hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

modify management API of 'groups set-members' to support zero -member option #4921

Open puetz-partec opened 3 months ago

puetz-partec commented 3 months ago

Is your feature request related to a problem? Please describe.
It is currently not easily possible to set the number of members in a group to an empty set since 'group set-member' option requires that at least one -member option is present. However it should be valid that a group is completely empty (at least for transition periods).

Describe the solution you'd like
Modify the interface of 'groups set-member' to accept that no -member option is present and to interpret that as an empty member list. Currently the API returns an error saying it expects at least a -member count of 1.

Describe alternatives you've considered
1) Modify the interface of 'groups set-member' to accept a -clear flag to indicate that the set of members should be empty.
2) Add a 'groups clear' sub-command option to achieve the same.

Explain any additional use-cases

Additional context
My current workaround is to do this in two steps:
1) groups set-members -member u_auth
2) groups remove-members -member u_auth
Not nice, but it works.

jimlambrt commented 3 months ago

Hum... we build the "set" methods like this because it allows you to prevent someone from simply forgetting to provide a list of principals which I think is very important when it comes to safety/trust in the API.

We could provide a "remove all" action I guess. It's better than setting the members to u_auth which seems like a security issue.

puetz-partec commented 3 months ago

I'd agree that a specific "clear" sub-command option would probably be better.

PS: I am not really using u_auth for my workaround, but a pre-generated user that has no possibility of successfully authenticating. It acts as my flavor of 'u_nobody' (which does not exist).

learhy commented 1 month ago

Hey @puetz-partec, thanks for the suggestion-- it's a good one, and I'm glad you've got something in place that works for you now, even if it's not ideal. We've got a packed roadmap right now but we will keep this issue open to gauge community support for the idea and will also consider it for future releases where we focus on increasing ease of use.
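
The API shape discussed in this thread, as an added Go example that is not Boundary's code and not written by any commenter: a "set" call that rejects an empty list next to an explicit clear action, so a caller that forgot its list cannot silently empty a group. The `Group` type, `ClearMembers`, and the `u_alice`/`u_bob` IDs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNoMembers is returned when a set call carries no member IDs.
var ErrNoMembers = errors.New("set requires at least one member; use ClearMembers")

// Group is a hypothetical in-memory stand-in for a group resource.
type Group struct{ members map[string]struct{} }

func NewGroup(ids ...string) *Group {
	g := &Group{members: map[string]struct{}{}}
	for _, id := range ids {
		g.members[id] = struct{}{}
	}
	return g
}

// SetMembers replaces the whole member set. An empty or nil list is treated
// as a caller mistake, and the existing membership is left untouched.
func (g *Group) SetMembers(ids []string) error {
	if len(ids) == 0 {
		return ErrNoMembers
	}
	next := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		if id == "" {
			return errors.New("empty member id")
		}
		next[id] = struct{}{}
	}
	g.members = next // swap only after every ID validated
	return nil
}

// ClearMembers is the explicit "remove all" action; it returns the number
// of members removed so the caller can log or audit the change.
func (g *Group) ClearMembers() int {
	n := len(g.members)
	g.members = map[string]struct{}{}
	return n
}

// Members returns the member IDs in sorted order.
func (g *Group) Members() []string {
	out := make([]string, 0, len(g.members))
	for id := range g.members {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

func main() {
	g := NewGroup("u_alice", "u_bob") // constructed sample IDs
	var lookedUp []string             // e.g. a lookup that returned nothing
	fmt.Println(g.SetMembers(lookedUp), g.Members())
	fmt.Println(g.ClearMembers(), g.Members())
}
```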