Windows user creation #24780
Changes from 26 commits
I could be mistaken, but my understanding is that a role that allows for creating users looks like

and that such a role would only allow a user to create the `DBAdmin` user with the given `desktop_groups` on nodes with the labels `env: staging` or `env: test`. However, afaict, the certificate created here won't restrict the system to only creating the `DBAdmin` user in those groups -- for example, a user might have another role like

In that case, the user's intention would be to only allow `SystemAdmin` to be created and given the `reader` group on `env: staging/test` nodes; however `groups, err := authCtx.Checker.DesktopGroups(desktop)` would result in `groups = ["reader", "writer", "{{external.desktop_groups}}"]` and `createUsers` would be true. In which case, if the user were logging in as `SystemAdmin`, that user would be created and then added to all of `["reader", "writer", "{{external.desktop_groups}}"]`.
Yes, this is how it would work. This behavior matches what we have in server access: login is not considered there when gathering groups, only node labels, `host_groups` and `create_host_user`.
Gotcha. I see that as an error prone API design and think we should reconsider making it "role-bound", but beyond the scope here.
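To make the behaviour discussed in this thread concrete, here is an added, self-contained model of the two aggregation strategies. It is example code written for this review, not Teleport's code: the `Role`, `Desktop` and `Labels` types, the `DesktopGroupsByLabels` / `DesktopGroupsForLogin` functions and the group lists assigned to the `DBAdmin` role are all assumptions chosen to reproduce the reviewer's `["reader", "writer", "{{external.desktop_groups}}"]` result. The first function matches roles on desktop labels only, as the maintainer confirms is the case today; the second is the "role-bound" alternative, where a role only contributes its groups and create flag when it also permits the login being used.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels is a simplified label selector: a role matches a desktop when every
// key in the selector is present on the desktop with one of the listed values
// (or "*"). Hypothetical model, not Teleport's label matching.
type Labels map[string][]string

// Role is a hypothetical model of the role fields discussed in the review.
type Role struct {
	Name          string
	Logins        []string // Windows logins the role permits
	DesktopGroups []string // groups a created user is added to
	CreateUsers   bool     // whether the role allows user creation
	Labels        Labels   // desktop label selector
}

// Desktop carries only the labels needed for matching.
type Desktop struct {
	Labels map[string]string
}

// Match reports whether the desktop satisfies every key in the selector.
func (l Labels) Match(d Desktop) bool {
	for key, allowed := range l {
		val, ok := d.Labels[key]
		if !ok || (!contains(allowed, val) && !contains(allowed, "*")) {
			return false
		}
	}
	return true
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// collect unions the groups and create flags of every role accepted by keep.
// Output is sorted so callers get deterministic results.
func collect(roles []Role, keep func(Role) bool) ([]string, bool) {
	set := map[string]struct{}{}
	create := false
	for _, r := range roles {
		if !keep(r) {
			continue
		}
		create = create || r.CreateUsers
		for _, g := range r.DesktopGroups {
			set[g] = struct{}{}
		}
	}
	out := make([]string, 0, len(set))
	for g := range set {
		out = append(out, g)
	}
	sort.Strings(out)
	return out, create
}

// DesktopGroupsByLabels reproduces the behaviour described in the thread:
// every role whose labels match the desktop contributes, and the login the
// session uses is never consulted.
func DesktopGroupsByLabels(roles []Role, d Desktop) ([]string, bool) {
	return collect(roles, func(r Role) bool { return r.Labels.Match(d) })
}

// DesktopGroupsForLogin is the "role-bound" alternative: a role contributes
// only if it matches the desktop and also permits the requested login.
func DesktopGroupsForLogin(roles []Role, d Desktop, login string) ([]string, bool) {
	return collect(roles, func(r Role) bool {
		return r.Labels.Match(d) && contains(r.Logins, login)
	})
}

// ExampleRoles builds the two roles from the review comment. The DBAdmin
// role's groups are an assumption made to reproduce the reviewer's output.
func ExampleRoles() []Role {
	env := Labels{"env": {"staging", "test"}}
	return []Role{
		{Name: "db-admin", Logins: []string{"DBAdmin"}, CreateUsers: true, Labels: env,
			DesktopGroups: []string{"writer", "{{external.desktop_groups}}"}},
		{Name: "sys-admin", Logins: []string{"SystemAdmin"}, CreateUsers: true, Labels: env,
			DesktopGroups: []string{"reader"}},
	}
}

func main() {
	roles := ExampleRoles()
	staging := Desktop{Labels: map[string]string{"env": "staging"}}
	groups, create := DesktopGroupsByLabels(roles, staging)
	fmt.Printf("label-only, login=SystemAdmin: create=%v groups=%v\n", create, groups)
	groups, create = DesktopGroupsForLogin(roles, staging, "SystemAdmin")
	fmt.Printf("role-bound, login=SystemAdmin: create=%v groups=%v\n", create, groups)
}
```

Running it shows the difference the reviewer raised: with label-only matching a `SystemAdmin` session on an `env: staging` desktop is created and added to `reader`, `writer` and `{{external.desktop_groups}}`, while the role-bound variant yields only `reader`, and yields nothing at all (and no create permission) on a desktop whose labels no role matches.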