Strawman proposal:

Update koji/auth.py's sslLogin() method to take an optional usertype parameter. Update the builder code to pass "usertype=USERTYPES['HOST']" to sslLogin(). If the hub finds that there is no existing users record with a matching usertype, then fail the login (rather than inserting a normal users record).

Version compatibility notes:
This would allow old builders to continue to authenticate against new hubs. It would not allow new builders to connect to old hubs.

i've tried to fix it with #1874 - if user is already created, you can use add-host --force now

Thank you!

I tested the command out. It raises an error on my hub.

$ kojidev add-host --force kojidev.example.com x86_64
2020-04-29 14:40:59,884 [ERROR] koji: Fault: <Fault 1: '<class \'psycopg2.IntegrityError\'>: duplicate key value violates unique constraint "user_krb_principals_krb_principal_key"\nDETAIL:  Key (krb_principal)=(compile/kojidev.example.com@KOJIDEV.EXAMPLE.COM) already exists.\n'>

I'm concerned that Kerberos may not work properly because the user account will have a "compile/" prefix. For example:

> select * from users;
 id |            name             | password | status | usertype 
----+-----------------------------+----------+--------+----------
  1 | kdreyer                     |          |      0 |        0
  2 | koji/kojira                 |          |      0 |        0
  3 | koji/garbagecollector       |          |      0 |        0
  4 | compile/kojidev.example.com |          |      0 |        0

... the "name" column should not have the "compile/" prefix if this is a valid builder account.

What do you think about the idea of preventing this earlier on kojid startup with sslLogin?

See also #2311