authorCraig Anderson <craig.anderson@att.com>2018-04-10 01:20:11 +0000
committerCraig Anderson <craig.anderson@att.com>2018-04-17 16:36:13 +0000
commite9d71dedb082d04431991b77f63ac2a60790f7ef (patch)
tree895e8470bffe5790c1835ef6c1f73ee5896d517c
parent73e7437b9bbecbcdd006b8ee33460843d2baa593 (diff)
[Bug 404183] Add user purge option to uamlite
purge_expired_users option was added to uamlite chart to allow purging of old user accounts and the data in their home directories. Addressed a corner case where the user could lose system access by specifying ssh key(s) only for the built-in account. Change-Id: Iccfc914eea219521a290c2b5949ccc2d40d8dbb6
-rw-r--r--divingbell/templates/bin/_uamlite.sh.tpl22
-rwxr-xr-xdivingbell/tools/gate/test.sh36
-rw-r--r--docs/source/index.rst10
3 files changed, 59 insertions, 9 deletions
diff --git a/divingbell/templates/bin/_uamlite.sh.tpl b/divingbell/templates/bin/_uamlite.sh.tpl
index 8ec9e8a..53a8e61 100644
--- a/divingbell/templates/bin/_uamlite.sh.tpl
+++ b/divingbell/templates/bin/_uamlite.sh.tpl
@@ -95,12 +95,20 @@ add_sshkeys(){
95 (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}") 95 (rm "${sshkey_file}" && die "Error setting ownership on ${sshkey_dir}")
96 log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}" 96 log.INFO "User '${user_name}' has had SSH keys deployed: ${user_sshkeys}"
97 fi 97 fi
98 custom_sshkeys_present=true 98
99 # In the event that the user specifies ssh keys for the built-in account and
100 # no others, do not expire the built-in account
101 if [ "${user_name}" != "${builtin_acct}" ]; then
102 expire_builtin_acct=true
103 fi
99 fi 104 fi
100 105
101} 106}
102 107
103{{- if hasKey .Values.conf "uamlite" }} 108{{- if hasKey .Values.conf "uamlite" }}
109{{- if hasKey .Values.conf.uamlite "purge_expired_users" }}
110purge_expired_users={{ .Values.conf.uamlite.purge_expired_users | quote }}
111{{- end }}
104{{- if hasKey .Values.conf.uamlite "users" }} 112{{- if hasKey .Values.conf.uamlite "users" }}
105{{- range $item := .Values.conf.uamlite.users }} 113{{- range $item := .Values.conf.uamlite.users }}
106 {{- range $key, $value := . }} 114 {{- range $key, $value := . }}
@@ -126,8 +134,14 @@ if [ -n "$(getent passwd | grep ${keyword} | cut -d':' -f1)" ]; then
126 IFS=$'\n' 134 IFS=$'\n'
127 for user in ${revert_list}; do 135 for user in ${revert_list}; do
128 # We expire rather than delete the user to maintain local UID FS consistency 136 # We expire rather than delete the user to maintain local UID FS consistency
129 usermod --expiredate 1 ${user} 137 # unless purge is explicity requested (remove user and user home dir).
130 log.INFO "User '${user}' has been disabled (expired)" 138 if [ "${purge_expired_users}" = "true" ]; then
139 deluser ${user} --remove-home
140 log.INFO "User '${user}' and home directory have been purged."
141 else
142 usermod --expiredate 1 ${user}
143 log.INFO "User '${user}' has been disabled (expired)"
144 fi
131 done 145 done
132 unset IFS 146 unset IFS
133fi 147fi
@@ -149,7 +163,7 @@ fi
149if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then 163if [ -n "${builtin_acct}" ] && [ -n "$(getent passwd ${builtin_acct})" ]; then
150 # Disable built-in account as long as there was at least one account defined 164 # Disable built-in account as long as there was at least one account defined
151 # in this chart with a ssh key present 165 # in this chart with a ssh key present
152 if [ "${custom_sshkeys_present}" = "true" ]; then 166 if [ "${expire_builtin_acct}" = "true" ]; then
153 if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 | 167 if [ "$(chage -l ${builtin_acct} | grep 'Account expires' | cut -d':' -f2 |
154 tr -d '[:space:]')" = "never" ]; then 168 tr -d '[:space:]')" = "never" ]; then
155 usermod --expiredate 1 ${builtin_acct} 169 usermod --expiredate 1 ${builtin_acct}
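Review bot: The purge branch in the second hunk (new lines 138–140) logs "purged" unconditionally, because the exit status of `deluser ${user} --remove-home` is never checked, so a failed removal is reported as success. Since this step irreversibly deletes a home directory it should fail loudly like the surrounding code does, e.g. `deluser "${user}" --remove-home || die "Error purging user '${user}'"` (quoting the expansion as well). Note also that `deluser` is the Debian adduser-package front end while the rest of this template uses shadow-utils (`usermod`, `chage`); `userdel -r -- "${user}"` would be the consistent choice, worth confirming against the container image. In the third hunk the comment above the renamed `expire_builtin_acct` check is now stale — the condition is no longer "at least one account with a ssh key" but "at least one account other than the built-in one with a ssh key"; suggest `# Disable built-in account only if some *other* account in this chart has a ssh key`. The enclosing function and blocks of all three hunks continue outside them.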
diff --git a/divingbell/tools/gate/test.sh b/divingbell/tools/gate/test.sh
index 5f6f2a3..f7e73ae 100755
--- a/divingbell/tools/gate/test.sh
+++ b/divingbell/tools/gate/test.sh
@@ -511,11 +511,24 @@ _test_user_enabled(){
511 test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 | 511 test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
512 tr -d '[:space:]')" = "never" 512 tr -d '[:space:]')" = "never"
513 else 513 else
514 # If the user exists, verify it's not non-expiring 514 # Verify user is not non-expiring
515 if [ -n "$(getent passwd $username)" ]; then 515 getent passwd $username >& /dev/null
516 test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 | 516 test "$(chage -l ${username} | grep 'Account expires' | cut -d':' -f2 |
517 tr -d '[:space:]')" != "never" 517 tr -d '[:space:]')" != "never"
518 fi 518 fi
519}
520
521_test_user_purged(){
522 username=$1
523
524 # Verify user is no longer defined
525 getent passwd $username >& /dev/null && \
526 echo "Error: User '$username' exists, but was expected it to be purged" && \
527 return 1
528
529 if [ -d /home/$username ]; then
530 echo "Error: User '$username' home dir exists; expected it to be purged"
531 return 1
519 fi 532 fi
520} 533}
521 534
@@ -631,6 +644,19 @@ test_uamlite(){
631 _test_user_enabled ${USERNAME4} false 644 _test_user_enabled ${USERNAME4} false
632 _test_sudo_enabled ${USERNAME4} false 645 _test_sudo_enabled ${USERNAME4} false
633 echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}" 646 echo '[SUCCESS] uamlite test3 passed successfully' >> "${TEST_RESULTS}"
647
648 # Test purge users flag
649 overrides_yaml=${LOGS_SUBDIR}/${FUNCNAME}-set3.yaml
650 echo "conf:
651 uamlite:
652 purge_expired_users: true" > "${overrides_yaml}"
653 install_base "--values=${overrides_yaml}"
654 get_container_status uamlite
655 _test_user_purged ${USERNAME1}
656 _test_user_purged ${USERNAME2}
657 _test_user_purged ${USERNAME3}
658 _test_user_purged ${USERNAME4}
659 echo '[SUCCESS] uamlite test4 passed successfully' >> "${TEST_RESULTS}"
634} 660}
635 661
636# test daemonset value overrides for hosts and labels 662# test daemonset value overrides for hosts and labels
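Review bot: test4 (new lines 648–659 in the second hunk) only asserts that the four chart-defined users are gone, so an over-broad purge that also removed an unrelated account would still pass; since the purge path deletes home directories, add a positive check before the SUCCESS line, e.g. `getent passwd "<name of the built-in account in this file>" >/dev/null || return 1`, so that a surviving non-chart account is part of the pass criterion. In `_test_user_purged` the message `"Error: User '$username' exists, but was expected it to be purged"` is ungrammatical; `"Error: User '$username' exists; expected it to be purged"` matches the home-dir message two lines below. In the first hunk, dropping the `if [ -n "$(getent passwd $username)" ]` guard leaves `getent passwd $username >& /dev/null` with its status unchecked, so the "not non-expiring" check now relies either on `set -e` (not visible here) or on `chage` failing for a missing user — a one-line comment stating which is intended would save the next reader the guess. `_test_user_enabled` and `test_uamlite` both continue outside their hunks.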
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 2af7f0e..4a4e244 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -120,6 +120,7 @@ access. Ex::
120 120
121 conf: 121 conf:
122 uamlite: 122 uamlite:
123 purge_expired_users: false
123 users: 124 users:
124 - user_name: testuser 125 - user_name: testuser
125 user_sudo: True 126 user_sudo: True
@@ -127,6 +128,15 @@ access. Ex::
127 - ssh-rsa AAAAB3N... key1-comment 128 - ssh-rsa AAAAB3N... key1-comment
128 - ssh-rsa AAAAVY6... key2-comment 129 - ssh-rsa AAAAVY6... key2-comment
129 130
131An update to the chart with revmoed users will result in those user's accounts
132being expired, preventing those users any access through those accounts. This
133does not delete their home directory or any other files, and provides UID
134consistency in the event the same account gets re-added later, and they regain
135access to their files again.
136
137However, if it is desired to purge expired and removed accounts and their home
138directories, this may be done by the ``purge_expired_users`` option to ``true``.
139
130Node specific configurations 140Node specific configurations
131---------------------------- 141----------------------------
132 142