SyncRequiredGroups:
- fuse
+ # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+ # never modify these groups. If user login permissions list any groups
+ # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+ # belongs to any of these groups, arvados-login-sync will not remove
+ # the account from that group.
+ SyncIgnoredGroups: []
+
AuditLogs:
# Time to keep audit logs, in seconds. (An audit log is a row added
# to the "logs" table in the PostgreSQL database each time an
"Users.NewUsersAreActive": false,
"Users.PreferDomainForUsername": false,
"Users.RoleGroupsVisibleToAll": false,
+ "Users.SyncIgnoredGroups": true,
"Users.SyncRequiredGroups": true,
"Users.SyncUserAccounts": true,
"Users.SyncUserAPITokens": true,
RoleGroupsVisibleToAll bool
CanCreateRoleGroups bool
ActivityLoggingPeriod Duration
+ SyncIgnoredGroups []string
SyncRequiredGroups []string
SyncUserAccounts bool
SyncUserAPITokens bool
arv = Arvados.new({ :suppress_ssl_warnings => false })
logincluster_host = ENV['ARVADOS_API_HOST']
logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+
# Requiring the fuse group was previous hardcoded behavior
minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
+ ignored_groups = arv.cluster_config['Users']['SyncIgnoredGroups'] || []
+ (minimum_groups & ignored_groups).each do |group_name|
+ STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."
+ end
+
actions.each_pair do |key, default|
actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
end
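Review bot: The warning printed in the `(minimum_groups & ignored_groups).each` loop ends with "It will be ignored", which does not say whether the group or the duplicate listing is ignored. From the later hunk, `want_groups -= ignored_groups` runs after `want_groups |= minimum_groups`, so the ignore list wins and a group named in both is no longer enforced as required. I would spell that out, e.g. `STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. SyncIgnoredGroups takes precedence; arvados-login-sync will not add or remove accounts in this group."`. The `SyncIgnoredGroups` comment in the config file could state the same precedence. It could also say that membership in an ignored group survives the loss of Arvados login permission, so privilege-granting groups listed there have to be managed by other means.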
end
if actions[:SyncUserGroups]
- have_groups = current_user_groups[username]
+ have_groups = current_user_groups[username] - ignored_groups
want_groups = l[:groups] || []
want_groups |= minimum_groups
+ want_groups -= ignored_groups
want_groups &= all_groups
(want_groups - have_groups).each do |addgroup|