X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b9ba9292c7eaa09ccbbcef3ecaaf6aa26fbf6e67..75d2e3a89af09906b76315cf4fedc5e012841fcc:/lib/config/config.default.yml?ds=sidebyside

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 0fb4a2babd..49d62e2980 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -412,6 +412,48 @@ Clusters:
       # Use 0 to disable activity logging.
       ActivityLoggingPeriod: 24h
 
+      # The SyncUser* options control what system resources are managed by
+      # arvados-login-sync on shell nodes. They correspond to:
+      # * SyncUserAccounts: The user's Unix account on the shell node
+      # * SyncUserGroups: The group memberships of that account
+      # * SyncUserSSHKeys: Whether to authorize the user's Arvados SSH keys
+      # * SyncUserAPITokens: Whether to set up the user's Arvados API token
+      # All default to true.
+      SyncUserAccounts: true
+      SyncUserGroups: true
+      SyncUserSSHKeys: true
+      SyncUserAPITokens: true
+
+      # If SyncUserGroups=true, then arvados-login-sync will ensure that all
+      # managed accounts are members of the Unix groups listed in
+      # SyncRequiredGroups, in addition to any groups listed in their Arvados
+      # login permission. The default list includes the "fuse" group so
+      # users can use arv-mount. You can require no groups by specifying an
+      # empty list (i.e., `SyncRequiredGroups: []`).
+      SyncRequiredGroups:
+        - fuse
+
+      # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+      # never modify these groups. If user login permissions list any groups
+      # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+      # belongs to any of these groups, arvados-login-sync will not remove
+      # the account from that group. The default is a set of particularly
+      # security-sensitive groups across Debian- and Red Hat-based
+      # distributions.
+      SyncIgnoredGroups:
+        - adm
+        - disk
+        - kmem
+        - mem
+        - root
+        - shadow
+        - staff
+        - sudo
+        - sys
+        - utempter
+        - utmp
+        - wheel
+
     AuditLogs:
       # Time to keep audit logs, in seconds. (An audit log is a row added
       # to the "logs" table in the PostgreSQL database each time an