
Force Creation of OS-Login usernames

I am using OS-login to manage all VM ssh access. It's great.

I would like to preconfigure some VM home files for new users. This involves creating a network-based home directory and assigning some files to a user's UID.

The issue I am having is that before a user has a username and uid assigned to them, which I can use for network file permissions for their files, they appear to need to log in to a machine.

After that it seems the nss cache can be updated with `sudo google_oslogin_nss_cache` and then their user info is viewable with `getent passwd`.

I wanted to better understand exactly when the user id is populated and made available for nss. Am I correctly understanding that it is on first login? Is there any way to force the creation of an os_login username for a new user who exists on a GCP project (has IAM roles), but has not yet logged into any machines?


This article may help us:

https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org

It seems to say that we can define properties that will apply when a user logs in. This includes the userid being used as well as the UID and GID values. So, in principle, depending on your corpus of users ... if they are configured in your Google Cloud domain you can pre-assign them these values and all should be good.

Ok makes sense. So what you're describing would be to make a call to the `update` method of the Workspace Directory API and add a `PosixAccounts` object to a user who exists on workspace. Via the method described here?

https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update

Howdy Jackson ... I'm going to say yes (in italics). I personally haven't tried it before ... but the theory sounds good. What I'd suggest is that instead of writing a lot of code to do this, we use some "CURL" commands and do some experimentation first. The documentation seems to hold up, but if I were sitting in your seat, I'd choose a sample user ... give them "Posix" attributes, perform a Compute Engine SSH OS-Login and validate that they have the correct UID/GID that we expect.
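
The experiment suggested in the last reply, sketched as an added example that is not part of the original thread: build the `posixAccounts` body for the Directory API `users.update` call, send it with curl, then compare the VM's `getent passwd` entry with the IDs that were assigned. The username, UID/GID, home path, the `ACCESS_TOKEN` variable and the "no IDs below 1000" rule are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Usernames, IDs and paths in the usage comment are
# constructed sample values.

# Build a users.update body with one posixAccounts entry.
posix_body() {  # args: username uid gid home_directory
  case "$1" in ''|*[!a-z0-9_]*) echo "bad username" >&2; return 1;; esac
  case "$4" in /*) ;; *) echo "home must be absolute" >&2; return 1;; esac
  case "$4" in *[\"\\]*) echo "bad character in home" >&2; return 1;; esac
  for n in "$2" "$3"; do
    case "$n" in ''|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1;; esac
    # Assumed local policy: never hand out root or system-range IDs.
    [ "$n" -ge 1000 ] || { echo "refusing id below 1000" >&2; return 1; }
  done
  printf '{"posixAccounts":[{"username":"%s","uid":"%s","gid":"%s","homeDirectory":"%s","shell":"/bin/bash"}]}\n' \
    "$1" "$2" "$3" "$4"
}

# Send the body with users.update. ACCESS_TOKEN is an assumption: an OAuth
# token for an admin who is allowed to edit users through the Directory API.
push_posix() {  # args: user_email json_body
  curl -sS -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN:?set ACCESS_TOKEN}" \
    -H "Content-Type: application/json" \
    -d "$2" \
    "https://admin.googleapis.com/admin/directory/v1/users/$1"
}

# Check one `getent passwd` line against the IDs that were assigned.
check_passwd() (  # args: passwd_line uid gid
  IFS=: read -r _name _pw uid gid _rest <<EOF
$1
EOF
  [ "$uid" = "$2" ] && [ "$gid" = "$3" ]
)

# Usage (not run here):
#   push_posix alice@example.com \
#     "$(posix_body alice_example_com 20001 20001 /nfs/home/alice)"
# then, on a VM after the test user's SSH login:
#   check_passwd "$(getent passwd alice_example_com)" 20001 20001 && echo match
```

Pick IDs that cannot collide with accounts already present on the VMs or on the file server, since the network home directory permissions depend on the UID alone.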