Bug #25479

open

Users cleanup configuration is too strict on disabled users

Added by Clark ANDRIANASOLO 2 months ago. Updated about 1 month ago.

Status: Pending release
Priority: N/A
Category: Web - Maintenance
Target version:
Severity: Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required: Very Small
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

The current default is 60 days for the rudder.users.cleanup.account.disableAfterLastLogin configuration property: any user who did not log in for a period of 60 days is disabled.
The disable reason is also empty in the users table (in the statushistory column):

{"actor": {"name": "rudder"}, "reason": "", "actionDate": "2024-09-17T10:00:00.000Z"}, "status": "disabled"}

We should set it to a longer period of time by default: 90 days, because users should be able to leave a Rudder instance unused for a longer period of time, as demonstrated by some client use cases.
The configuration value should still be modifiable, and the never value should be a supported one (documentation should be added in the configuration.properties.sample file).
Also, a known admin user should not be disabled.

We should also add a reason in the trace, e.g. "User did not login for too long" and log the disabling of users with a warning log (see also #25478).

Also, rudder.users.cleanup.account.deleteAfterLastLogin should apply only to already disabled users (therefore the value of 120.days seems reasonable).

We should also update the doc and sample for the configuration parameters.
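
The policy requested above, sketched as an added example (not Rudder's code, which is not shown on this page): disable after 90 days, delete after 120 days but only for already disabled users, never touch a known admin, and accept never. The function names, the user record fields, the accepted period spellings and the sample accounts are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

DISABLE_REASON = "User did not login for too long"  # wording suggested in the issue

def parse_period(value):
    """Return a timedelta, or None for 'never'. Accepted spellings are an assumption."""
    value = value.strip().lower()
    if value == "never":
        return None
    match = re.fullmatch(r"(\d+)[ .]?days?", value)
    if match is None:
        raise ValueError(f"unsupported period: {value!r}")
    return timedelta(days=int(match.group(1)))

def cleanup(users, now, disable_after="90 days", delete_after="120 days"):
    """Return (name, action, reason) decisions without mutating the input."""
    disable_td, delete_td = parse_period(disable_after), parse_period(delete_after)
    decisions = []
    for user in users:
        idle = now - user["last_login"]
        if user["status"] == "disabled":
            # Deletion applies only to accounts that are already disabled.
            if delete_td is not None and idle > delete_td:
                decisions.append((user["name"], "delete", "disabled and idle past delete period"))
        elif user["is_admin"]:
            continue  # a known admin is never disabled by the cleanup
        elif disable_td is not None and idle > disable_td:
            decisions.append((user["name"], "disable", DISABLE_REASON))
    return decisions

NOW = datetime(2024, 9, 17, 10, 0, tzinfo=timezone.utc)

def sample_user(name, idle_days, status="active", is_admin=False):
    return {"name": name, "status": status, "is_admin": is_admin,
            "last_login": NOW - timedelta(days=idle_days)}

# Constructed sample accounts, not taken from a real users table.
USERS = [
    sample_user("alice", 30),
    sample_user("bob", 75),                      # idle past 60 days, within 90
    sample_user("carol", 100),
    sample_user("erin", 130),                    # active: disabled first, not deleted
    sample_user("admin", 200, is_admin=True),
    sample_user("dave", 130, status="disabled"),
    sample_user("frank", 100, status="disabled"),
]

if __name__ == "__main__":
    for name, action, reason in cleanup(USERS, NOW):
        print(f"WARN user cleanup: {action} {name!r} ({reason})")
```

Running it with disable_after="60 days" shows the account (bob) that the old default would have disabled and the 90-day default leaves alone.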


Subtasks 3 (0 open, 3 closed)

User management - Bug #25482: User cleanup configuration impact on user-management (Released, François ARMAND)
Bug #25483: User cleanup configuration impact on user-management in 8.2 (Released, François ARMAND)
Bug #25490: User cleanup actions are logged every time even there is no change (Released, François ARMAND)

Related issues 3 (1 open, 2 closed)

Related to Rudder - User story #23440: Add users table to better track user and sessions (Released, Vincent MEMBRÉ)
Related to Rudder - Enhancement #25478: Normalize authentication logs (Pending release, François ARMAND)
Related to Authentication backends - Bug #25458: All OIDC user are disabled at once (Resolved, Clark ANDRIANASOLO)
Actions #1

Updated by Clark ANDRIANASOLO 2 months ago

  • Related to User story #23440: Add users table to better track user and sessions added
Actions #2

Updated by Clark ANDRIANASOLO 2 months ago

  • Description updated (diff)
  • Status changed from New to In progress
  • Assignee set to Clark ANDRIANASOLO
Actions #3

Updated by Clark ANDRIANASOLO 2 months ago

  • Description updated (diff)
Actions #4

Updated by Clark ANDRIANASOLO 2 months ago

  • Description updated (diff)
Actions #5

Updated by Clark ANDRIANASOLO 2 months ago

  • Description updated (diff)
Actions #6

Updated by Clark ANDRIANASOLO 2 months ago

Actions #7

Updated by Clark ANDRIANASOLO 2 months ago

  • Description updated (diff)
Actions #8

Updated by Clark ANDRIANASOLO 2 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5880
Actions #9

Updated by Clark ANDRIANASOLO 2 months ago

  • Status changed from Pending technical review to Pending release
Actions #10

Updated by Clark ANDRIANASOLO 2 months ago

  • Subtask #25482 added
Actions #11

Updated by Clark ANDRIANASOLO 2 months ago

  • Subtask #25483 added
Actions #12

Updated by Clark ANDRIANASOLO 2 months ago

  • Subtask #25490 added
Actions #13

Updated by François ARMAND 2 months ago

  • Related to Bug #25458: All OIDC user are disabled at once added
Actions #14

Updated by Clark ANDRIANASOLO 2 months ago

  • Fix check changed from To do to Checked

It now works well with #25490: the logs are clear and only disabled users are deleted.

There is a caveat on OIDC users: their roles are not known by Rudder, so they need to be declared as admin in the users file for them to not be disabled when the cleanup runs.

Actions #15

Updated by Vincent MEMBRÉ about 2 months ago

This bug has been fixed in Rudder 8.1.7 which was released today.
