[arvados] updated: 2.6.0-309-g9b4f22418

git repository hosting git at public.arvados.org
Fri Jun 23 15:24:51 UTC 2023


Summary of changes:
 lib/config/config.default.yml              |  7 +++++++
 lib/config/export.go                       |  1 +
 sdk/go/arvados/config.go                   |  1 +
 services/login-sync/bin/arvados-login-sync | 13 ++++++++++---
 4 files changed, 19 insertions(+), 3 deletions(-)

       via  9b4f22418bc26d57e4b9d4a0ba9ef3c4e34a2e51 (commit)
       via  42eab508902ad812e4d32bfb26115a213348e1a6 (commit)
      from  ee35d22df94f1745f97c17f3171e8663fa2e375e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 9b4f22418bc26d57e4b9d4a0ba9ef3c4e34a2e51
Author: Brett Smith <brett.smith at curii.com>
Date:   Fri Jun 23 11:24:22 2023 -0400

    20663: Add IgnoredGroups configuration to arvados-login-sync
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 921a53578..6ae98157b 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -433,6 +433,13 @@ Clusters:
       SyncRequiredGroups:
         - fuse
 
+      # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+      # never modify these groups. If user login permissions list any groups
+      # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+      # belongs to any of these groups, arvados-login-sync will not remove
+      # the account from that group.
+      SyncIgnoredGroups: []
+
     AuditLogs:
       # Time to keep audit logs, in seconds. (An audit log is a row added
       # to the "logs" table in the PostgreSQL database each time an
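Review bot: The new comment does not say what happens when a group appears in both SyncRequiredGroups and SyncIgnoredGroups, although arvados-login-sync in this same commit prints a warning and treats the group as ignored. An administrator using this setting to protect a local group would want that precedence stated here, for example by adding `# A group listed in both SyncRequiredGroups and SyncIgnoredGroups is ignored.` just before `SyncIgnoredGroups: []`. It may also be worth saying that names are matched exactly as written, since the script filters with plain array subtraction.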
diff --git a/lib/config/export.go b/lib/config/export.go
index d51b02d6c..88c64f69a 100644
--- a/lib/config/export.go
+++ b/lib/config/export.go
@@ -247,6 +247,7 @@ var whitelist = map[string]bool{
 	"Users.NewUsersAreActive":                             false,
 	"Users.PreferDomainForUsername":                       false,
 	"Users.RoleGroupsVisibleToAll":                        false,
+	"Users.SyncIgnoredGroups":                             true,
 	"Users.SyncRequiredGroups":                            true,
 	"Users.SyncUserAccounts":                              true,
 	"Users.SyncUserAPITokens":                             true,
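Review bot: Setting `"Users.SyncIgnoredGroups"` to `true` appears to include the list in the exported cluster configuration, which is presumably how arvados-login-sync reads it through `arv.cluster_config`. If that export is readable without credentials, the names of the local groups an administrator chose to protect become visible to any client. This matches the neighbouring `Users.SyncRequiredGroups` entry and is probably required for the script to work. It would still help to say so where the setting is documented, e.g. `# This list is part of the exported cluster configuration; do not treat it as secret.` The map literal starts and ends outside this hunk.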
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 62dfca45c..c49476997 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -258,6 +258,7 @@ type Cluster struct {
 		RoleGroupsVisibleToAll                bool
 		CanCreateRoleGroups                   bool
 		ActivityLoggingPeriod                 Duration
+		SyncIgnoredGroups                     []string
 		SyncRequiredGroups                    []string
 		SyncUserAccounts                      bool
 		SyncUserAPITokens                     bool
diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync
index d6c718864..cbe8520a0 100755
--- a/services/login-sync/bin/arvados-login-sync
+++ b/services/login-sync/bin/arvados-login-sync
@@ -65,8 +65,14 @@ begin
   arv = Arvados.new({ :suppress_ssl_warnings => false })
   logincluster_host = ENV['ARVADOS_API_HOST']
   logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
+
   # Requiring the fuse group was previous hardcoded behavior
   minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
+  ignored_groups = arv.cluster_config['Users']['SyncIgnoredGroups'] || []
+  (minimum_groups & ignored_groups).each do |group_name|
+    STDERR.puts "WARNING: #{group_name} is listed in both SyncRequiredGroups and SyncIgnoredGroups. It will be ignored."
+  end
+
   actions.each_pair do |key, default|
     actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
   end
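Review bot: The context line `logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''` never applies its fallback, because `or` binds more loosely than `=`, so a nil LoginCluster leaves the variable nil. The lines added just below use `||` correctly, and the same form fits here: `logincluster_name = arv.cluster_config['Login']['LoginCluster'] || ''`. With nil, the later check `logincluster_name != ''` (visible in the older commit's hunk on this file) passes and the script goes on to compare nil against ClusterID as if a remote login cluster were configured. The `begin` block starts and ends outside the hunk.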
@@ -185,9 +191,10 @@ begin
     end
 
     if actions[:SyncUserGroups]
-      have_groups = current_user_groups[username]
+      have_groups = current_user_groups[username] - ignored_groups
       want_groups = l[:groups] || []
       want_groups |= minimum_groups
+      want_groups -= ignored_groups
       want_groups &= all_groups
 
       (want_groups - have_groups).each do |addgroup|
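Review bot: The ignore list only holds while `want_groups -= ignored_groups` stays after `want_groups |= minimum_groups` and `have_groups` is filtered the same way, and nothing in the code says so. A comment above `have_groups` would protect that invariant against later reordering, e.g. `# Drop ignored groups from both sides so the add/remove steps below never touch them`. The removal loop and any other place that applies `l[:groups]` lie outside this hunk; if one exists outside the `SyncUserGroups` branch it would presumably need the same filter. The enclosing `if` block continues past the hunk.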

commit 42eab508902ad812e4d32bfb26115a213348e1a6
Author: Brett Smith <brett.smith at curii.com>
Date:   Fri Jun 23 09:25:24 2023 -0400

    20663: Bugfix configuration lookup
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/services/login-sync/bin/arvados-login-sync b/services/login-sync/bin/arvados-login-sync
index 1a825c90f..d6c718864 100755
--- a/services/login-sync/bin/arvados-login-sync
+++ b/services/login-sync/bin/arvados-login-sync
@@ -66,9 +66,9 @@ begin
   logincluster_host = ENV['ARVADOS_API_HOST']
   logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
   # Requiring the fuse group was previous hardcoded behavior
-  minimum_groups = arv.cluster_config['Login']['SyncRequiredGroups'] || ['fuse']
+  minimum_groups = arv.cluster_config['Users']['SyncRequiredGroups'] || ['fuse']
   actions.each_pair do |key, default|
-    actions[key] = arv.cluster_config['Login'].fetch(key.to_s, default)
+    actions[key] = arv.cluster_config['Users'].fetch(key.to_s, default)
   end
 
   if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID']

-----------------------------------------------------------------------


hooks/post-receive
-- 



