Listing Members of a Group
Is there a way to list all of the members of a group using the CLI? I see how to add/remove users from groups, but I don't see a way to verify that those actions succeeded.
I think this could be useful to others but my use case is rather specific. I'm trying to contribute to the 1Password Terraform provider in order to add management of users within groups. For the best user experience Terraform needs to be able to introspect on an existing state, meaning that in order to determine who to add/remove from a group it needs to first know who is in that group.
I'd love this feature to help better coordinate my 1Password account's user setup!
Comments
-
Ah, it looks like this was added already. Sorry for the duplicate post!
https://discussions.agilebits.com/discussion/comment/522445#Comment_522445 for the previous discussion I found, and the example usage.
I'll try and get a PR against the Terraform provider so that it benefits from this addition.
0 -
Hi @ag_ana -- actually related to this: I was able to get group members listed correctly, but when I try to add a user to the group I'm seeing unexpected behavior:
If I'm not in the group and try to add myself, it does not succeed and I see this error message:
$ export USER_ID=KDLG56VTIJDXXBXC2KKCPHNHHI
$ export GROUP_ID=fmownretj6zdobn2cnjtqqyrae
$ op add user $USER_ID $GROUP_ID
[ERROR] 2020/07/11 11:46:04 unable to find group keyset with UUID m5wpt5rtztdra6hyoo5zk3by7q
I've tried specifying both with the group UUID and Name, and found that if I do a "get" on the group resource the "activeKeysetUuid" property in the response matches the error message.
Interestingly as well, if I'm already in the group and try to run the same command, I get no output from the CLI but in the Web UI's audit log it says that I changed my role within the group, when that role didn't change.
Thoughts about what I'm seeing? I'm so close!
EDIT: "op" version 1.2.1 and macOS 10.15.5, if that helps
0 -
Oh, excellent! Thank you for working to address it Matthew!
0 -
@taiidani I'm a software engineer working on the command line tool and just wanted to provide some more details to what you are seeing.
> If I'm not in the group and try to add myself, it does not succeed and I see this error message:
That's a known (to us at least) limitation of the command line tool. You have to be a manager of the group before you can add other users to it. Without being a manager, you don't have access to the group's keyset, hence that error.
The web client achieves that by having access to a special keyset. We need to add the same functionality to the command line tool.
And of course we have to improve the error message, because it's not helpful at all.
> Interestingly as well, if I'm already in the group and try to run the same command, I get no output from the CLI but in the Web UI's audit log it says that I changed my role within the group, when that role didn't change.
Following UNIX philosophy, we try to only output something if it's important and we try to make most commands "idempotent". I.e. if a user is already a member it shouldn't throw an error. However, we do currently send an update request to change the user's role to what is requested (if nothing is specified it's "member"). It looks like the server will still perform the update even if the user already has that role, hence the activity log entry.
We could possibly check the role on the client side already and avoid sending the request.
0 -
@felix_1p That makes plenty of sense, and thank you for the extended description on what's happening in the internals; I greatly appreciate the insight!
Confirmed that I'm in my company's Administrators group and have not been a member (or manager) of the groups I've been testing against, so the problems I ran into track with the behavior you are seeing on your side.
I currently have a draft PR up in the provider that I've been contributing to around a new "group_member" resource. No pressure at all on a fix, but as the provider is fairly decoupled from the op binary I would be happy to test as new builds become available!
0 -
Hmm, @felix_1p I still seem to be having a problem on 1.4.0.
- Create new group. By default my "Administrators Group" user is automatically added to it as a Manager
- Remove myself from said group.
op add user TGKW5A3CPBCU5END3LLD3WCKXI eqedhnq3pno6cpciuu5jfdsram
Results in:
[ERROR] 2020/07/30 16:00:05 You don't have permission to add users to this group.
I can successfully add myself to the group using the Web UI, and I also tried adding another user to the Group first which also produced the same error.
Any ideas? Any more information I can provide to help?
0 -
Confirmed, it's working great for me now! Thank you so much for the rapid turnaround on this -- I greatly appreciate it.
0