If an administrator accidentally brings a new Koji builder online without running koji add-host first, then the hub will auto-create a new account with USERTYPES['NORMAL']. The only way to reset the user type to "HOST" is to edit the users SQL table directly.
Strawman proposal:
Update koji/auth.py's sslLogin() method to take an optional usertype parameter. Update the builder code to pass "usertype=USERTYPES['HOST']" to sslLogin(). If the hub finds that there is no existing users record with a matching usertype, then fail the login (rather than inserting a normal users record).
Version compatibility notes: This would allow old builders to continue to authenticate against new hubs. It would not allow new builders to connect to old hubs.
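A minimal model of the strawman above, added here as an illustration (not Koji's code and not part of the original ticket): a login that declares a usertype is refused when no matching users row exists, while a login without one keeps the auto-create behaviour. The sqlite3 schema, the function names, the numeric USERTYPES values and the host names are assumptions made for the example.

```python
import sqlite3

# Stand-in for koji.USERTYPES; the numeric values are assumed for this sketch.
USERTYPES = {"NORMAL": 0, "HOST": 1}

class LoginError(Exception):
    """Login refused by the hub."""

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " name TEXT UNIQUE NOT NULL, usertype INTEGER NOT NULL)")
    return db

def add_host(db, name):
    """Stand-in for `koji add-host`: pre-register the builder as HOST."""
    return db.execute("INSERT INTO users (name, usertype) VALUES (?, ?)",
                      (name, USERTYPES["HOST"])).lastrowid

def ssl_login(db, cert_cn, usertype=None):
    """Hypothetical model of the proposed sslLogin(); returns the user id."""
    row = db.execute("SELECT id, usertype FROM users WHERE name = ?",
                     (cert_cn,)).fetchone()
    if usertype is not None:
        # New client states what it is: require a matching record, never create one.
        if row is None or row[1] != usertype:
            raise LoginError(f"no user {cert_cn!r} with usertype {usertype}")
        return row[0]
    if row is None:
        # Old client: today's behaviour, auto-create a NORMAL account.
        return db.execute("INSERT INTO users (name, usertype) VALUES (?, ?)",
                          (cert_cn, USERTYPES["NORMAL"])).lastrowid
    return row[0]

def demo():
    """Cases from the ticket, on constructed host names."""
    db, out = make_db(), {}
    add_host(db, "b2.example.com")   # registered properly before first login
    ssl_login(db, "b3.example.com")  # old client: auto-created as NORMAL
    for name in ("b1.example.com", "b2.example.com", "b3.example.com"):
        try:
            ssl_login(db, name, USERTYPES["HOST"])
            out[name] = "ok"
        except LoginError:
            out[name] = "refused"
    out["rows"] = db.execute("SELECT name, usertype FROM users ORDER BY id").fetchall()
    return out
```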
I've tried to fix it with #1874 - if the user is already created, you can use add-host --force now
Metadata Update from @tkopecek: - Custom field Size adjusted to None
Thank you!
I tested the command out. It raises an error on my hub.
$ kojidev add-host --force kojidev.example.com x86_64
2020-04-29 14:40:59,884 [ERROR] koji: Fault: <Fault 1: '<class \'psycopg2.IntegrityError\'>: duplicate key value violates unique constraint "user_krb_principals_krb_principal_key"\nDETAIL: Key (krb_principal)=(compile/kojidev.example.com@KOJIDEV.EXAMPLE.COM) already exists.\n'>
I'm concerned that Kerberos may not work properly because the user account will have a "compile/" prefix. For example:
> select * from users;
 id |            name             | password | status | usertype
----+-----------------------------+----------+--------+----------
  1 | kdreyer                     |          |      0 |        0
  2 | koji/kojira                 |          |      0 |        0
  3 | koji/garbagecollector       |          |      0 |        0
  4 | compile/kojidev.example.com |          |      0 |        0
... the "name" column should not have the "compile/" prefix if this is a valid builder account.
What do you think about the idea of preventing this earlier on kojid startup with sslLogin?
See also #2311