Extend userd with Google directory integration

[crabhi]

Hi @alexlance, I plan to create a similar tool to yours. In fact, I found userd because I thought it would be a cool name and googled it to find if someone is already using it. :-)

What I'd like to have:

• define the users in Google directory
• have a config file in /etc on each server that defines how Google groups map to system groups and which groups are relevant for this server, also list what users are not managed by this tool
• download authorized keys from Github (https://github.com/alexlance.keys)
• [maybe later] notify to Slack about warnings (such as if a system user like www-data has any authorized keys)
• [maybe later] extend similar approach to PostgreSQL user/role management

I think I could extend your tool with this functionality (abstract the config provider based on command line flag).

My question is - would you like that we coordinate with the aim to merge such changes to your tool or should I keep mine separate? Thank you.

[alexlance]

Ah that sounds very interesting - but also sounds like a fairly large leap in functionality for userd.

I would love to collaborate with you (or anyone else who can write and code:) but I also have to be practical in acknowledging that this project's aims might not line up with what you're trying to achieve.

But feel free to fork userd or pinch bits of it etc, it'd be awesome to see how you end up approaching the problem.

There's also a thought in the back of my mind about incorporating AWS IAM user accounts into userd - as a separate authentication provider. So eg, you could have different auth providers like:

• github
• AWS IAM
• Google directory
• ?

I kind of wonder how that would shake out, but generally in the case of user management, I want the solution to be as absolutely simple, secure and fail-proof as possible.

Also I just like github as an authentication provider - the accountability and auditability of a git repo, as well as being able to receive PRs to grant access are just outstanding mechanisms for user account management.

Anyway just thinking out loud - I'd probably prefer to keep userd quite simple - but feel free to push against my thinking if you've got an approach that you're excited about.

[crabhi]

Thanks for your response. The github repo approach is nice and the accountability is a clear benefit. I'm doing this for a startup of ~180 people, growing at ten a month. All the people have to be registered in the central directory (and I hope there is some audit log too ;-)). When they're already there, maintaining an extra git repo becomes extra work. What's worse, you can forget to remove someone's account if they leave. This is actually huge because there's a ton of external services.

We have the user config in Ansible in GIthub repo so far and we'd like to move away of it.

Anyway, I'll go ahead forking your repo and I'd love if you could have a look at a PR afterwards. Maybe you could spot some security issue even if you don't end up merging this into your codebase. Because of the christmas season, I don't think any PR will be ready soon, though. 🎄