Add an option to automatically delete missing-guid users

This is only available when running the standalone script. At Rancher
startup this option is set to false, so missing users will be logged
instead and require manual intervention.

cleanup/ad-guid-unmigration.sh

@@ -23,6 +23,7 @@ show_usage() {
 	echo ""
 	echo "Flags:"
 	echo -e "\t-dry-run Display the resources that would will be updated without making changes"
+    echo -e "\t-delete-missing Permanently remove user objects whose GUID cannot be found in Active Directory"
 }
 
 if [ $# -lt 1 ]
@@ -45,7 +46,11 @@ yaml=$(cat ad-guid-unmigration.yaml | sed -e 's=agent_image='"$agent_image"'=')
 if [ "$2" = "-dry-run" ]
 then
     # Uncomment the env var for dry-run mode
-    yaml=$(sed -e 's/# // ' <<< "$yaml")
+    yaml=$(sed -e 's/#dryrun // ' <<< "$yaml")
+elif [ "$2" = "-delete-missing" ]
+then
+    # Instead uncomment the env var for missing user cleanup
+    yaml=$(sed -e 's/#deletemissing // ' <<< "$yaml")
 fi
 
 echo "$yaml" | kubectl apply -f -

cleanup/ad-guid-unmigration.yaml

@@ -38,8 +38,10 @@ spec:
         - env:
             - name: AD_GUID_CLEANUP
               value: "true"
-            # - name: DRY_RUN
-              # value: "true"
+            #dryrun - name: DRY_RUN
+              #dryrun value: "true"
+            #deletemissing - name: AD_DELETE_MISSING_GUID_USERS
+              #deletemissing value: "true"
           image: agent_image
           imagePullPolicy: Always
           command: ["agent"]

cmd/agent/main.go

@@ -81,7 +81,7 @@ func main() {
 			}
 			err = bindingErr
 		} else if os.Getenv("AD_GUID_CLEANUP") == "true" {
-			err = clean.UnmigrateAdGUIDUsers(nil, false)
+			err = clean.UnmigrateAdGUIDUsers(nil, false, false)
 		} else {
 			err = run(ctx)
 		}

pkg/agent/clean/active_directory.go

@@ -303,15 +303,19 @@ func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
 			return nil
 		}
 	}
-	return UnmigrateAdGUIDUsers(&sc.RESTConfig, false)
+	return UnmigrateAdGUIDUsers(&sc.RESTConfig, false, false)
 }
 
 // UnmigrateAdGUIDUsers will cycle through all users, ctrb, ptrb, tokens and migrate them to an
 // appropriate DN-based PrincipalID.
-func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool) error {
+func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMissingUsers bool) error {
 	if dryRun || os.Getenv("DRY_RUN") == "true" {
 		logrus.Infof("[%v] DRY_RUN is true, no objects will be deleted/modified", listAdUsersOperation)
 		dryRun = true
+		deleteMissingUsers = false
+	} else if deleteMissingUsers || os.Getenv("AD_DELETE_MISSING_GUID_USERS") == "true" {
+		logrus.Infof("[%v] AD_DELETE_MISSING_GUID_USERS is true, GUID-based users not present in Active Directory will be deleted", listAdUsersOperation)
+		deleteMissingUsers = true
 	}
 
 	sc, adConfig, err := prepareClientContexts(clientConfig)
@@ -353,8 +357,16 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool) error {
 	for _, user := range skippedUsers {
 		logrus.Errorf("[%v] Unable to migrate user %v due to a connection failure. This user will be skipped!", listAdUsersOperation, user.originalUser.Name)
 	}
-	for _, user := range missingUsers {
-		logrus.Errorf("[%v] User %v with GUID %v does not seem to exist in Active Directory. They may have been deleted. This user will be skipped!", listAdUsersOperation, user.originalUser.Name, user.guid)
+	for _, missingUser := range missingUsers {
+		if deleteMissingUsers {
+			logrus.Infof("[%v] User %v with GUID %v does not seem to exist in Active Directory, and deleteMissingUsers is true. Proceeding to delete this user permanently.", listAdUsersOperation, missingUser.originalUser.Name, missingUser.guid)
+			err = sc.Management.Users("").Delete(missingUser.originalUser.Name, &metav1.DeleteOptions{})
+			if err != nil {
+				logrus.Errorf("[%v] failed to delete missing user '%v' with: %v", listAdUsersOperation, missingUser.originalUser.Name, err)
+			}
+		} else {
+			logrus.Errorf("[%v] User %v with GUID %v does not seem to exist in Active Directory. They may have been deleted. This user will be skipped!", listAdUsersOperation, missingUser.originalUser.Name, missingUser.guid)
+		}
 	}
 
 	for _, userToMigrate := range usersToMigrate {