Bug #25479
Users cleanup configuration is too strict on disabled users
Description
The current default is 60 days for the rudder.users.cleanup.account.disableAfterLastLogin configuration property: any user that did not log in for a period of 60 days is disabled.
The disable reason is also empty in the users table (in the statushistory column) :
{"actor": {"name": "rudder"}, "reason": "", "actionDate": "2024-09-17T10:00:00.000Z"}, "status": "disabled"}
We should set it to a longer period of time by default: 90 days, because users should be able to leave a Rudder instance unused for a longer period of time, as demonstrated by some client use cases.
The configuration value should still be modifiable, and the never value should be a supported one (documentation should be added in the configuration.properties.sample file).
Also, a known admin user should not be disabled.
We should also add a reason in the trace, e.g. "User did not login for too long" and log the disabling of users with a warning log (see also #25478).
Also, rudder.users.cleanup.account.deleteAfterLastLogin should apply only to already disabled users (therefore the value of 120.days seems reasonable).
We should also update the doc and sample for the configuration parameters.
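The rules requested above, modelled as an added example (this is not Rudder's code and not part of the original ticket). The `User` class, the `cleanup` function, the flattened history entry, the `>=` threshold comparison, reuse of the same reason text for deletions, and the sample accounts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NEVER = None  # stands in for the "never" value: the rule is switched off
REASON = "User did not login for too long"  # reason text suggested in the ticket

@dataclass
class User:
    name: str
    last_login: datetime
    status: str = "active"      # "active", "disabled" or "deleted"
    is_admin: bool = False      # known admin (e.g. declared in the users file)
    history: list = field(default_factory=list)

def _set_status(user, status, now, log):
    # Simplified status-history entry (assumed shape): reason is never empty.
    user.history.append({"actor": "rudder", "status": status,
                         "reason": REASON, "actionDate": now.isoformat()})
    user.status = status
    log.append(f"WARN user '{user.name}' {status}: {REASON}")

def cleanup(users, now, disable_after=timedelta(days=90),
            delete_after=timedelta(days=120)):
    """Run one cleanup pass and return the warning lines it produced."""
    log = []
    for u in users:
        idle = now - u.last_login
        if u.status == "disabled":
            # Deletion applies only to accounts that are already disabled.
            if delete_after is not NEVER and idle >= delete_after:
                _set_status(u, "deleted", now, log)
        elif u.status == "active" and not u.is_admin:
            if disable_after is not NEVER and idle >= disable_after:
                _set_status(u, "disabled", now, log)
    return log

NOW = datetime(2024, 9, 17, 10, 0, tzinfo=timezone.utc)

def sample_users():
    """Constructed accounts: (name, days since last login, status, admin)."""
    rows = [("alice", 70, "active", False), ("bob", 100, "active", False),
            ("root", 200, "active", True), ("carol", 130, "disabled", False),
            ("dave", 130, "active", False)]
    return [User(n, NOW - timedelta(days=d), s, a) for n, d, s, a in rows]

if __name__ == "__main__":
    users = sample_users()
    for line in cleanup(users, NOW):
        print(line)
    print({u.name: u.status for u in users})
```

In this model an active account idle for 130 days is only disabled on the first pass and becomes eligible for deletion on a later one, which is the behaviour the ticket asks for.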
Updated by Clark ANDRIANASOLO 2 months ago
- Related to User story #23440: Add users table to better track user and sessions added
Updated by Clark ANDRIANASOLO 2 months ago
- Description updated (diff)
- Status changed from New to In progress
- Assignee set to Clark ANDRIANASOLO
Updated by Clark ANDRIANASOLO 2 months ago
- Related to Enhancement #25478: Normalize authentication logs added
Updated by Clark ANDRIANASOLO 2 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/5880
Updated by Clark ANDRIANASOLO 2 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|e45877bded15208c0123ee658e6608fd6fc0c8ed.
Updated by François ARMAND 2 months ago
- Related to Bug #25458: All OIDC user are disabled at once added
Updated by Clark ANDRIANASOLO 2 months ago
- Fix check changed from To do to Checked
It now works well with #25490 : the logs are clear and only disabled users are deleted.
There is a caveat on OIDC users: their roles are not known by Rudder, so they need to be declared as admin in the users file for them to not be disabled when the cleanup runs.
Updated by Vincent MEMBRÉ about 2 months ago
This bug has been fixed in Rudder 8.1.7 which was released today.