communication #160508

closed

RFC: Disable stale Heroes accounts

Added by crameleon 8 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Compliance
Target version:
-
Start date:
2024-05-18
Due date:
% Done:

0%

Estimated time:

Description

To reduce the intrusion surface from credentials sitting with people who no longer use them, I propose to:

  • contact users who did not authenticate to the Heroes VPN for >= 6 months
  • if no response + login within 2 weeks, disable Heroes IDM account and revoke the corresponding VPN client certificate

This would be manifested in the infrastructure policy, and could be partially automated.

Actions #1

Updated by crameleon 8 months ago

  • Private changed from Yes to No
Actions #2

Updated by crameleon 8 months ago

As per discussion in the meeting on 06/06/2024, grace period to be 4 instead of 2 weeks.

Actions #3

Updated by kskarthik 7 months ago

crameleon wrote:

To reduce the intrusion surface from credentials sitting with people who no longer use them, I propose to:

  • contact users who did not authenticate to the Heroes VPN for >= 6 months
  • if no response + login within 2 weeks, disable Heroes IDM account and revoke the corresponding VPN client certificate

This would be manifested in the infrastructure policy, and could be partially automated.

I feel this can be fully automated, if we can have a proper way to extract VPN logs of users

Actions #4

Updated by crameleon 7 months ago

As per discussion in the meeting on 04/07/2024:

  • automate sending email to user if no login >= 6 months
  • send email to admin@ (i.e. create ticket here) if still no login 2 weeks after the email, asking an admin to disable the user / revoke their account
Actions #5

Updated by kskarthik 7 months ago

I wish to help automating this task!

Actions #6

Updated by crameleon 7 months ago

  • Assignee set to kskarthik

Thanks for volunteering. :)

Actions #7

Updated by crameleon 7 months ago · Edited

I realize we should also consider accounts which do not have any login log file (for example people who never connected).

To find all relevant users we can use:

$ kanidm group get vpn

To find email addresses we can use:

$ kanidm person get crameleon

With both of these one can add -o json after get which makes for JSON output to feed into jq (for example something like kanidm group get -o json vpn|jq '.["member"][]') or similar.

That is for shell, of course, if you prefer a different language, the same can be achieved using the HTTP API.

For development you can authenticate interactively with kanidm login -D kskarthik, for the automation in some systemd service we can then configure an application token.
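
The two-step workflow agreed in #note-4 (notice after 6 months without a login, escalation to admin@ after the grace period) together with the never-connected case raised above, as an added example that is not part of this ticket or of any Heroes script. The group JSON is a constructed stand-in for `kanidm group get -o json vpn` (only the "member" key is taken from the thread), the user names and dates are invented, and the VPN log parsing is left out: the caller supplies a "last login" date per user, or None for users absent from the logs.

```python
"""Stale-account classifier for the Heroes VPN workflow (added example)."""
import json
from datetime import date, timedelta

STALE_DAYS = 180   # "no login >= 6 months" (#note-4)
GRACE_DAYS = 14    # days after the notice before escalating; the thread mentions 2 and 4 weeks

# Constructed stand-in for the output of `kanidm group get -o json vpn`.
# Only the "member" key comes from the thread; the member names are invented.
VPN_GROUP_JSON = ('{"name": ["vpn"], "member": ["alice@example.org", '
                  '"bob@example.org", "carol@example.org", "dave@example.org"]}')


def vpn_members(group_json):
    """Return the member list of a kanidm group JSON document (jq: .["member"][])."""
    return list(json.loads(group_json)["member"])


def classify(last_login, notified_on, today):
    """Decide what the automation should do for one account.

    last_login:  date of the most recent VPN authentication, or None when the
                 user never appears in the logs (#note-7: those count as stale).
    notified_on: date the 6-month notice was e-mailed, or None if not yet sent.
    """
    if last_login is not None and (today - last_login).days < STALE_DAYS:
        return "ok"          # active; a login after the notice also lands here
    if notified_on is None:
        return "notify"      # step 1: e-mail the user
    if (today - notified_on).days >= GRACE_DAYS:
        return "escalate"    # step 2: ticket to admin@ to disable / revoke
    return "waiting"         # notice sent, grace period still running


def plan(members, last_logins, notices, today):
    """Map every VPN group member to the action the automation should take."""
    return {m: classify(last_logins.get(m), notices.get(m), today) for m in members}


def example_plan():
    """Run the classifier over the constructed sample data."""
    today = date(2024, 7, 15)                       # constructed reference date
    last_logins = {"alice@example.org": today - timedelta(days=3),
                   "bob@example.org": today - timedelta(days=200),
                   "carol@example.org": today - timedelta(days=400)}  # dave: no log entry
    notices = {"bob@example.org": today - timedelta(days=5),
               "carol@example.org": today - timedelta(days=20)}
    return plan(vpn_members(VPN_GROUP_JSON), last_logins, notices, today)


if __name__ == "__main__":
    for user, action in example_plan().items():
        print(user, action)
```

In the real service the three inputs would come from the kanidm JSON, the VPN log directory and a small state file of sent notices; the decision logic above is the part worth unit-testing.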

Actions #8

Updated by kskarthik 6 months ago

crameleon wrote in #note-7:

I realize we should also consider accounts which do not have any login log file (for example people who never connected).

To find all relevant users we can use:

$ kanidm group get vpn

To find email addresses we can use:

$ kanidm person get crameleon

With both of these one can add -o json after get which makes for JSON output to feed into jq (for example something like kanidm group get -o json vpn|jq '.["member"][]') or similar.

That is for shell, of course, if you prefer a different language, the same can be achieved using the HTTP API.

For development you can authenticate interactively with kanidm login -D kskarthik, for the automation in some systemd service we can then configure an application token.

My user on odin cannot access the VPN logs dir which is required for the script to run. Please enable read access for my username.

Actions #9

Updated by crameleon 6 months ago

Why does your user need to read the directory? We should use some service user or nobody to run it through a systemd service.

Actions #10

Updated by kskarthik 6 months ago

crameleon wrote in #note-9:

Why does your user need to read the directory? We should use some service user or nobody to run it through a systemd service.

Just saw the service user mail. Yeah, that sounds good

Actions #11

Updated by kskarthik 5 months ago

crameleon wrote in #note-4:

As per discussion in the meeting on 04/07/2024:

  • automate sending email to user if no login >= 6 months
  • send email to admin@ (i.e. create ticket here) if still no login 2 weeks after the email, asking an admin to disable the user / revoke their account

Since we have achieved the desired behavior, shall we close this ticket?

Actions #12

Updated by crameleon 5 months ago

Hi, sure, feel free to resolve if you're satisfied with it (I am ;-) ).

Actions #13

Updated by crameleon 5 months ago

Thanks for your work on this!

Actions #14

Updated by kskarthik 5 months ago

crameleon wrote in #note-13:

Thanks for your work on this!

I also want to thank specifically you and the admin team for your valuable inputs throughout the process!

Actions #15

Updated by kskarthik 5 months ago

  • Status changed from New to Resolved

Marking as resolved.
