Add an option to purge unmanaged users/groups #190

Open
abdrabo opened this issue Jan 19, 2021 · 3 comments
Labels
configuration Related to configuration actions. enhancement New feature or request

abdrabo commented Jan 19, 2021

If someone manages to add a user or a group to the BMC, it will be unnoticed forever. This is not ideal from a security point of view. We would like to add an option to purge any user or group that is not specified in the configuration. With this option bmcbutler will remove the unmanaged users/groups on the next run.

I propose to add 2 new bool keys to the configuration (purgeUnmanagedUsers & purgeUnmanagedLdapGroups). This way it will be optional and it will not break backward compatibility.

@abdrabo abdrabo added enhancement New feature or request configuration Related to configuration actions. labels Jan 19, 2021
abdrabo pushed a commit that referenced this issue Jan 19, 2021

abdrabo commented Jan 19, 2021

I have pushed a sample implementation to purge the unmanaged users in iLO. I would love to hear some feedback before adding implementations to the rest of the providers.

abdrabo pushed a commit that referenced this issue Jan 21, 2021

abdrabo commented Jan 21, 2021

You can check https://github.com/bmc-toolbox/bmclib/compare/abdrabo/190-purge-users-groups to see the changes made for this issue.


joelrebel commented Jan 25, 2021

Hey @abdrabo,

In this case it would be ideal to have bmclib limit its interface methods to - Select/Create/Update/Delete
and the client invoking bmclib, in this case bmcbutler, takes care of invoking the Delete method on User/LdapGroups that should not be on the BMC. This will allow us to have a clearly defined scope for bmclib.

I understand in this case, the Users and LdapGroups are imported from bmclib,
hence limiting the configuration options that you can declare in the BMC configuration file.

An option is to define a User/LdapGroup struct within bmcbutler that inherits the bmclib User struct,
and that way bmcbutler can declare its own User/LdapGroup parameters in its BMC configuration.
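
The split discussed in this thread, with the library exposing Select/Delete and the client deciding which accounts to remove, as an added example (not bmclib or bmcbutler code). `UserStore`, `PurgeUnmanaged` and `fakeBMC` are hypothetical names, the `purge` argument stands for the proposed `purgeUnmanagedUsers` key, and the refusal to purge when no users are declared is an added assumption.

```go
package main

import "fmt"

// UserStore is a hypothetical Select/Delete subset of a BMC provider interface.
type UserStore interface {
	SelectUsers() ([]string, error)
	DeleteUser(name string) error
}

// PurgeUnmanaged deletes accounts on the BMC that the config does not declare.
func PurgeUnmanaged(s UserStore, declared []string, purge bool) ([]string, error) {
	if !purge {
		return nil, nil // key defaults to false: existing runs are unchanged
	}
	if len(declared) == 0 { // added guard (assumption): never wipe every account
		return nil, fmt.Errorf("refusing to purge: no users declared")
	}
	managed := make(map[string]bool, len(declared))
	for _, name := range declared {
		managed[name] = true
	}
	present, err := s.SelectUsers()
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, name := range present {
		if managed[name] {
			continue
		}
		if err := s.DeleteUser(name); err != nil {
			return removed, fmt.Errorf("delete %q: %w", name, err)
		}
		removed = append(removed, name)
	}
	return removed, nil
}

// fakeBMC is a constructed in-memory stand-in that records delete calls.
type fakeBMC struct{ users, deleted []string }

func (f *fakeBMC) SelectUsers() ([]string, error) { return f.users, nil }
func (f *fakeBMC) DeleteUser(n string) error      { f.deleted = append(f.deleted, n); return nil }

func main() {
	bmc := &fakeBMC{users: []string{"admin", "monitor", "svc-tmp"}} // constructed sample
	fmt.Println(PurgeUnmanaged(bmc, []string{"admin", "monitor"}, true))
}
```

Returning the removed names gives the caller something to log, so an account that appeared outside the configuration is reported as well as deleted.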
