Offering Users and Async User Creation
The Waldur Site Agent provides robust support for managing offering users with asynchronous username generation and state management. This system enables non-blocking user processing and supports complex username generation scenarios through a pluggable backend architecture.
Overview
Offering users represent the relationship between Waldur users and marketplace offerings. The agent handles username generation, state transitions, and integration with backend systems to ensure users can access provisioned resources.
Async User Creation Workflow
State Machine
The async user creation follows a state-based workflow that prevents blocking operations:
stateDiagram-v2
[*] --> REQUESTED : User requests access
REQUESTED --> CREATING : Begin username generation
CREATING --> OK : Username successfully created
CREATING --> PENDING_ACCOUNT_LINKING : Manual linking required
CREATING --> PENDING_ADDITIONAL_VALIDATION : Additional validation needed
PENDING_ACCOUNT_LINKING --> OK : Username generation succeeds on retry
PENDING_ADDITIONAL_VALIDATION --> OK : Username generation succeeds on retry
OK --> [*] : User ready for resource access
State Descriptions
- REQUESTED: Initial state when user requests access to an offering
- CREATING: Transitional state during username generation process
- OK: Username successfully generated and user is ready for resource access
- PENDING_ACCOUNT_LINKING: Manual intervention required to link user accounts
- PENDING_ADDITIONAL_VALIDATION: Additional validation steps needed before proceeding
Core Components
Main Functions
sync_offering_users()
Entry point function that processes all offering users across configured offerings.
Usage:
1 |
|
Behavior:
- Iterates through all configured offerings
- Retrieves offering users from Waldur API
- Delegates processing to
update_offering_users()
update_offering_users()
Core processing function that handles username generation and state transitions.
Process:
1. Early validation checks (empty users list, username generation policy)
2. Username management backend validation (skips if UnknownUsernameManagementBackend)
3. Efficient user grouping by state (single pass through users)
4. Processes users in REQUESTED state via _process_requested_users()
5. Handles users in pending states via _process_pending_users()
6. Manages state transitions and centralized error handling
New Architecture: The function has been refactored into focused sub-functions:
- _can_generate_usernames()
: Policy validation
- _group_users_by_state()
: Efficient user categorization
- _process_requested_users()
: Handle new username requests
- _process_pending_users()
: Process retry scenarios
- _update_user_username()
: Individual user processing
- _handle_account_linking_error()
: Account linking error management
- _handle_validation_error()
: Validation error management
Username Management Backend System
The agent uses a pluggable backend architecture for username generation, allowing custom implementations for different identity providers and naming conventions.
Backend Validation
The system now includes early validation to skip processing when no valid username management backend is available:
- UnknownUsernameManagementBackend: Fallback backend that returns empty usernames
- Early Exit: Processing is skipped if
UnknownUsernameManagementBackend
is detected - Performance Optimization: Prevents unnecessary API calls when username generation isn't possible
Base Abstract Class
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
|
Plugin Registration
Register your backend via entry points in pyproject.toml
:
1 2 |
|
Built-in Backends
- base: Basic username management backend (plugins/basic_username_management/)
- UnknownUsernameManagementBackend: Fallback backend when configuration is missing or invalid
- Returns empty usernames for all requests
- Triggers early exit from processing to improve performance
- Used automatically when
username_management_backend
is not properly configured
Configuration
Offering Configuration
Configure username management per offering in your agent configuration:
1 2 3 4 5 6 7 8 9 |
|
Prerequisites
- Service Provider Username Generation: The offering must be configured
with
username_generation_policy = SERVICE_PROVIDER
in Waldur - Backend Plugin: Appropriate username management backend must be installed and configured
- Permissions: API token must have permissions to manage offering users
Integration with Order Processing
The async user creation system is seamlessly integrated with the agent's order processing workflows:
Automatic Processing
Username generation is automatically triggered during: - Resource creation orders - User addition to existing resources - Membership synchronization operations
Implementation in Processors
The OfferingBaseProcessor
class provides _update_offering_users()
method that:
- Calls username generation for users with blank usernames
- Refreshes offering user data after processing
- Filters users to only include those with valid usernames for resource operations
Example usage in order processing:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
Performance Improvements: - Conditional refresh only when usernames are actually updated - Early validation prevents unnecessary processing - Efficient user state grouping reduces multiple iterations - Backend validation prevents wasted API calls
Error Handling
Exception Types
The system defines specific exceptions for different error scenarios:
OfferingUserAccountLinkingRequiredError
: Raised when manual account linking is requiredOfferingUserAdditionalValidationRequiredError
: Raised when additional validation steps are needed
Both exceptions support an optional comment_url
parameter to provide links to forms, documentation, or
other resources needed for error resolution.
Error Recovery
When exceptions occur: 1. User state transitions to appropriate pending state 2. Error details are logged with context 3. Comment field is updated with error message and comment_url field with any provided URL 4. Processing continues for other users 5. Pending users are retried in subsequent runs
Best Practices
Username Backend Implementation
- Idempotent Operations: Ensure
get_or_create_username()
can be called multiple times safely - Error Handling: Raise appropriate exceptions for recoverable errors
- Logging: Include detailed logging for troubleshooting
- Validation: Validate generated usernames meet backend system requirements
- Performance Considerations: Implement efficient lookup mechanisms to avoid blocking operations
- Backend Validation: Return empty strings when username generation is not supported
Deployment Considerations
- Regular Sync: Run
waldur_sync_offering_users
regularly via cron or systemd timer - Monitoring: Monitor pending user states for manual intervention needs
- Backup Strategy: Consider username mapping backup for disaster recovery
- Testing: Test username generation logic thoroughly before production deployment
- Backend Configuration: Ensure proper
username_management_backend
configuration to avoid UnknownUsernameManagementBackend fallback - Performance Tuning: Monitor processing times and adjust batch sizes if needed
- Error Recovery: Set up alerting for persistent pending states that may require manual intervention
Troubleshooting
Diagnostic Commands
1 2 3 4 5 6 7 8 9 |
|