Removing Users (not disabling)

erikharrison · May 4, 2020, 5:23pm

I have just installed a basic Sensu setup for evaluation for multiple possible uses. During setup a number of test users were created, but I’m seeing that it doesn’t seem possible either from sensuctl or from the API to truly delete a user.

I’ve seen the rationale for not making it easy to delete a user and even if I disagree with it I understand it. However, this makes security auditing of our installation deeply problematic. As pedantic as it may be, we have a hard requirement that ex-employees aren’t “disabled” but, after a safety window, permanently deleted, do not pass go do not collect 200 dollars.

How does one delete a user? Is there a configuration file somewhere from which it can be removed? Or a client for the underlying etcd database and a query that will remove the user and whatever dangling references need to be cleaned up?

Without an ability - even a tricky, hacked together one - to truly delete a user from the user list this may be a hard barrier to adoption. Which may be ridiculous in terms of internal policy (which I will admit) but it also seems ridiculous that I can’t delete users, so let’s agree to meet half way on this one

jspaleta · May 4, 2020, 9:25pm

Hey,

So the hacky way right now is to use etcdctl and manually delete the user key

Let me walk you through my setup with a tester user:

sensuctl user list

   Username         Groups       Enabled  
 ────────────── ──────────────── ───────── 
  admin          cluster-admins   true     
...
  tester         testers          true

Here’s how get get a list of all the users using etcdctl

etcdctl get --prefix /sensu.io/users
/sensu.io/users/admin

admin<$2a$10$hdcdzcRL7DPw0mmcCEms8egufc38/fV8eWfiGnYRfSP0yOhWir.dW�cluster-admins
...
/sensu.io/users/tester

tester<$2a$10$ET5KDW/3yTO4zc.7Pd/xguRO3Dm4SjCBoq.nTnWZ5WvaHN7mIHUo2�testers

So now if i want to delete the tester user I can do this

etcdctl del /sensu.io/users/tester

If your usernames follow a good prefix pattern you can delete multiple keys with prefix option, but that’s a bit dangerous.

Note: remember to delete any granted Sensu api-keys as well.

Topic		Replies	Views
User data location - move to postgres Sensu Go	3	271	September 10, 2021
Automating `sensuctl` configuration for administrative tasks Sensu Go	0	911	February 6, 2019
Are these bugs in 5.12? Sensu Go	2	460	September 12, 2019
Delete namespace and all its contents Sensu Go sensu-go , sensuctl	3	921	December 29, 2020
Audit logs for user creation, deletion, login failures etc Sensu Go enterprise	3	831	March 1, 2019

Removing Users (not disabling)

Related Topics