Support specifying extra groups in broker config file
There is a use case where administrators want to automatically add authd users to a list of local groups when they connect. For the Entra ID broker, that's supported by adding the users to a linux-{group} group in Entra, but for the Google IAM broker that's currently not supported.
We could support an option in the broker's config file for that, for example:
```ini
[users]
## A comma-separated list of local groups which authd users will be
## added to upon login.
#extra_groups = users
```
We could also support another option to specify groups which only the owner is added to:
```ini
## Like 'extra_groups', but only the owner will be added to these groups.
#owner_extra_groups = sudo,lpadmin
```
Refs:
- https://github.com/ubuntu/authd/discussions/784
- https://github.com/canonical/canonical-laptops/issues/107
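As an added example (not authd's code, and not part of the original post), here is how a broker could parse the `[users]` settings proposed above and decide which local groups a user gets on login. It assumes an INI-style file with `#` comments and comma-separated values, and that the broker determines `isOwner` elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GroupsFor parses the broker config and returns the local groups a user gets on
// login. Assumed format (from the proposal above): INI-style, '#' comments, comma-
// separated values; extra_groups for everyone, owner_extra_groups only if isOwner.
func GroupsFor(cfg string, isOwner bool) ([]string, error) {
	want := map[string]bool{"extra_groups": true, "owner_extra_groups": isOwner}
	seen := map[string]bool{}
	var groups []string
	section := ""
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' { // blank line or comment
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = line[1 : len(line)-1]
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, errors.New("malformed config line: " + line)
		}
		// Only the two [users] keys matter; anything else is ignored.
		if section != "users" || !want[strings.TrimSpace(key)] {
			continue
		}
		// Trim whitespace, drop empty items and duplicates, keep file order.
		for _, g := range strings.Split(val, ",") {
			if g = strings.TrimSpace(g); g != "" && !seen[g] {
				seen[g] = true
				groups = append(groups, g)
			}
		}
	}
	return groups, nil
}

func main() {
	// Constructed sample config mirroring the two options proposed in the thread.
	const cfg = "[users]\nextra_groups = users\nowner_extra_groups = sudo,lpadmin\n"
	groups, _ := GroupsFor(cfg, true)
	fmt.Println(strings.Join(groups, ",")) // prints "users,sudo,lpadmin"
}
```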
This functionality will also be useful for Entra ID. The main difference is that when adding to the admin group via Entra ID, the user gets this access on all devices, but if you give local admin access via the configuration file, the user will get this access only on a specific device.
What about having per-user configuration too?
I mean something like:
```ini
[users]
## A comma-separated list of local groups which authd users will be
## added to upon login.
#extra_groups = users

## Per user overrides:
[user:[email protected]]
extra_groups = bar
exclude_groups = users

## Special owner case
[user:OWNER]
extra_groups = sudo,adm

## Maybe to consider:
[users:*@specific-domain.com]
ssh_allowed = false
extra_groups = localonly
```
So this could be used for username mapping too, if we need it in the future.
> What about having per-user configuration too?
FTR, we (@3v1n0 and I) discussed this in a HO and agreed to go with the simpler setting in the users section for now, potentially coming back to the per-user settings if users request that feature.