Deleted account name and uid blocked #363
UPDATE: My custom Terraform provider created two accounts using the "--uid-auto" option. Both tried to create an account with the same uid, creating an error. But I don't know why the bastion has blocked the name or the uid.
Hey @Pierrelefort,

Nice to hear that you're working on a Terraform provider! This is actually on my backlog because we also have the need internally, especially to handle adding/removing of IPs in bastion groups (in that case, the account used by Terraform would be an aclkeeper of these groups). I'll open-source it when it's ready (as we've done with the ansible wrapper).

Now about your issue, do you have an exact list of steps to reproduce? I've tried creating two accounts with --uid-auto, deleting the first one, then creating a third one with --uid-auto, I can't seem to stumble upon it. On your screenshots, it would imply that the "test" account no longer exists, but its primary group (also named "test") is still there, as if the account deletion process had been interrupted; but that's just what I'm trying to infer based on your screenshots.

To get more info, you might want to try running the
Hi @speed47 (I'm working with @Pierrelefort), I've sent you an email related to this ongoing work, which is going to be open source as well. We've focused first on users, groups and server IPs. If you'd like to sync up, it seems we'd both benefit from joining forces.
Hey @ogirardot, just replied to your email, I missed it originally!
We are close to opening the repository to the public! In our case we went with an admin account for its impersonation method (adminSudo) to remove/add ingress keys for users.
It happened when we tried to create two users with the option --uid-auto in parallel calls. When Terraform wants to create resources (here, missing users), it creates them in parallel. When we debugged the issue, we found out thebastion returns the same uid on those parallel calls. Since we cannot change Terraform's behaviour easily we decided to avoid

I managed to reproduce the error with a log:
This log is quite verbose but you can see with:
Then I ran the following commands on my bastion server:

poweruser@fix-my-config-please-missing-bastion-name(master)> accountList
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ list bastion accounts
├───────────────────────────────────────────────────────────────────────────────
│ healthcheck 9999
│ poweruser 9998
│ test2 9997
╰──────────────────────────────────────────────────────────────</accountList>───
poweruser@fix-my-config-please-missing-bastion-name(master)> accountDelete --account test2 --no-confirm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ delete an existing bastion account
├───────────────────────────────────────────────────────────────────────────────
│ ❗ Hint: account test2 is currently ACTIVE (i.e. not disabled), think twice before removing it!
│
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
│ Backing up home directory...
*** Deleting account 'test2' sudoers file
`-> ... deleting /etc/sudoers.d/osh-account-test2_126a8a
`-> [ OK ]
│ Backup done
│ Removing 'test2' group membership from 'keyreader' user
│ Deleting system user 'test2'...
│ Deleting group test2-tty...
│ Account test2 has been deleted
╰────────────────────────────────────────────────────────────</accountDelete>───
poweruser@fix-my-config-please-missing-bastion-name(master)> accountCreate --account test1 --uid 9997 --no-key
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ create a new bastion account
├───────────────────────────────────────────────────────────────────────────────
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_TERMINAL = "iTerm2",
LANG = "fr_FR.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
│
│ ⛔ The group test1 already exists
╰────────────────────────────────────────────────────────────</accountCreate>───

Hope that will help you understand the issue!
We got the following response from the bastion server:

root@arkhn-bastion: ~# /opt/bastion/bin/admin/check-consistency.pl
found 3 key groups
found 22 bastion users
found 166 groups
Okay, so this is clearly a race condition when two creations happen exactly at the same time. I can add a mutex there to avoid two simultaneous creations from picking the same UID. Thanks for the detailed report! 👍 I'll have a branch for you to test with Terraform, using
Could you try the branch of PR #377?
I tried the branch of the PR with the same operations I did for the log and it works fine!
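The race diagnosed in this thread, as an added example (not the bastion's code and not the change in PR #377): two parallel creations both pick the next free UID before either has registered its account, and an exclusive file lock around the pick-and-create step serializes them. The in-memory registry, the UID range, the pick-the-highest policy and the lock path are assumptions made for illustration.

```python
import fcntl
import threading
import time

UID_RANGE = range(9000, 10000)  # constructed range, not the bastion's config

def next_free_uid(registry):
    """Check step: highest unused UID (assumed policy, for illustration)."""
    used = set(registry.values())
    return max(uid for uid in UID_RANGE if uid not in used)

def create_account(registry, name, lock_path=None, pause=lambda: None):
    """Pick a UID, then register it; hold an exclusive flock if lock_path is set."""
    lock_fh = open(lock_path, "w") if lock_path else None
    try:
        if lock_fh:
            fcntl.flock(lock_fh, fcntl.LOCK_EX)  # wait for any creation in progress
        uid = next_free_uid(registry)  # check
        pause()                        # window in which a parallel call can run
        registry[name] = uid           # act
        return uid
    finally:
        if lock_fh:
            lock_fh.close()            # closing the file releases the lock

def run_parallel(lock_path=None):
    """Create test1 and test2 at the same time; return {name: uid}."""
    registry = {"healthcheck": 9999, "poweruser": 9998}  # constructed sample
    if lock_path is None:
        # Force the bad interleaving: both callers finish the check before either acts.
        pause = threading.Barrier(2).wait
    else:
        pause = lambda: time.sleep(0.05)  # stand-in for account-creation latency
    results = {}

    def worker(name):
        results[name] = create_account(registry, name, lock_path, pause)

    threads = [threading.Thread(target=worker, args=(n,)) for n in ("test1", "test2")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

if __name__ == "__main__":
    print("no lock:  ", run_parallel())
    print("with lock:", run_parallel("/tmp/uid-auto-demo.lock"))
```

Without the lock both accounts end up with the same UID; with it, the second caller blocks until the first has registered its account and then picks the next one.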
Hi,
I am currently working on a Terraform provider for thebastion. Its main goal is to manage users of thebastion with Terraform state.
During my testing phase, I created an account with these parameters: "name": "test", "uid": "99992". But since I deleted it, those parameters seem to be locked. I am unable to create a new account with this name or this uid. This account named "test" is not visible in the output of the accountList command. Any idea how to fix this? And why did it happen?
Provider accountCreate command: "--osh accountCreate --account test --uid-auto --no-key"
Provider accountDelete command: "--osh accountDelete --account test --no-confirm --json"
Screenshots: