-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Delete user if inactive only #61
base: master
Are you sure you want to change the base?
Delete user if inactive only #61
Conversation
@ChrisPates could you review this PR pls ? |
@ChrisPates What are your thoughts on this code optimisation? |
So I have a number of issues to address around how the adds/updates/deletes are determined. The part that is really the source of this undesirable behaviour is the call to retrieve deleted users from the Google side. So I'm looking at performing a full comparison (which wasn't possible before the introduction of the identityStore api) and potentially making use of the external identifier fields in identity store so matching is more accurate. Also this would provide a route back from the use of DisplayName which allows duplicates on the Google side (since they key on primary email address) but on the identity store side it must because it keys on displayName. |
Awesome looking forward to it @ChrisPates - indeed relying on just the users list API call on the Google side (with Will keep an eye on this thread. |
I've had to update the workflows, can you update your fork from master and update this PR, I'll get it merged into the main code base. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks, good once the PR has been updated from master. I'll run through the dev pipeline and get it merged in to master.
Thanks @ChrisPates - I'll get this done as soon as possible. |
Issue #59
Description of changes:
Problem
Noticed that if we delete a user on the Google side and then recreate it with the exact same details the following occurs:
ssosync will consider that user as inactive based on the API response, hence deleting it from AWS SSO
https://github.com/awslabs/ssosync/blob/master/internal/sync.go#L70-L103
https://github.com/awslabs/ssosync/blob/master/internal/google/client.go#L64-L73
ssosync will then list all the active users and it will see that it needs to add again the user that has just been deleted in the previous step.
https://github.com/awslabs/ssosync/blob/master/internal/sync.go#L105-L152
At this stage user will have no permission sets assigned on AWS SSO, and this will happen every time we run ssosync.
Possible Solution
I believe that it would be beneficial to change the
SyncUsers
function so it checks that all of the API returned deleted users are in fact inactive, and for the ones that are now active it just ignores them by building a new list of deleted users which we can iterate over just like its being done atm.