Users are no longer added to existing groups since 1.0.4 #44

Closed
jcomeaux opened this issue May 22, 2018 · 9 comments · Fixed by #47

Comments

@jcomeaux

We use "keymaker_wheel" as our IAM group for admin users. Admin users are added to the local "wheel" group in version 1.0.3, but beginning with 1.0.4, that no longer happens.

I haven't tested to see if new groups (e.g. "keymaker_notwheel") would be created successfully and users added.

@rscottthreewiresyscom

I can confirm this issue on CentOS 7 with 1.0.5. With a new image, the keymaker_groups get created on the server, but the users do not get added to them. Reverting to 1.0.3 solves the problem.

@kislyuk
Owner

kislyuk commented May 26, 2018

Thank you both for reporting this. I just released v1.0.6 with a fix for a logic error that I introduced in v1.0.4.

Could you please test v1.0.6 and see if your issue is resolved?

If not, can you please tell me the following:

  • Are users not being correctly added to groups upon first login, or on periodic group sync, or both?
  • Can you paste the (sanitized) output of keymaker get_groups USERNAME?
  • Can you paste the (sanitized) output of keymaker sync_groups?

Thanks.

@rscottthreewiresyscom

Yes, this is working correctly for me on 1.0.6.

@rscottthreewiresyscom

Well maybe I spoke too soon. The first image I spun up worked perfectly. But the second one generated these errors on my first login:

rscott@gtri-ubuntu:~/git/arfam-provision/ami$ hop 10.100.52.26
The authenticity of host '10.10.10.10 ()' can't be established.
ECDSA key fingerprint is SHA256:X7i2xRNB....
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.10' (ECDSA) to the list of known hosts.
usermod: group 'keymaker_group0' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
usermod: group 'group1' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
usermod: group 'group2' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
usermod: group 'group3' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
usermod: group 'group4' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
usermod: group 'group5' does not exist
/usr/bin/keymaker-create-account-for-iam-user: Error while adding user to group
Keymaker: Your user account has been replicated to this host but cannot be used for this session.
Keymaker: Create a new SSH connection.
Password:

===========================================
And now the groups are created but it won't add my account to the groups.

keymaker:x:1001:
rscott:x:17394:
group0:x:19128:
group5:x:7103:
group4:x:2839:
group3:x:12033:
group2:x:16304:
group1:x:34576:

[rscott@ip-10-10-10-10 ~]$ keymaker --version
1.0.6

[rscott@ip-10-10-10-10 ~]$ keymaker get_groups rscott
group0
group1
group2
group3
group4
group5

[rscott@ip-10-10-10-10 ~]$ keymaker sync_groups
INFO:keymaker:Syncing IAM group keymaker_group0
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
INFO:keymaker:Syncing IAM group keymaker_group1
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
INFO:keymaker:Syncing IAM group keymaker_group2
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
INFO:keymaker:Syncing IAM group keymaker_group3
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
INFO:keymaker:Syncing IAM group keymaker_group4
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
INFO:keymaker:Syncing IAM group keymaker_group5
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping

@rscottthreewiresyscom

I think that the problem described above has to do with logging in for the first time before the first cron job has run to populate the groups. Since the groups have not yet populated, each attempt to add the user to the group fails. And then--apparently--it never tries to add the user again. I have verified that a new user logging in after the groups are first populated does get added to the groups, but the first guy who logged in too early is SOL. So the work-around for this issue as it now stands is to wait until after there's been enough time for the first cron job to run before logging in.

@kislyuk
Owner

kislyuk commented Jun 9, 2018

@rscottthreewiresyscom thank you for clarifying. You are correct, and this is not a new issue: groups are created on demand by keymaker sync_groups, but not by keymaker-create-account-for-iam-user. I'll look into addressing that.

With that said, keymaker sync_groups should work. Is user rscott among the users for whom the WARNING:keymaker:User is not provisioned or not managed by keymaker, skipping message is printed? What's the uid of that user? The sync script will refuse to sync groups for users not provisioned by keymaker, but if rscott was provisioned by keymaker, then it should successfully assign the groups. If it doesn't, I want to find out why.

@georgebuckerfield
Contributor

I'm having what appears to be the same issue.

WARNING:keymaker:User  is not provisioned or not managed by keymaker, skipping

I think it's caused by these lines of code:

user_names_in_iam_group = [user.name[:-len(iam_linux_user_suffix)]
                                   for user in group.users.all()
                                   if user.name.endswith(iam_linux_user_suffix)]

If iam_linux_user_suffix is not set to anything, it ends up doing user.name[:-0], which just returns ''.
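
Added example, not part of the thread and not keymaker's own code or the merged fix: the quoted comprehension run beside a guarded variant, showing why an empty suffix turns every IAM user name into '' and why the sync then skips those users. `IamUser`, `linux_names_guarded` and `skipped_by_sync` are hypothetical names, and the user names are constructed.

```python
from collections import namedtuple

# Constructed stand-in for the IAM user objects; only .name is read.
IamUser = namedtuple("IamUser", "name")


def linux_names_quoted(users, iam_linux_user_suffix):
    """The comprehension quoted in the comment above, unchanged."""
    return [user.name[:-len(iam_linux_user_suffix)]
            for user in users
            if user.name.endswith(iam_linux_user_suffix)]


def linux_names_guarded(users, iam_linux_user_suffix=""):
    """Hypothetical hardened variant: same filter, explicit end index."""
    names = []
    for user in users:
        if not user.name.endswith(iam_linux_user_suffix):
            continue
        # A non-negative end index keeps the whole name when the suffix is
        # empty; [:-0] is [:0], which is always ''.
        local = user.name[:len(user.name) - len(iam_linux_user_suffix)]
        if local:  # never hand an empty account name to the group sync
            names.append(local)
    return names


def skipped_by_sync(names, provisioned):
    """Names the sync would skip as 'not provisioned' (constructed model)."""
    return [n for n in names if n not in provisioned]


if __name__ == "__main__":
    users = [IamUser("alice"), IamUser("bob-linux")]  # constructed sample
    for suffix in ("", "-linux"):
        print(repr(suffix), linux_names_quoted(users, suffix),
              linux_names_guarded(users, suffix))
```

An empty derived name matches no local account, so group membership for every user is silently left unsynced; a regression test with the suffix unset catches this class of error.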

@kislyuk
Owner

kislyuk commented Jul 16, 2018

Thank you @georgebuckerfield. Merged your fix and released in v1.0.7.

@georgebuckerfield
Contributor

georgebuckerfield commented Jul 16, 2018

Great, thanks for the quick turnaround @kislyuk and thanks for maintaining keymaker, it's very useful!
