Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent group reconciliation for existing users #45612

Merged
merged 1 commit into from
Aug 23, 2024
Merged

Prevent group reconciliation for existing users #45612

merged 1 commit into from
Aug 23, 2024

Conversation

eriktate
Copy link
Contributor

@eriktate eriktate commented Aug 19, 2024
edited by rosstimothy
Loading

Addresses #45536

Adds a new group called teleport-managed which will be assigned to users created in KEEP mode. This PR also blocks UpsertUser from taking action unless the user in question has either the teleport-system group or the teleport-managed group.

changelog: Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. More info can be found at https://goteleport.com/docs/enroll-resources/server-access/guides/host-user-creation/#migrating-unmanaged-users.

@github-actions github-actions bot requested review from atburke and tigrato August 19, 2024 22:48
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

rosstimothy
rosstimothy reviewed Aug 20, 2024
View reviewed changes
api/types/constants.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

eriktate
eriktate commented Aug 20, 2024
View reviewed changes
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
@rosstimothy rosstimothy changed the title eriktate/prevent group reconciliation for existing users Prevent group reconciliation for existing users Aug 20, 2024
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch 2 times, most recently from a0594d4 to 9aa975b Compare August 21, 2024 17:58
@eriktate eriktate requested a review from rosstimothy August 21, 2024 18:02
rosstimothy
rosstimothy reviewed Aug 21, 2024
View reviewed changes
api/types/constants.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt_test.go Outdated Show resolved Hide resolved
lib/srv/usermgmt_test.go Outdated Show resolved Hide resolved
lib/srv/usermgmt_test.go Outdated Show resolved Hide resolved
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch from 36db28d to 977d91d Compare August 21, 2024 21:08
@eriktate eriktate requested a review from rosstimothy August 21, 2024 21:11
rosstimothy
rosstimothy reviewed Aug 21, 2024
View reviewed changes
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch from 977d91d to f079f62 Compare August 21, 2024 21:28
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch 2 times, most recently from d24b84f to 9d1fa34 Compare August 22, 2024 17:48
@eriktate eriktate requested a review from rosstimothy August 22, 2024 18:29
@eriktate
Copy link
Contributor Author

@atburke just a bump for whenever you have a few spare cycles 😄

atburke
atburke reviewed Aug 22, 2024
View reviewed changes
api/types/constants.go Outdated Show resolved Hide resolved
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch 3 times, most recently from 59d817e to 3a23147 Compare August 23, 2024 18:20
@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-24xcpf187-goteleport.vercel.app/docs/ver/preview

@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-7av93y4q7-goteleport.vercel.app/docs/ver/preview

rosstimothy
rosstimothy reviewed Aug 23, 2024
View reviewed changes
lib/srv/sess.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx Outdated Show resolved Hide resolved
@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: The changelog entry must not contain a Markdown link or image.

@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: The changelog entry must not contain a Markdown link or image.

@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-qlksadca2-goteleport.vercel.app/docs/ver/preview

@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-4ikltn5no-goteleport.vercel.app/docs/ver/preview

@github-actions GitHub Actions
Copy link

The PR changelog entry failed validation: The changelog entry must not contain a Markdown link or image.

@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch 2 times, most recently from df6bf75 to 21fbf92 Compare August 23, 2024 20:49
rosstimothy
rosstimothy approved these changes Aug 23, 2024
View reviewed changes
lib/srv/sess.go Outdated Show resolved Hide resolved
lib/srv/usermgmt.go Outdated Show resolved Hide resolved
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from tigrato August 23, 2024 20:50
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch from 21fbf92 to 58f676c Compare August 23, 2024 21:16
@eriktate eriktate enabled auto-merge August 23, 2024 21:26
@eriktate eriktate added this pull request to the merge queue Aug 23, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 23, 2024
@eriktate
adding teleport-keep group for easy identification of all teleport …
d5d176a 
…managed host users and removing any ability for teleport to modify an unmanaged user without explicitly taking ownership first
@eriktate eriktate force-pushed the eriktate/prevent-group-reconciliation-for-existing-users branch from 58f676c to d5d176a Compare August 23, 2024 21:59
@eriktate eriktate enabled auto-merge August 23, 2024 21:59
@eriktate eriktate added this pull request to the merge queue Aug 23, 2024
Merged via the queue into master with commit a641620 Aug 23, 2024
40 checks passed
@eriktate eriktate deleted the eriktate/prevent-group-reconciliation-for-existing-users branch August 23, 2024 22:38
@public-teleport-github-review-bot
Copy link

@eriktate See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Create PR
branch/v16 Create PR

This was referenced Aug 23, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

@atburke atburke atburke approved these changes

Assignees
No one assigned
Labels
backport/branch/v14 backport/branch/v15 backport/branch/v16 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eriktate @atburke @rosstimothy