RFD - Static host users #43666
RFD - Static host users #43666
Conversation
atburke
added
the
no-changelog
atburke
force-pushed
the
rfd/0175-static-host-users
branch
from
44e4edf to
4ca25f9
Compare
atburke
force-pushed
the
rfd/0175-static-host-users
branch
from
4ca25f9 to
4dbbb96
Compare
rfd/0175-static-host-users.md
Outdated
| via `static_host_user`s. To that end, all host users created from `static_host_user`s | ||
| will be in the `teleport-created` group (similar to the `teleport-system` group, which | ||
| we currently use to mark users that Teleport should clean up). Teleport will not | ||
| delete users not in `teleport-created`, and new users will not override existing users | ||
| that are not in `teleport-created`. |
There was a problem hiding this comment.
What about existing, potentially ephemeral users in teleport-system? Will they be adopted into teleport-created? If so we'd have to be careful about what happens right around the Teleport upgrade that introduces this feature, if the cluster is already configured for it. I think that we could make the case that if the user is not ephemeral then there's no real reason to override it - and if it is ephemeral, it will eventually get cleaned up by not having a session and then the static configuration can kick in "naturally".
There was a problem hiding this comment.
No, they won't be adopted. All users in teleport-system are ephemeral, so conflicts will be resolved after a session ends just as you described. In any case, I've renamed teleport-created to teleport-static to make it clearer that it's for marking static users, not all Teleport-created users.
| string uid = 4; | ||
| string gid = 5; |
There was a problem hiding this comment.
They're strings here because they're strings in user traits, and I wanted to keep them the same.
public-teleport-github-review-bot
bot
removed request for
lxea,
strideynet and
capnspacehook
This change adds an RFD for static host users. These are just like the users we provision for host user creation except they are provisioned ahead of time instead of when a user connects to a node.
Related: #42712.