github-authorized-keys
Extra groups or removed users don't get synced
Hi,
I've been trying to deploy your application through the provided helm chart, but while it created all the users in my GitHub team on first run, they never get added to the groups I supplied afterwards (as I forgot on first deploy). Upon deletion of the chart, the application seems to remove the ssh keys, but it leaves the users around. This has the effect that users get left behind on the system of course, but also that upon the next sync/start it finds the user and does not do a full sync of the groups.
> I've been trying to deploy your application through the provided helm chart, but while it created all the users in my GitHub team on first run, they never get added to the groups I supplied afterwards (as I forgot on first deploy).
Hrm... I'll need to look into this. That should work.
> Upon deletion of the chart, the application seems to remove the ssh keys, but it leaves the users around.

This is by design. We don't remove accounts since users might be added/revoked with regularity. For example, added when they are on-call, and revoked when they are off duty. Also, admins might want to audit accounts after having deactivated them.
> application seems to remove the ssh keys
Keys are pulled in real-time from the GitHub API. This is what allows for immediate revocation.
> This has the effect that users get left behind on the system of course, but also that upon the next sync/start it finds the user and does not do a full sync of the groups.

Yes, you're right - this may be an edge case we do not consider. @goruha would this be easy to address?
Leaving the users behind is not a huge deal, especially if by design. Out of curiosity however, when is the LINUX_USER_DEL_TPL then used?
I see from the container logs that the groups are picked up by the agent, but the sync job itself does not pick up on any changes and the users don't have the sudo group, so it seems they are fixed on the groups they were initially created with.
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - c71e4******************************","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - *******","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - ***","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - []","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - /github-authorized-keys","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - ","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /bin/bash","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /host","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 300 seconds","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - true","time":"2017-07-17T09:57:06Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2017-07-17T09:57:06Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2017-07-17T09:57:06Z"}
{"level":"info","msg":"Run ssh integration job on start","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure exec mode for file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommand line in sshd_config","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommandUser line in sshd_config","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Restart ssh","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"job":"sshIntegrate","level":"info","msg":"Output: ","subsystem":"jobs","time":"2017-07-17T09:57:06Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2017-07-17T09:57:06Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
@bcorijn About syncing user groups after a user has been created - that is true - we do not have such a feature. This is easy to add. I'm going to put that in our backlog. But if you are going to use this tool and it blocks you, we can set a high priority for that feature, and will fix it by the end of this week.
@goruha any update on this? Should we close the issue?
@aknysh No. Let it be open. I will fix it when I have free time.
When you add non-existent groups (by mistake), the user gets created but the groups never get added.
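An added example, not part of the thread and not the project's code: one way a sync pass could reconcile group membership for users that already exist, and report configured groups that are absent on the host instead of silently skipping them. `PlanGroups`, `GroupPlan` and the sample `/etc/group` content are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of /etc/group (name:passwd:gid:members), not real data.
const sampleGroupFile = `sudo:x:27:alice
docker:x:998:alice,bob
bob:x:1001:`

// GroupPlan is what one sync pass still has to do for an existing user.
type GroupPlan struct {
	Add     []string // desired groups that exist but do not list the user
	Missing []string // desired groups that are not defined on the host
}

// parseGroups maps each group name to the set of members listed for it.
func parseGroups(groupFile string) map[string]map[string]bool {
	groups := make(map[string]map[string]bool)
	for _, line := range strings.Split(groupFile, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) != 4 {
			continue // blank or malformed line
		}
		members := make(map[string]bool)
		for _, m := range strings.Split(f[3], ",") {
			members[m] = true
		}
		groups[f[0]] = members
	}
	return groups
}

// PlanGroups (hypothetical helper) diffs the configured groups against the host.
func PlanGroups(groupFile, user string, desired []string) GroupPlan {
	groups, plan := parseGroups(groupFile), GroupPlan{}
	for _, g := range desired {
		if members, ok := groups[g]; !ok {
			plan.Missing = append(plan.Missing, g)
		} else if !members[user] {
			plan.Add = append(plan.Add, g)
		}
	}
	return plan
}

func main() { fmt.Printf("%+v\n", PlanGroups(sampleGroupFile, "bob", []string{"sudo", "docker", "wheel"})) }
```

Running the plan on every interval, not only at user creation, is what lets a later change to the configured groups reach existing accounts; a non-empty `Missing` list is worth logging as a warning.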
Is this repo still maintained?