9.2)
2026-06-08 15:52:12,016   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully linked user primaryuser to local IDP
2026-06-08 15:52:12,017   mas.devops.users.MASUserUtils                      [MainThread] INFO     Setting group reassignment authorization for resource _UFJJTUFSWVVTRVI- with 93 groups
2026-06-08 15:52:12,852   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully set group reassignment authorization for resource _UFJJTUFSWVVTRVI-
2026-06-08 15:52:12,853   mas.devops.users.MASUserUtils                      [MainThread] INFO     Completed sync of primary user primaryuser@example.com
2026-06-08 15:52:12,854   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:52:12,854   mas.devops.users.MASUserUtils                      [MainThread] INFO
2026-06-08 15:52:12,854   mas.devops.users.MASUserUtils                      [MainThread] INFO     Syncing secondary user with email secondaryuser@example.com
2026-06-08 15:52:15,026   mas.devops.users.MASUserUtils                      [MainThread] INFO     Creating new user secondaryuser@example.com
2026-06-08 15:52:23,034   mas.devops.users.MASUserUtils                      [MainThread] INFO     Linking user secondaryuser@example.com to local IDP using Manage API (version 9.2)
2026-06-08 15:52:23,610   mas.devops.users.MASUserUtils                      [MainThread] INFO     Successfully linked user secondaryuser@example.com to local IDP
2026-06-08 15:52:23,611   mas.devops.users.MASUserUtils                      [MainThread] INFO     Completed sync of secondary user secondaryuser@example.com
2026-06-08 15:52:23,612   mas.devops.users.MASUserUtils                      [MainThread] INFO

@tomklapiscak
[patch] Refactor initial user creation code
f60372f 
split into separate code paths for pre/post MAS 9.1 for clarity.

removed unnecessary calls to Core API workspace APIs when running against MAS 9.1

https://jsw.ibm.com/browse/MASCORE-14554
@tomklapiscak
Use mxintadm to create users instead of maxadmin
a14bf7a 
maxadmin does not have apikeyadmin rights so cannot grant it to primary users, mxintadm does.
@tomklapiscak
demote log messages to debug
a767a46
@tomklapiscak tomklapiscak requested a review from a team as a code owner June 8, 2026 14:23
@tomklapiscak tomklapiscak marked this pull request as draft June 8, 2026 14:23
@tomklapiscak tomklapiscak marked this pull request as ready for review June 8, 2026 14:56
@tomklapiscak tomklapiscak requested a review from mnivedithaa June 8, 2026 14:57
@whitfiea whitfiea added this pull request to the merge queue Jun 9, 2026
Merged via the queue into stable with commit add8546 Jun 9, 2026
3 checks passed
@whitfiea whitfiea deleted the mascore14554 branch June 9, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@whitfiea whitfiea whitfiea approved these changes
@mnivedithaa mnivedithaa mnivedithaa approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tomklapiscak @whitfiea @mnivedithaa