caktus / tequila-common

Ansible role for setting up users, keys, directories, and a firewall for a Django server
BSD 3-Clause "New" or "Revised" License

To purge or not purge old users #7

Closed copelco closed 6 years ago

copelco commented 6 years ago

Margarita would explicitly purge users who aren't listed in devs:

https://github.com/caktus/margarita/blame/develop/project/devs.sls#L36-L47

This approach has pros and cons. Pros are that if you remove a user in devs, the next deploy will remove them. Cons include it being difficult to manage outside of the deploy process, e.g. if TS wants to add a user (caktus-backup) and it's not in devs, it'll get removed during the next deploy.

Anyways, opening the issue here since it currently differs from margarita.

jbradberry commented 6 years ago

Opened in Jira as TEQ-27.

I lean slightly towards implementing this. It simplifies removal of no longer active users at the expense (as noted) of increasing the complexity for adding accounts outside of the deployment cycle. Even that isn't as bad as it could be since it is possible to run tequila-common without any of the other roles, making it possible to have an expedited process for adding these accounts.

copelco commented 6 years ago

I haven't had a chance to test this locally, but I'm on board with the proposed direction in #8 and the logic looks good to me 👍
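
The trade-off discussed in this issue can be previewed before a deploy with a dry run. This is an added example, not code from tequila-common or margarita. The sample passwd data, the UID range used to skip system accounts, and the `exempt` list for accounts managed outside the deploy are assumptions.

```python
# Added example: dry-run plan for purging accounts not listed in devs.
# Sample data and helper names are constructed, not taken from the project.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
caktus-backup:x:1002:1002:Backup:/home/caktus-backup:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def login_accounts(passwd_text, uid_min=1000, uid_max=60000):
    """Return names of regular login accounts, skipping system users."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; never treat it as a purge candidate
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if not uid.isdigit():
            continue
        if uid_min <= int(uid) <= uid_max and shell not in NOLOGIN_SHELLS:
            names.append(name)
    return names


def purge_plan(passwd_text, devs, exempt=()):
    """Split existing login accounts into keep / exempt / purge."""
    devs, exempt = set(devs), set(exempt)
    plan = {"keep": [], "exempt": [], "purge": []}
    for name in login_accounts(passwd_text):
        if name in devs:
            plan["keep"].append(name)
        elif name in exempt:
            plan["exempt"].append(name)  # managed outside the deploy
        else:
            plan["purge"].append(name)
    return plan


if __name__ == "__main__":
    print(purge_plan(SAMPLE_PASSWD, devs=["alice"], exempt=["caktus-backup"]))
```

Without the `exempt` entry, `caktus-backup` lands in the purge list alongside `bob`, which is the failure mode described in the first comment.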