20663: Add IgnoredGroups configuration to arvados-login-sync
authorBrett Smith <brett.smith@curii.com>
Fri, 23 Jun 2023 15:24:22 +0000 (11:24 -0400)
committerBrett Smith <brett.smith@curii.com>
Fri, 23 Jun 2023 15:24:22 +0000 (11:24 -0400)
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>

lib/config/config.default.yml
lib/config/export.go
sdk/go/arvados/config.go
services/login-sync/bin/arvados-login-sync

index 921a53578850f646627c631e29a1e3f22e25937b..6ae98157b92c64d5c7009008e9e423738df2b0a6 100644 (file)
@@ -433,6 +433,13 @@ Clusters:
       SyncRequiredGroups:
         - fuse
 
+      # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+      # never modify these groups. If user login permissions list any groups
+      # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+      # belongs to any of these groups, arvados-login-sync will not remove
+      # the account from that group.
+      SyncIgnoredGroups: []
+
     AuditLogs:
       # Time to keep audit logs, in seconds. (An audit log is a row added
       # to the "logs" table in the PostgreSQL database each time an
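Review bot: The new SyncIgnoredGroups comment does not say what happens when a group name appears in both SyncIgnoredGroups and SyncRequiredGroups, yet the arvados-login-sync change in this same commit resolves that overlap in favour of ignoring the group and prints a warning. The default config is where an operator would look for that rule, so it belongs here too. Suggest appending to the comment block: `# A group listed both here and in SyncRequiredGroups is ignored; arvados-login-sync logs a warning about the conflict.`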
index d51b02d6c35d35b6b73226991b641806dc5e9bba..88c64f69a10cf66d641db65f96a51de8a38c7dfd 100644 (file)
@@ -247,6 +247,7 @@ var whitelist = map[string]bool{
        "Users.NewUsersAreActive":                             false,
        "Users.PreferDomainForUsername":                       false,
        "Users.RoleGroupsVisibleToAll":                        false,
+       "Users.SyncIgnoredGroups":                             true,
        "Users.SyncRequiredGroups":                            true,
        "Users.SyncUserAccounts":                              true,
        "Users.SyncUserAPITokens":                             true,
index 62dfca45c1933289b0c118a46e269f825a8261ac..c494769977aae37a2d3155cd591e01f3ec80c63a 100644 (file)
@@ -258,6 +258,7 @@ type Cluster struct {
                RoleGroupsVisibleToAll                bool
                CanCreateRoleGroups                   bool
                ActivityLoggingPeriod                 Duration
+               SyncIgnoredGroups                     []string
                SyncRequiredGroups                    []string
                SyncUserAccounts                      bool
                SyncUserAPITokens                     bool
index d6c718864b662a60cdb407705ffca18ae313722d..cbe8520a002620e0a1520a1fde08552e6a183a3e 100755 (executable)
@@ -65,8 +65,14 @@ begin
   arv = Arvados.new({ :suppress_ssl_warnings => false })
   logincluster_host = ENV['ARVADOS_API_HOST']
   logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+
   # Requiring the fuse group was previous hardcoded behavior
   minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
+  ignored_groups = arv.cluster_config['Users']['SyncIgnoredGroups'] || []
+  (minimum_groups & ignored_groups).each do |group_name|
+    STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."
+  end
+
   actions.each_pair do |key, default|
     actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
   end
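Review bot: The SyncRequiredGroups/SyncIgnoredGroups overlap is only detected at runtime inside arvados-login-sync, so a misconfiguration is reported on every sync run (typically from cron) rather than once when the configuration is loaded. Since this commit already adds the field to the Go config types, it is presumably possible to validate the overlap in the config loader as well so the usual config check surfaces it; worth confirming. As a point of style, `warn "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."` is the idiomatic way to write that message to stderr. The enclosing `begin` block starts and ends outside this hunk.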
@@ -185,9 +191,10 @@ begin
     end
 
     if actions[:SyncUserGroups]
-      have_groups = current_user_groups[username]
+      have_groups = current_user_groups[username] - ignored_groups
       want_groups = l[:groups] || []
       want_groups |= minimum_groups
+      want_groups -= ignored_groups
       want_groups &= all_groups
 
       (want_groups - have_groups).each do |addgroup|
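Review bot: The reason ignored groups are subtracted from `have_groups` as well as from `want_groups` is not stated, and it is the subtle half of the change: removing them from `want_groups` prevents the add loop from ever adding an ignored group, while removing them from `have_groups` is presumably what keeps the later removal pass from taking an account out of one. That removal pass is outside this hunk, so I cannot confirm it is computed from `have_groups`; suggest a comment above the `have_groups` line: `# Drop ignored groups from both sides so they are neither added to nor removed from the account below.` Note also that `current_user_groups[username] - ignored_groups` raises NoMethodError if there is no entry for `username`; the original would have failed at `want_groups - have_groups` in that case anyway, so this is not a regression, but it is worth checking that `current_user_groups` has an entry for every synced user. The enclosing `if actions[:SyncUserGroups]` block continues past the end of the hunk.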