
[Bug 404183] Add user purge option to uamlite

A purge_expired_users option was added to the uamlite chart to allow purging of
old user accounts and the data in their home directories.

Addressed a corner case where the user could lose system access by specifying
ssh key(s) only for the built-in account.

Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6
Craig Anderson 1 year ago
parent
commit
e9d71dedb0
3 changed files with 59 additions and 9 deletions
  1. 18
    4
      divingbell/templates/bin/_uamlite.sh.tpl
  2. 31
    5
      divingbell/tools/gate/test.sh
  3. 10
    0
      docs/source/index.rst

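--- a/divingbell/templates/bin/_uamlite.sh.tpl
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@@ -95,12 +95,20 @@ add_sshkeys(){
         (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
       log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
     fi
-    custom_sshkeys_present=true
+
+    # In the event that the user specifies ssh keys for the built-in account and
+    # no others, do not expire the built-in account
+    if [ "${user_name}" != "${builtin_acct}" ]; then
+      expire_builtin_acct=true
+    fi
   fi
 
 }
 
 {{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
+purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
+{{- end }}
 {{- if hasKey .Values.conf.uamlite "users" }}
 {{- range $item := .Values.conf.uamlite.users }}
   {{- range $key, $value := . }}
@@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
   IFS=$'\n'
   for user in ${revert_list}; do
     # We expire rather than delete the user to maintain local UID FS consistency
-    usermod --expiredate 1 ${user}
-    log.INFO "User '${user}' has been disabled (expired)"
+    # unless purge is explicity requested (remove user and user home dir).
+    if [ "${purge_expired_users}" = "true" ]; then
+      deluser ${user} --remove-home
+      log.INFO "User '${user}' and home directory have been purged."
+    else
+      usermod --expiredate 1 ${user}
+      log.INFO "User '${user}' has been disabled (expired)"
+    fi
   done
   unset IFS
 fi
@@ -149,7 +163,7 @@ fi
 if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
   # Disable built-in account as long as there was at least one account defined
   # in this chart with a ssh key present
-  if [ "${custom_sshkeys_present}" = "true" ]; then
+  if [ "${expire_builtin_acct}" = "true" ]; then
     if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
           tr -d '[:space:]')" = "never" ]; then
       usermod --expiredate 1 ${builtin_acct}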
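Review bot: The purge branch in the `for user in ${revert_list}` loop logs "purged" whether or not `deluser` succeeded, and `deluser` is the Debian adduser-package front end (the shadow-utils equivalent is `userdel -r`), so on a host without it the account survives while the log claims it was removed. Because this path is destructive and irreversible, check the status the way add_sshkeys already does with `die`: `deluser ${user} --remove-home || die "Error purging user '${user}'"`. The purge applies to every account in revert_list, including ones expired by earlier runs; how revert_list is assembled is outside this hunk, so a comment such as `# WARNING: irreversible - deletes the account and its home directory` above the deluser line would help the next maintainer. Separately, the comment above the `expire_builtin_acct` check in the last hunk still says "at least one account ... with a ssh key present", but the flag is now only set for an account other than the built-in; suggest `# in this chart, other than the built-in account, with a ssh key present`.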

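--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
@@ -511,11 +511,24 @@ _test_user_enabled(){
     test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
             tr -d '[:space:]')" = "never"
   else
-    # If the user exists, verify it's not non-expiring
-    if [ -n "$(getent passwd $username)" ]; then
-      test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
-              tr -d '[:space:]')" != "never"
-    fi
+    # Verify user is not non-expiring
+    getent passwd $username >& /dev/null
+    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+            tr -d '[:space:]')" != "never"
+  fi
+}
+
+_test_user_purged(){
+  username=$1
+
+  # Verify user is no longer defined
+  getent passwd $username >& /dev/null && \
+    echo "Error: User '$username' exists, but was expected it to be purged" && \
+    return 1
+
+  if [ -d /home/$username ]; then
+    echo "Error: User '$username' home dir exists; expected it to be purged"
+    return 1
   fi
 }
 
@@ -631,6 +644,19 @@ test_uamlite(){
   _test_user_enabled ${USERNAME4} false
   _test_sudo_enabled ${USERNAME4} false
   echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test purge users flag
+  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
+  echo "conf:
+  uamlite:
+    purge_expired_users: true" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_purged ${USERNAME1}
+  _test_user_purged ${USERNAME2}
+  _test_user_purged ${USERNAME3}
+  _test_user_purged ${USERNAME4}
+  echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
 }
 
 # test daemonset value overrides for hosts and labels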
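Review bot: In the else branch of `_test_user_enabled` the exit status of `getent passwd $username >& /dev/null` is discarded, so that line asserts nothing unless the script runs under `set -e`, which is not visible here; when the user is missing, `chage -l` fails, its stdout is empty, and the `!= "never"` test passes silently. If a missing (purged) user is meant to count as disabled, say so and drop the getent line, e.g. `# A missing (purged) user also counts as disabled`; if the user must still exist, make the lookup the assertion: `getent passwd $username >/dev/null 2>&1 || return 1`. `>&` is a bash-only redirection form; `>/dev/null 2>&1` works under any shell the gate might use. `_test_user_enabled` begins before this hunk.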

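--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -120,6 +120,7 @@ access. Ex::
 
     conf:
       uamlite:
+        purge_expired_users: false
         users:
         - user_name: testuser
           user_sudo: True
@@ -127,6 +128,15 @@ access. Ex::
          - ssh-rsa AAAAB3N... key1-comment
          - ssh-rsa AAAAVY6... key2-comment
 
+An update to the chart with revmoed users will result in those user's accounts
+being expired, preventing those users any access through those accounts. This
+does not delete their home directory or any other files, and provides UID
+consistency in the event the same account gets re-added later, and they regain
+access to their files again.
+
+However, if it is desired to purge expired and removed accounts and their home
+directories, this may be done by the ``purge_expired_users`` option to ``true``.
+
 Node specific configurations
 ----------------------------
 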
