Stable UNIX users: functionality #51200

Open
wants to merge 7 commits into
base: espadolini/stable-unix-user-api

espadolini
Contributor

This PR adds the use of fallback UIDs for host user creation in the Teleport SSHd and a tctl subcommand (tctl stable-unix-users ls) to list the persisted usernames and their UIDs. This PR also adds an audit log event to the API, emitted when a new username is written.

Related RFD: #50414
Part of #50292

@espadolini espadolini added the no-changelog Indicates that a PR does not require a changelog entry label Jan 17, 2025
@github-actions github-actions bot requested review from kimlisa and rudream January 17, 2025 21:39
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log size/md tctl tctl - Teleport admin tool ui labels Jan 17, 2025
@kimlisa kimlisa removed their request for review January 21, 2025 19:34
@@ -233,8 +248,21 @@ func (s *server) obtainUIDForUsernameUncached(ctx context.Context, username stri
return 0, trace.Wrap(err)
}

// TODO(espadolini): emit an audit log event with the username and UID
// that was just created
if s.emitter != nil {
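Review bot: the `if s.emitter != nil` guard at the end of this hunk lets a server that was built without an emitter create the username and UID and skip the audit event without any trace. Consider rejecting a nil emitter when the server is constructed, or logging when the event is skipped, so that a missing audit record is never silent. If the TODO comment directly above the guard is still present after this change, it should be dropped, since the guarded block is what implements it.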
Contributor

Should the emitter be required to be non-nil in the New?

Comment on lines +329 to +332
log.DebugContext(ctx, "Host user does not exist and no UID is configured, obtaining fallback UID")
fallbackUID, ok, err := obtainFallbackUID(ctx, identityContext.Login)
if err != nil {
log.ErrorContext(ctx, "Failed to obtain fallback (stable) UID from control plane", "error", err)
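Review bot: the `log.ErrorContext` call after `obtainFallbackUID` carries only the `"error"` attribute, so a failure in the logs cannot be tied to the login that triggered the lookup. Consider adding `"login", identityContext.Login` to both the debug and the error record. The two messages also name the value differently ("fallback UID" in the debug line, "fallback (stable) UID" in the error line); one term used in both would make the logs easier to search.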
Contributor

Should we refer to these as fallback, stable or configured uid? Are they really a fallback or are they primary UID if I've enabled stable_unix_user_config in my auth preference?
