Apply static host users to nodes #46365
lib/srv/usermgmt.go
Outdated
return trace.Wrap(err) | ||
} | ||
if hasStaticGroup { | ||
ui.Groups = append(ui.Groups, types.TeleportStaticGroup) |
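Review bot: In the `if hasStaticGroup` branch, `types.TeleportStaticGroup` is appended to `ui.Groups` unconditionally, and nothing in these lines says whether `hasStaticGroup` describes the existing host user or the requested mode. Add a comment stating where `hasStaticGroup` comes from, and skip the append when `ui.Groups` already contains `types.TeleportStaticGroup` so the group list does not carry a duplicate entry.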
Since this is the same path as non-static host user creation, this means a static user's group assignments can be modified if you have a role that allows logging in as that user. Is that something that we should allow? It seems like you might want a static user to always have a particular set of groups assigned, regardless of whether or not a user starts a session against it.
Definitely not. Static host users should be 100% distinct from auto user creation.
Groups will only be updated if both the existing user and mode are static. I think the shared keep mode was obscuring that, it should be clearer now with the internal enum.
lib/srv/statichostusers.go
Outdated
retry, err := retryutils.NewLinear(retryutils.LinearConfig{ | ||
Step: 100 * time.Millisecond, | ||
Max: time.Second, | ||
}) |
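Review bot: The `retryutils.LinearConfig` here sets only `Step` and `Max`, as inline literals (`100 * time.Millisecond`, `time.Second`), and leaves `Jitter` unset. If this retry runs on each node, a one-second ceiling without jitter lets nodes retry in lockstep after a shared failure; consider named constants for the two durations, a larger `Max`, and an explicit `Jitter`.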
I think we should mimic the linear config specified by other resource watchers: https://github.com/gravitational/teleport/blob/master/lib/services/watcher.go#L138-L144.
0e7ae5b to ae23f42
ae23f42 to 5914aab
5914aab to 87e95ec
This change adds functionality to create host users on a node from matching static host user resources.
Part of #42712.
Changelog: Added user provisioning from static host user resources