20663: Add configuration for arvados-login-sync
authorBrett Smith <brett.smith@curii.com>
Thu, 22 Jun 2023 15:10:29 +0000 (11:10 -0400)
committerBrett Smith <brett.smith@curii.com>
Thu, 22 Jun 2023 15:29:30 +0000 (11:29 -0400)
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>

lib/config/config.default.yml
lib/config/export.go
sdk/go/arvados/config.go

index 0fb4a2babdf8057ed8291f7d280887f6d5a99617..921a53578850f646627c631e29a1e3f22e25937b 100644 (file)
@@ -412,6 +412,27 @@ Clusters:
       # Use 0 to disable activity logging.
       ActivityLoggingPeriod: 24h
 
+      # The SyncUser* options control what system resources are managed by
+      # arvados-login-sync on shell nodes. They correspond to:
+      # * SyncUserAccounts: The user's Unix account on the shell node
+      # * SyncUserGroups: The group memberships of that account
+      # * SyncUserSSHKeys: Whether to authorize the user's Arvados SSH keys
+      # * SyncUserAPITokens: Whether to set up the user's Arvados API token
+      # All default to true.
+      SyncUserAccounts: true
+      SyncUserGroups: true
+      SyncUserSSHKeys: true
+      SyncUserAPITokens: true
+
+      # If SyncUserGroups=true, then arvados-login-sync will ensure that all
+      # managed accounts are members of the Unix groups listed in
+      # SyncRequiredGroups, in addition to any groups listed in their Arvados
+      # login permission. The default list includes the "fuse" group so
+      # users can use arv-mount. You can require no groups by specifying an
+      # empty list (i.e., `SyncRequiredGroups: []`).
+      SyncRequiredGroups:
+        - fuse
+
     AuditLogs:
       # Time to keep audit logs, in seconds. (An audit log is a row added
       # to the "logs" table in the PostgreSQL database each time an
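Review bot: The comment block introducing the SyncUser* options says which resource each flag controls but not what happens to resources that were already provisioned when a flag is later set to false — whether previously authorized SSH keys, installed API tokens or group memberships are revoked or merely left unmanaged, which is exactly what an operator turning one of these off for security reasons needs to know. I cannot tell from this change which it is; whichever arvados-login-sync actually does, add a sentence next to `# All default to true.` such as `# Setting an option to false stops arvados-login-sync from managing that resource; it does not remove keys, tokens or memberships that were already set up.` (or the revoking equivalent). The same question applies to SyncRequiredGroups: state whether removing a group from the list drops existing members from it on the next sync. It would also help to say that these options are only read by arvados-login-sync on shell nodes and have no effect on the API server itself, which the first sentence implies but does not state.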
index 31ccc994b910764c6e98c416b81fe23dca4bfc07..d51b02d6c35d35b6b73226991b641806dc5e9bba 100644 (file)
@@ -247,6 +247,11 @@ var whitelist = map[string]bool{
        "Users.NewUsersAreActive":                             false,
        "Users.PreferDomainForUsername":                       false,
        "Users.RoleGroupsVisibleToAll":                        false,
+       "Users.SyncRequiredGroups":                            true,
+       "Users.SyncUserAccounts":                              true,
+       "Users.SyncUserAPITokens":                             true,
+       "Users.SyncUserGroups":                                true,
+       "Users.SyncUserSSHKeys":                               true,
        "Users.UserNotifierEmailBcc":                          false,
        "Users.UserNotifierEmailFrom":                         false,
        "Users.UserProfileNotificationAddress":                false,
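Review bot: The five new entries are marked `true`, which — judging by the map's name and the `false` entries around them — presumably means these values are included in the cluster config exported to clients rather than kept server-side; that looks intended, since arvados-login-sync runs on shell nodes and has to read them, and none of the values is a credential. It does mean `Users.SyncRequiredGroups` publishes the names of Unix groups expected on shell nodes (the default `fuse`), a small disclosure of host configuration to anyone who can fetch the exported config. If that is acceptable, a one-line comment above the block such as `// Sync* settings are exported because arvados-login-sync reads them via the API.` would save the next reviewer repeating this check.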
index 0fafa41f90a8cb34c071f72ac692c1797860a9a8..62dfca45c1933289b0c118a46e269f825a8261ac 100644 (file)
@@ -258,6 +258,11 @@ type Cluster struct {
                RoleGroupsVisibleToAll                bool
                CanCreateRoleGroups                   bool
                ActivityLoggingPeriod                 Duration
+               SyncRequiredGroups                    []string
+               SyncUserAccounts                      bool
+               SyncUserAPITokens                     bool
+               SyncUserGroups                        bool
+               SyncUserSSHKeys                       bool
        }
        StorageClasses map[string]StorageClassConfig
        Volumes        map[string]Volume
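Review bot: `SyncRequiredGroups []string` cannot distinguish "not set" from "explicitly set to an empty list", yet the accompanying config.default.yml comment promises that `SyncRequiredGroups: []` requires no groups while the default is `[fuse]`; whether that override actually takes effect depends on how the config loader merges a user-supplied empty sequence over the default list, which is outside this change. Add a loader test that sets `SyncRequiredGroups: []` and asserts `len(cluster.Users.SyncRequiredGroups) == 0`, so the documented way to drop the `fuse` requirement cannot silently regress to the default. The enclosing `Cluster` struct begins and ends outside this hunk.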