
Purge db creds for archived tools
Closed, Resolved · Public

Description

maintain-dbusers.py creates and updates database accounts for toolforge tools. It creates them but doesn't currently have a way to remove them.

I see two ways to move forward with disabling:

  1. maintain-dbusers.py could check ldap for disable settings on a tool and remove creds
  2. maintain-dbusers.py could compare the set of creds with the set of tools and remove all creds for unfound tools

I prefer the latter but it's a bit riskier.

Event Timeline

It actually does have a way to remove them. We use it for recycling credentials because it will create them again if the user still exists in LDAP. The only issue is that it is manual. You have to run the command by hand right now (sudo -i /usr/local/sbin/maintain-dbusers delete tools.deletemeuser). We could teach it to check the LDAP user for disabled settings and run that function automatically for those that are archived instead of using the cli. It will re-create credentials any time they are re-enabled. I think that's the ideal.

optimistically reassigning

Change 706769 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] disable-tool: add a job to the sge-cron host that archives databases

https://gerrit.wikimedia.org/r/706769

Change 706769 merged by Andrew Bogott:

[operations/puppet@production] disable-tool: add a job to the sge-cron host that archives databases

https://gerrit.wikimedia.org/r/706769

nskaggs moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.

Change 711234 had a related patch set uploaded (by Bstorm; author: Bstorm):

[operations/puppet@production] maintain-dbusers: delete users that are removed from ldap

https://gerrit.wikimedia.org/r/711234

Change 711234 merged by Bstorm:

[operations/puppet@production] maintain-dbusers: delete users that are removed from ldap

https://gerrit.wikimedia.org/r/711234

Change 711642 had a related patch set uploaded (by Bstorm; author: Bstorm):

[operations/puppet@production] maintain-dbusers: delete LDAP-absent accounts for real

https://gerrit.wikimedia.org/r/711642

Change 711642 merged by Bstorm:

[operations/puppet@production] maintain-dbusers: delete LDAP-absent accounts for real

https://gerrit.wikimedia.org/r/711642

Change 711693 had a related patch set uploaded (by Bstorm; author: Bstorm):

[operations/puppet@production] maintain-dbusers: old tools are missing and causing crashes

https://gerrit.wikimedia.org/r/711693

Change 711693 merged by Bstorm:

[operations/puppet@production] maintain-dbusers: old tools are missing and causing crashes

https://gerrit.wikimedia.org/r/711693

At this point, if LDAP crashes, so does maintain-dbusers. So as long as LDAP doesn't suddenly learn to reply correctly with nothing, maintain-dbusers will delete accounts that do not exist in LDAP but do exist in its own database. That's how it decides to create new accounts, so that seems reasonable. I observed it remove a small collection of accounts (user and tool) correctly.

If something somehow is missing from LDAP and then is back, it will come back later with a new password, but the password will be available to the user so that seems ok to me.
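The reconciliation described in the comment above (delete accounts that are in the local credential store but absent from LDAP) as an added illustration; this is example code, not the maintain-dbusers script, and the names `reconcile_accounts`, `LdapError`, `demo` and the sample account lists are assumptions. It fails closed on the two failure modes the comment worries about: an LDAP error and an LDAP reply that is unexpectedly empty.

```python
# Added example, not the maintain-dbusers code: reconcile the accounts recorded
# in a local credential store against the accounts LDAP reports, deleting only
# the ones LDAP no longer knows about. All names here are hypothetical.
from typing import Callable, Iterable, Set


class LdapError(Exception):
    """Raised when the LDAP lookup fails (connection refused, timeout, ...)."""


def reconcile_accounts(
    local_accounts: Iterable[str],
    fetch_ldap_accounts: Callable[[], Set[str]],
    delete_account: Callable[[str], None],
    max_delete_fraction: float = 0.5,
) -> dict:
    """Delete local accounts absent from LDAP, failing closed on bad input.

    - an LDAP error aborts the run (nothing is deleted);
    - an empty LDAP result is treated as an error, not as "delete all";
    - deleting more than max_delete_fraction of the local accounts in one
      run is refused, so a half-broken directory reply cannot wipe the store.
    """
    local = set(local_accounts)
    try:
        in_ldap = fetch_ldap_accounts()
    except LdapError as exc:
        return {"status": "aborted", "reason": f"ldap error: {exc}", "deleted": []}
    if not in_ldap:
        return {"status": "aborted", "reason": "ldap returned no accounts", "deleted": []}

    stale = sorted(local - in_ldap)
    if local and len(stale) / len(local) > max_delete_fraction:
        return {"status": "aborted", "reason": "too many deletions", "deleted": []}

    for name in stale:
        delete_account(name)
    return {"status": "ok", "reason": "", "deleted": stale}


# Constructed sample data: the local store still holds creds for a tool
# that has since been removed from LDAP.
SAMPLE_LOCAL = ["tools.alpha", "tools.beta", "tools.deletemeuser", "u12345"]
SAMPLE_LDAP = {"tools.alpha", "tools.beta", "u12345"}


def demo() -> dict:
    """Run one reconciliation over the sample data; returns the result dict."""
    return reconcile_accounts(SAMPLE_LOCAL, lambda: set(SAMPLE_LDAP), lambda n: None)
```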

Brooke says: "You can check maintain-dbusers on labstore1004 by doing sudo journalctl -u maintain-dbusers since the logs are verbose for deletion"