bmc-toolbox/bmclib

Add an option to purge unmanaged users/groups

abdrabo opened this issue · 3 comments

If someone manages to add a user or a group to the BMC, it will be unnoticed forever. This is not ideal from a security point of view. We would like to add an option to purge any user or group that is not specified in the configuration. With this option bmcbutler will remove the unmanaged users/groups on the next run.

I propose to add 2 new bool keys to the configuration (purgeUnmanagedUsers & purgeUnmanagedLdapGroups). This way it will be optional and it will not break backward compatibility.

I have pushed a sample implementation to purge the unmanaged users in iLO. I would love to hear some feedback before adding implementations to the rest of the providers.

You can check https://github.com/bmc-toolbox/bmclib/compare/abdrabo/190-purge-users-groups to see the changes made for this issue.

Hey @abdrabo,

In this case it would be ideal to have bmclib limit its interface methods to Select/Create/Update/Delete, and the client invoking bmclib, in this case bmcbutler, takes care of invoking the Delete method on Users/LdapGroups that should not be on the BMC. This will allow us to have a clearly defined scope for bmclib.

I understand that in this case the Users and LdapGroups are imported from bmclib, hence limiting the configuration options that you can declare in the BMC configuration file.

An option is to define a User/LdapGroup struct within bmcbutler that inherits the bmclib User struct,
and that way bmcbutler can declare its own User/LdapGroup parameters in its BMC configuration.
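The client-side reconciliation the comment above describes, as an added example in Go that is not bmclib's or bmcbutler's own code: the `User` struct, the `Deleter` interface and the `purge` flag (standing in for `purgeUnmanagedUsers`) are assumed, and the account bmcbutler logs in with is never deleted so a mistaken config cannot lock the tool out.

```go
package main

import (
	"fmt"
	"sort"
)

// User is a minimal stand-in for the bmclib User type (field names assumed).
type User struct {
	Name string
	Role string
}

// Deleter is a hypothetical interface exposing only the Delete method
// discussed above; the real bmclib provider would implement it.
type Deleter interface {
	Delete(name string) error
}

// PurgeUnmanagedUsers returns the BMC accounts absent from the configuration,
// sorted for stable logging, and deletes them through d when purge is true.
// The loginUser (the account bmcbutler itself uses) is always skipped.
func PurgeUnmanagedUsers(configured, onBMC []User, loginUser string, purge bool, d Deleter) ([]string, error) {
	managed := make(map[string]bool, len(configured))
	for _, u := range configured {
		managed[u.Name] = true
	}
	var unmanaged []string
	for _, u := range onBMC {
		if managed[u.Name] || u.Name == loginUser {
			continue
		}
		unmanaged = append(unmanaged, u.Name)
	}
	sort.Strings(unmanaged)
	if !purge {
		return unmanaged, nil // dry run: report only
	}
	for _, name := range unmanaged {
		if err := d.Delete(name); err != nil {
			return unmanaged, fmt.Errorf("delete %q: %w", name, err)
		}
	}
	return unmanaged, nil
}

// recordingDeleter is a constructed stand-in that records deletions
// instead of talking to a BMC, so the logic can be exercised offline.
type recordingDeleter struct{ Deleted []string }

func (r *recordingDeleter) Delete(name string) error {
	r.Deleted = append(r.Deleted, name)
	return nil
}
```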