Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove expirations for managed users #47774

Merged
merged 1 commit into from
Oct 30, 2024
Merged

Remove expirations for managed users #47774

merged 1 commit into from
Oct 30, 2024

Conversation

eriktate
Copy link
Contributor

@eriktate eriktate commented Oct 21, 2024
edited
Loading

This PR attempts to remove any password or account expirations from host users managed by Teleport. This will happen during new user creation and when resolving updates against existing managed users. It will not remove expirations from unmanaged users (test coverage for this coming soon). These changes are meant to prevent password expiration warnings, and eventual account disabling, caused by local password policies on some hosts.

changelog: Updated host user creation to prevent local password expiration policies from affecting Teleport managed users.

rosstimothy
rosstimothy reviewed Oct 22, 2024
View reviewed changes
integration/hostuser_test.go Show resolved Hide resolved
lib/utils/host/hostusers.go Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
lib/utils/host/hostusers.go Show resolved Hide resolved
lib/utils/host/hostusers.go
@@ -195,6 +195,63 @@ func GetAllUsers() ([]string, int, error) {
return users, -1, nil
}

func UserHasExpirations(username string) (bool bool, exitCode int, err error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this is following the pattern of other functions in this file of returning an exit code when shelling out to an external binary. However, I wonder if that makes sense from an API perspective. These functions don't expose to users which binaries were being invoked, and are instead meant to abstract away the fact that some other binary is being used. By returning the exit code, we leak that information to callers, without giving them much insight into what the values of the exit codes might mean.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I agree that the exit codes aren't especially useful for any of these functions. I'll submit a separate PR updating utils/host/hostusers.go that removes exit codes from the return types

lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
@aws-amplify-us-west-2 AWS Amplify (us-west-2)
Copy link

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47774.d3pp5qlev8mo18.amplifyapp.com

rosstimothy
rosstimothy reviewed Oct 23, 2024
View reviewed changes
integration/hostuser_test.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
rosstimothy
rosstimothy reviewed Oct 24, 2024
View reviewed changes
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
@eriktate eriktate force-pushed the eriktate/host-user-password-expiration branch from 8f1db91 to 47df5bb Compare October 25, 2024 19:57
@eriktate
Copy link
Contributor Author

@Joerger @strideynet friendly bump 😄

@eriktate
Copy link
Contributor Author

@Joerger @strideynet Sending another nudge

strideynet
strideynet approved these changes Oct 30, 2024
View reviewed changes
lib/utils/host/hostusers.go Show resolved Hide resolved
lib/utils/host/hostusers.go Outdated Show resolved Hide resolved
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from Joerger October 30, 2024 13:17
@eriktate
adding an ending step to host user upsert that removes any expiration…
d435e8a 
…s or password locks for managed teleport users
@eriktate eriktate force-pushed the eriktate/host-user-password-expiration branch from 47df5bb to d435e8a Compare October 30, 2024 14:43
@eriktate eriktate added this pull request to the merge queue Oct 30, 2024
Merged via the queue into master with commit 489bebd Oct 30, 2024
40 checks passed
@eriktate eriktate deleted the eriktate/host-user-password-expiration branch October 30, 2024 15:23
@public-teleport-github-review-bot
Copy link

@eriktate See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Failed
branch/v16 Failed
branch/v17 Create PR

This was referenced Oct 30, 2024
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

@strideynet strideynet strideynet approved these changes

Assignees
No one assigned
Labels
backport/branch/v14 backport/branch/v15 backport/branch/v16 backport/branch/v17 size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eriktate @strideynet @rosstimothy