Host user creation does not update user groups in keep mode #41178

Closed
r0mant opened this issue May 3, 2024 · 1 comment · Fixed by #41919
Labels
bug c-ip Internal Customer Reference server-access

Comments

Collaborator

r0mant commented May 3, 2024

Suppose I have a role that uses "create_host_user_mode: keep".

kind: role
metadata:
  name: role-1
spec:
  allow:
    host_groups:
    - group-1
    logins:
    - '{{external.username}}'
    node_labels:
      hostname:
      - proxy-*
  deny: {}
  options:
    create_host_user_mode: keep
version: v7

When I use this role to tsh ssh to a server for the first time, the Teleport agent creates the user and adds it to the pre-existing group "group-1".

Then, I edit the role, and add another entry to "host_groups":

host_groups:
  - group-1
  - group-2

I log out from the server and tsh ssh to it again (also tried a full-blown Teleport logout/login).

Teleport does not create the group group-2, and the user is not in that group.
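
One way to confirm the drift described in this issue on a node, as an added example (not Teleport code and not from the issue author): compare the role's host_groups with the node's passwd and group data and report groups that do not exist separately from groups the user is not in. The user name alice and the sample file contents are constructed, and the check assumes accounts backed by local files rather than LDAP or SSSD.

```python
# Added example: compare a role's host_groups with what exists on the node.
# SAMPLE_* are constructed, shaped like /etc/passwd and /etc/group after the
# first login in the issue (role listed only group-1); "alice" is hypothetical.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nalice:x:1001:\ngroup-1:x:1002:alice\n"


def parse_groups(group_text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in group_text.splitlines():
        if line.startswith("#") or line.count(":") < 3:
            continue  # skip comments and malformed entries
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def primary_gid(passwd_text, user):
    """Return the user's primary GID (4th passwd field)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            return int(fields[3])
    raise KeyError(f"user {user!r} not found")


def host_group_drift(user, role_host_groups, passwd_text, group_text):
    """Report role groups missing on the host and groups the user is not in."""
    groups = parse_groups(group_text)
    pgid = primary_gid(passwd_text, user)
    drift = {"group_missing": [], "user_not_member": []}
    for name in role_host_groups:
        if name not in groups:
            drift["group_missing"].append(name)
            continue
        gid, members = groups[name]
        # Membership is either supplementary (listed) or via the primary GID.
        if user not in members and gid != pgid:
            drift["user_not_member"].append(name)
    return drift


if __name__ == "__main__":
    # Role after the edit in the issue: host_groups = [group-1, group-2]
    print(host_group_drift("alice", ["group-1", "group-2"],
                           SAMPLE_PASSWD, SAMPLE_GROUP))
```

On a real node, pass the contents of /etc/passwd and /etc/group and the login the role resolves to instead of the constructed samples.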

r0mant added the bug label May 3, 2024
webvictim added the c-ip Internal Customer Reference label May 9, 2024

okunc commented May 10, 2024

This is very much needed in our use case - i.e. use Okta > Teleport > Linux group propagation. We don't want to manage users and groups on the Linux level, we only care to do it in Okta and let Teleport do the business [the way it was designed].

Thanks a lot for raising this, and looking forward to a fix!
