Removing Users (not disabling)

I have just installed a basic Sensu setup for evaluation for multiple possible uses. During setup a number of test users were created, but I’m seeing that it doesn’t seem possible either from sensuctl or from the API to truly delete a user.

I’ve seen the rationale for not making it easy to delete a user and even if I disagree with it I understand it. However, this makes security auditing of our installation deeply problematic. As pedantic as it may be, we have a hard requirement that ex-employees aren’t “disabled” but, after a safety window, permanently deleted, do not pass go do not collect 200 dollars.

How does one delete a user? Is there a configuration file somewhere from which it can be removed? Or a client for the underlying etcd database and a query that will remove the user and whatever dangling references need to be cleaned up?

Without an ability - even a tricky, hacked together one - to truly delete a user from the user list this may be a hard barrier to adoption. Which may be ridiculous in terms of internal policy (which I will admit) but it also seems ridiculous that I can’t delete users, so let’s agree to meet half way on this one :wink:


So the hacky way right now is to use etcdctl and manually delete the user key

Let me walk you through my setup with a tester user:

sensuctl user list

   Username         Groups       Enabled  
 ────────────── ──────────────── ───────── 
  admin          cluster-admins   true     
  tester         testers          true     

Here’s how get get a list of all the users using etcdctl

etcdctl get --prefix /



So now if i want to delete the tester user I can do this

etcdctl del /

If your usernames follow a good prefix pattern you can delete multiple keys with prefix option, but that’s a bit dangerous.

Note: remember to delete any granted Sensu api-keys as well.