Closed rosstimothy closed 2 months ago
Going forward Teleport should only reconcile groups if the user can be identified as managed by Teleport. Presently this is only possible for users created when using DROP or INSECURE DROP mode because they get added to a `teleport-system` group. Users created in KEEP mode are not added to any groups, so Teleport cannot determine if an existing user is managed by Teleport or not.

To fix this issue Teleport should start adding users created in KEEP mode to a `teleport-managed` group. Any users previously created by Teleport have three options for migrating to being managed by Teleport:

1) update `host_groups` in the user's role to include `teleport-managed`
2) manually delete the local user from the host
3) manually add the local user to the `teleport-managed` group

This also applies to static host users which will exist in the near future. These users are going to be added to the `teleport-static` group so they will be identifiable out of the gate.
After https://github.com/gravitational/teleport/issues/41178 was resolved, Teleport will attempt to reconcile groups for users when host user creation is enabled. However, as pointed out by @strideynet in https://github.com/gravitational/teleport/issues/45411#issuecomment-2285899405:
Introduced by https://github.com/gravitational/teleport/pull/41919
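The identification rule the issue proposes, written out as an added example (not Teleport's own code): a local user is treated as Teleport-managed only if it is a member of one of the marker groups named above (`teleport-system`, `teleport-managed`, `teleport-static`); anyone else is left alone, which is exactly the set of pre-existing KEEP-mode users that would need one of the three migration options. The `/etc/group` content is a constructed sample, and the exact way Teleport walks group membership is an assumption of this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Marker groups taken from the issue: membership in any of these is the only
// signal that a local user was created by Teleport. Group names are real
// (from the issue); the lookup logic is a simplified illustration.
var teleportMarkerGroups = []string{"teleport-system", "teleport-managed", "teleport-static"}

// sampleGroupFile is a constructed /etc/group excerpt, not from a real host.
// bob: DROP-mode user, carol: migrated KEEP-mode user, svc-backup: static
// host user, alice/dave: KEEP-mode users created before the change (no marker).
const sampleGroupFile = `root:x:0:
sudo:x:27:alice
teleport-system:x:990:bob
teleport-managed:x:991:carol
teleport-static:x:992:svc-backup
docker:x:999:alice,dave
`

// parseGroupMembers reads /etc/group-format text and returns group -> members.
func parseGroupMembers(content string) map[string][]string {
	groups := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":") // name:password:gid:member,member
		if len(fields) < 4 {
			continue // malformed line, skip rather than guess
		}
		var members []string
		if fields[3] != "" {
			members = strings.Split(fields[3], ",")
		}
		groups[fields[0]] = members
	}
	return groups
}

// teleportMarker returns the marker group that identifies user as
// Teleport-managed, or "" when the user carries no marker.
func teleportMarker(groups map[string][]string, user string) string {
	for _, g := range teleportMarkerGroups {
		for _, m := range groups[g] {
			if m == user {
				return g
			}
		}
	}
	return ""
}

// classifyUsers splits candidate local users into those Teleport may reconcile
// (with the marker group that justifies it) and those it must leave untouched.
func classifyUsers(groups map[string][]string, users []string) (managed map[string]string, unmanaged []string) {
	managed = make(map[string]string)
	for _, u := range users {
		if g := teleportMarker(groups, u); g != "" {
			managed[u] = g
		} else {
			unmanaged = append(unmanaged, u)
		}
	}
	sort.Strings(unmanaged)
	return managed, unmanaged
}

func main() {
	groups := parseGroupMembers(sampleGroupFile)
	users := []string{"alice", "bob", "carol", "dave", "svc-backup"}
	managed, unmanaged := classifyUsers(groups, users)
	for u, g := range managed {
		fmt.Printf("%s: managed by Teleport (member of %s), groups eligible for reconciliation\n", u, g)
	}
	for _, u := range unmanaged {
		fmt.Printf("%s: no marker group, leave as-is (needs one of the migration options)\n", u)
	}
}
```

Running it against the sample reports bob, carol and svc-backup as managed and alice and dave as untouched; the unmanaged list is the one an operator would review before choosing between updating `host_groups`, deleting the local user, or adding it to `teleport-managed` by hand.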