Open phall-teleport opened 2 months ago
I don't know that an empty host_groups option should be used to distinguish that Teleport is allowed to manage the user but not its groups. That's a potentially confusing and breaking change to make as some people might actually want an empty host_groups option to delete any groups manually applied by a human.
An alternative could be to introduce an option manage_groups that could disable group management, regardless of the host_groups option. This would allow the administrators to be explicit about their intentions.
What would you like Teleport to do? When I omit the spec.allow.host_groups parameter from a role definition (thereby signaling my intention to not have Teleport manage groups), I would expect Teleport to ignore anything to do with groups, whereas you now treat an omission as a default empty set and process it as such.
What problem does this solve? Teleport unnecessarily creating log noise by removing a group every time a certain type of user logs in and out of a system
If a workaround exists, please include it. Allowing Teleport to manage group membership, but this becomes cumbersome in a larger environment where some hosts should allow a certain group to be created and others shouldn't.