Skip to content

KC-1330 bugfix: Launch/Admin credential don't stick after pam connection edit#2181

Open
idimov-keeper wants to merge 1 commit into
releasefrom
KC-1330-launch-credential-not-attached-on-first-pam-connection-edit-admin-missing-when-admin-and-launch-are-the-same-pam-user
Open

KC-1330 bugfix: Launch/Admin credential don't stick after pam connection edit#2181
idimov-keeper wants to merge 1 commit into
releasefrom
KC-1330-launch-credential-not-attached-on-first-pam-connection-edit-admin-missing-when-admin-and-launch-are-the-same-pam-user

Conversation

@idimov-keeper

Copy link
Copy Markdown
Contributor

Fixes KC-1330: pam connection edit now attaches admin and launch credentials on the first run when configure_resource is used.
After krouter sets credential flags, the local link_user() follow-up was writing only { belongs_to: true }, which clobbered is_launch_credential on the launch user's ACL edge. When admin and launch are the same pamUser, is_admin was also lost.
The follow-up now preserves krouter flags:

  • Different users: belongs_to + is_launch_credential on the launch edge
  • Same user: also is_admin when admin_uid == launch_uid

Root cause

TunnelDAG.set_launch_credentials() uses a two-step flow:

  1. krouter configure_resource with connectUsers and optional adminUid
  2. Local link_user() + DAG save() on the launch user's ACL edge
    Issue 1 (different users): follow-up overwrote the edge without is_launch_credential.
    Issue 2 (same user): krouter does not set is_admin when the user is in connectUsers; the follow-up must preserve it locally.

…admin missing when admin and launch are the same pamUser

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant