20663: Make minimum groups configurable
authorBrett Smith <brett.smith@curii.com>
Thu, 22 Jun 2023 14:16:40 +0000 (10:16 -0400)
committerBrett Smith <brett.smith@curii.com>
Thu, 22 Jun 2023 15:17:37 +0000 (11:17 -0400)
Note this no longer adds the user's own group to the membership
list. The administrator can control that by adjusting USERGROUPS_ENAB
in /etc/login.defs.

Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>

services/login-sync/bin/arvados-login-sync

index a3150b8fd20a7d7edad9f2bd557c03d14aa0022c..df986661f4fef8300ee6dbc431b32d38f0717e56 100755 (executable)
@@ -56,6 +56,8 @@ begin
   arv = Arvados.new({ :suppress_ssl_warnings => false })
   logincluster_host = ENV['ARVADOS_API_HOST']
   logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+  # Requiring the fuse group was previous hardcoded behavior
+  minimum_groups = arv.cluster_config['Login']['SyncRequiredGroups'] || ['fuse']
 
   if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID']
     logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host']
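Review bot: The value read from `Login.SyncRequiredGroups` is used as an array without any type check, so a scalar such as `SyncRequiredGroups: fuse` would make the later `groups |= minimum_groups` raise a TypeError for every user. Coercing it where it is read avoids that: `minimum_groups = Array(arv.cluster_config['Login']['SyncRequiredGroups'] || ['fuse'])`. Every name in this list is granted to every synced account, so the comment should say so and warn against listing privileged groups, e.g. `# Applied to ALL synced users; do not list privileged groups (sudo, docker, ...) here.` The existing comment should also read "previously hardcoded". The enclosing `begin` block starts and ends outside this hunk, so how such an exception would be handled is not visible here.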
@@ -167,9 +169,7 @@ begin
 
     existing_groups = current_user_groups[username] || []
     groups = l[:groups] || []
-    # Adding users to the FUSE group has long been hardcoded behavior.
-    groups << "fuse"
-    groups << username
+    groups |= minimum_groups
     groups.select! { |g| Etc.getgrnam(g) rescue false }
 
     groups.each do |addgroup|
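Review bot: A group named in `minimum_groups` that does not exist on the host is dropped silently by the `select!` straight after `groups |= minimum_groups`. A typo in the configured list, or a host without a `fuse` group, therefore leaves users without a group the administrator marked as required, and nothing is reported. Checking the list once where it is read would make this visible, for example `minimum_groups.each { |g| warn "required group #{g} not found" unless (Etc.getgrnam(g) rescue nil) }`. The `groups.each` loop continues outside the hunk, so how the filtered list is used afterwards is not visible here.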