From e9d71dedb082d04431991b77f63ac2a60790f7ef Mon Sep 17 00:00:00 2001
From: Craig Anderson
Date: Tue, 10 Apr 2018 01:20:11 +0000
Subject: [PATCH] [Bug 404183] Add user purge option to uamlite

purge_expired_users option was added to uamlite chart to allow purging of old user accounts and the data in their home directories.

Addressed a corner case where the user could lose system access by specifying ssh key(s) only for the built-in account.

Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6
---
 divingbell/templates/bin/_uamlite.sh.tpl | 22 ++++++++++++---
 divingbell/tools/gate/test.sh | 36 ++++++++++++++++++++----
 docs/source/index.rst | 10 +++++++
 3 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/divingbell/templates/bin/_uamlite.sh.tpl b/divingbell/templates/bin/_uamlite.sh.tpl
index 8ec9e8a..53a8e61 100644
--- a/divingbell/templates/bin/_uamlite.sh.tpl
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@@ -95,12 +95,20 @@ add_sshkeys(){
       (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
       log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
     fi
-    custom_sshkeys_present=true
+
+    # In the event that the user specifies ssh keys for the built-in account and
+    # no others, do not expire the built-in account
+    if [ "${user_name}" != "${builtin_acct}" ]; then
+      expire_builtin_acct=true
+    fi
   fi
 }
 {{- if hasKey .Values.conf "uamlite" }}
+{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
+purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
+{{- end }}
 {{- if hasKey .Values.conf.uamlite "users" }}
 {{- range $item := .Values.conf.uamlite.users }}
 {{- range $key, $value := . }}
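Review bot: `expire_builtin_acct` is only ever assigned `true` in this hunk, and the template emits the `purge_expired_users=` line only when the key exists in values, so unless something earlier in the file initialises them both variables are simply unset; the later `[ "${expire_builtin_acct}" = "true" ]` and `[ "${purge_expired_users}" = "true" ]` tests still behave on an empty string, but the defaults stay implicit and would break if the script ever runs under `set -u`. Give each a visible default, e.g. `expire_builtin_acct=false` before the per-user processing and a `{{- else }}` branch with `purge_expired_users=false` in the template block. The renamed flag also deserves a comment at its assignment, since its name no longer describes what it tracks: `# set once any non-built-in account carries ssh keys; gates expiry of builtin_acct below`. add_sshkeys starts before this hunk.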
@@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
   IFS=$'\n'
   for user in ${revert_list}; do
     # We expire rather than delete the user to maintain local UID FS consistency
-    usermod --expiredate 1 ${user}
-    log.INFO "User '${user}' has been disabled (expired)"
+    # unless purge is explicity requested (remove user and user home dir).
+    if [ "${purge_expired_users}" = "true" ]; then
+      deluser ${user} --remove-home
+      log.INFO "User '${user}' and home directory have been purged."
+    else
+      usermod --expiredate 1 ${user}
+      log.INFO "User '${user}' has been disabled (expired)"
+    fi
   done
   unset IFS
 fi
@@ -149,7 +163,7 @@ fi
 if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
   # Disable built-in account as long as there was at least one account defined
   # in this chart with a ssh key present
-  if [ "${custom_sshkeys_present}" = "true" ]; then
+  if [ "${expire_builtin_acct}" = "true" ]; then
     if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
             tr -d '[:space:]')" = "never" ]; then
       usermod --expiredate 1 ${builtin_acct}
diff --git a/divingbell/tools/gate/test.sh b/divingbell/tools/gate/test.sh
index 5f6f2a3..f7e73ae 100755
--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
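Review bot: The purge branch logs success without checking `deluser`, so a failed removal (the user still holding a session, or a host without Debian's `deluser`, where `userdel -r` is the equivalent) leaves the account in place while the log says it was purged. This is the destructive path, so it should fail the way the key-deployment code in add_sshkeys does: `deluser ${user} --remove-home || die "Error purging user '${user}'"`. The comment above it should also say that purge deliberately gives up the UID consistency the expire path preserves, so files owned by that UID outside the home directory are left orphaned, and `explicity` should read `explicitly`. The enclosing `if` begins before this hunk.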
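Review bot: The built-in account is still only expired here even when `purge_expired_users` is `true`; that is presumably intended for a recovery account, but nothing says so, and a reader comparing this with the purge branch in the revert loop will wonder whether it was overlooked. Add a comment at the `if`: `# The built-in account is never purged, only expired, regardless of purge_expired_users`. The two comment lines above the `if` should also be updated to match the renamed flag, which is set only when a non-built-in user carries ssh keys, e.g. `# ... at least one account other than the built-in one defined with a ssh key present`. The `if` body continues past the end of the hunk.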
@@ -511,11 +511,24 @@ _test_user_enabled(){
     test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
             tr -d '[:space:]')" = "never"
   else
-    # If the user exists, verify it's not non-expiring
-    if [ -n "$(getent passwd $username)" ]; then
-      test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
-              tr -d '[:space:]')" != "never"
-    fi
+    # Verify user is not non-expiring
+    getent passwd $username >& /dev/null
+    test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
+            tr -d '[:space:]')" != "never"
+  fi
+}
+
+_test_user_purged(){
+  username=$1
+
+  # Verify user is no longer defined
+  getent passwd $username >& /dev/null && \
+    echo "Error: User '$username' exists, but was expected it to be purged" && \
+    return 1
+
+  if [ -d /home/$username ]; then
+    echo "Error: User '$username' home dir exists; expected it to be purged"
+    return 1
   fi
 }
@@ -631,6 +644,19 @@ test_uamlite(){
   _test_user_enabled ${USERNAME4} false
   _test_sudo_enabled ${USERNAME4} false
   echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
+
+  # Test purge users flag
+  overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
+  echo "conf:
+  uamlite:
+    purge_expired_users: true" > "${overrides_yaml}"
+  install_base "--values=${overrides_yaml}"
+  get_container_status uamlite
+  _test_user_purged ${USERNAME1}
+  _test_user_purged ${USERNAME2}
+  _test_user_purged ${USERNAME3}
+  _test_user_purged ${USERNAME4}
+  echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
 }
 # test daemonset value overrides for hosts and labels
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 2af7f0e..4a4e244 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -120,6 +120,7 @@ access. Ex::
   conf:
     uamlite:
+      purge_expired_users: false
       users:
         - user_name: testuser
           user_sudo: True
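Review bot: The new `getent passwd $username >& /dev/null` line in `_test_user_enabled` has no effect on the check: its exit status is neither tested nor used, so the function no longer distinguishes an expired user from a missing one (`chage -l` on an absent user most likely yields an empty string, which also compares `!= "never"`), and if the gate script runs with `set -e` a missing user would instead abort the run without a message. Since test3 expects expired-but-present users and test4 expects purged ones, make the existence requirement explicit: `getent passwd "$username" > /dev/null || { echo "Error: User '$username' does not exist"; return 1; }`. `>&` followed by a file is an ambiguous bash-only spelling; `> /dev/null 2>&1` or `&>` reads unambiguously, and `$username` in the `[ -d /home/$username ]` test of `_test_user_purged` should be quoted. `_test_user_enabled` starts before this hunk.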
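Review bot: test4 asserts only that the four chart users are gone; it does not assert that the built-in account survives a purge run, which is the lockout case the commit message says it addresses and which, judging by the `usermod --expiredate` path in _uamlite.sh.tpl, is meant to be expired rather than deleted. Add an existence check for the built-in account after `get_container_status uamlite`, e.g. `getent passwd "$builtin_user" > /dev/null || { echo "Error: built-in account was purged"; return 1; }` (where `$builtin_user` is a placeholder for whatever name the gate script uses for that account). The override YAML is written with `echo` and relies on embedded indentation; a heredoc (`cat <<'EOF' > "${overrides_yaml}"`) would keep that layout visible to the reader. test_uamlite starts before this hunk.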
@@ -127,6 +128,15 @@ access. Ex::
         - ssh-rsa AAAAB3N... key1-comment
         - ssh-rsa AAAAVY6... key2-comment
+An update to the chart with revmoed users will result in those user's accounts
+being expired, preventing those users any access through those accounts. This
+does not delete their home directory or any other files, and provides UID
+consistency in the event the same account gets re-added later, and they regain
+access to their files again.
+
+However, if it is desired to purge expired and removed accounts and their home
+directories, this may be done by the ``purge_expired_users`` option to ``true``.
+
 Node specific configurations
 ----------------------------