RFD 0193 - Stable UNIX user UIDs #50414
Conversation
espadolini
added
no-changelog
rfd/0193-stable-unix-user.md
Outdated
| } | ||
| ``` | ||
|
|
||
| In the initial implementation there will be no way to read or manage the list of users and no tunables other than the range of UIDs available for use and the `enabled` flag. It is not planned to ever allow for deleting a UID after it's been assigned, but in the future we could add the ability to clear the assigned username for a given UID while still leaving it occupied. |
There was a problem hiding this comment.
I could see an admin having the desire to lookup the uid of a particular host login. While this is achievable by said admin logging into the host and manually retrieving the id, due to the migration process they may get an id not provisioned by Teleport.
I think we should provide a means for querying by username/uid, whether that be by listing or a specific query RPC.
There was a problem hiding this comment.
Defined a list operation - we could extend it to also support point reads in the future, but until we see a customer with hundreds of thousands of stable UIDs I think we're ok with requiring a full listing to do searches.
|
|
||
| ## Goal | ||
|
|
||
| After the appropriate setting is enabled in the control plane, all compliant (i.e. up to date) Teleport SSH nodes will query the control plane to know which UID to use when attempting to provision a host user if a Teleport user logs into the machine over SSH with a username that doesn't currently exist as a host user on the machine, with a roleset that allows for host user creation in "keep" mode for the specified machine and username, and with no `host_user_uid` trait. Using the returned UID will be a requirement for both the user and for its primary group: if another host user has the same UID, or a group has the same GID - and thus user creation will fail - the login will also fail. If the host user already exists on the machine, just like the current behavior, the login will just proceed with the existing user. The `host_user_uid` trait, if set, will take priority over the stable UID. |
There was a problem hiding this comment.
if another host user has the same UID, or a group has the same GID - and thus user creation will fail - the login will also fail
What is the means to resolving this state? Should there be an event or notification emitted to alert admins that manual intervention is needed?
There was a problem hiding this comment.
I'm honestly not sure of the extent of how detailed we can make our errors through SSH, but surely the user that can't log in will ask someone for help?
There was a problem hiding this comment.
At minimum we should make sure that the ssh service logs are very clear about the problem to reduce support load
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
espadolini
requested review from
eriktate
and removed request for
probakowski and
capnspacehook
RFD for #50292
This is the RFD for a new feature that will allow autoprovisioned unix users to be created with the same UID and primary GID across all SSH servers in a cluster.