Listing Members of a Group

Is there a way to list all of the members of a group using the CLI? I see how to add/remove users from groups, but I don't see a way to verify that those actions succeeded.

I think this could be useful to others but my use case is rather specific. I'm trying to contribute to the 1Password Terraform provider in order to add management of users within groups. For the best user experience Terraform needs to be able to introspect on an existing state, meaning that in order to determine who to add/remove from a group it needs to first know who is in that group.

I'd love this feature to help better coordinate my 1Password account's user setup!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ah, it looks like this was added already. Sorry for the duplicate post!

    https://discussions.agilebits.com/discussion/comment/522445#Comment_522445 for the previous discussion I found, and the example usage.

    I'll try and get a PR against the Terraform provider so that it benefits from this addition.

  • ag_anaag_ana

    Team Member

    Hi @taiidani!

    No worries at all! I am glad you managed to find the other discussion, and that it was helpful :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • taiidanitaiidani
    edited July 11

    Hi @ag_ana -- actually related to this: I was able to get group members listed correctly, but when I try to add a user to the group I'm seeing unexpected behavior:

    If I'm not in the group and try to add myself, it does not succeed and I see this error message:

    $ export USER_ID=KDLG56VTIJDXXBXC2KKCPHNHHI
    $ export GROUP_ID=fmownretj6zdobn2cnjtqqyrae
    $ op add user $USER_ID $GROUP_ID
    [ERROR] 2020/07/11 11:46:04 unable to find group keyset with UUID m5wpt5rtztdra6hyoo5zk3by7q
    

    I've tried specifying both with the group UUID and Name, and found that if I do a "get" on the group resource the "activeKeysetUuid" property in the response matches the error message.

    Interestingly as well, if I'm already in the group and try to run the same command, I get no output from the CLI but in the Web UI's audit log it says that I changed my role within the group, when that role didn't change.

    Thoughts about what I'm seeing? I'm so close!

    EDIT: "op" version 1.2.1 and macOS 10.15.5, if that helps

  • Matthew_1PMatthew_1P

    Team Member

    Hey @taiidani, thanks for the report — I was able to reproduce this, so I've gone ahead and passed it on to our developers. Sorry for the trouble in the meantime! :sweat:

    If there's anything else we can help with, just give us a shout. :smile:

    ref: dev/b5/op#833

  • Oh, excellent! Thank you for working to address it Matthew!

  • ag_anaag_ana

    Team Member

    On behalf of Matthew, you are welcome @taiidani! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • felix_1pfelix_1p

    Team Member

    @taiidani I'm a software engineer working on the command line tool and just wanted to provide some more details to what you are seeing.

    If I'm not in the group and try to add myself, it does not succeed and I see this error message:

    That's a known (to use at least) limitation of the command line tool. You have to be a manager of the group before you can add other users to it. Without being a manager, you don't have access to the group's keyset, hence that error.

    The web client achieves that by having access to a special keyset. We need to add the same functionality to the command line tool.

    And of course we have to improve the error message, because it's not helpful at all.

    Interestingly as well, if I'm already in the group and try to run the same command, I get no output from the CLI but in the Web UI's audit log it says that I changed my role within the group, when that role didn't change.

    Following UNIX philosophy, we try to only output something if it's important and we try to make most commands "idempotent". I.e. if a user is already a member it shouldn't throw an error. However, we do currently send an update request to change the user's role to what is requested (if nothing is specified it's "member"). It looks like the server will still perform the update even if the user already has that role, hence the activity log entry.
    We could possibly check the role on the client side already and avoid sending the request.

  • @felix_1p That makes plenty of sense, and thank you for the extended description on what's happening in the internals; I greatly appreciate the insight!

    Confirmed that I'm in my company's Administrators group and have not been a member (or manager) of the groups I've been testing against, so the problems I ran into track with the behavior you are seeing on your side.

    I currently have a draft PR up in the provider that I've been contributing to around a new "group_member" resource. No pressure at all on a fix, but as the provider is fairly decoupled from the op binary I would be happy to test as new builds become available!

  • felix_1pfelix_1p

    Team Member

    @taiidani We have just release v1.4.0 which adds the ability to add users to any groups, whether you are a member or not.

  • Hmm, @felix_1p I still seem to be having a problem on 1.4.0.

    1. Create new group. By default my "Administrators Group" user is automatically added to it as a Manager
    2. Remove myself from said group.
    3. op add user TGKW5A3CPBCU5END3LLD3WCKXI eqedhnq3pno6cpciuu5jfdsram

    Results in: [ERROR] 2020/07/30 16:00:05 You don't have permission to add users to this group.

    I can successfully add myself to the group using the Web UI, and I also tried adding another user to the Group first which also produced the same error.

    Any ideas? Any more information I can provide to help?

  • felix_1pfelix_1p

    Team Member

    @taiidani I was able to reproduce the issue. Contrary to what I said in the release notes, it looks like we only fixed this issue for owners, not for admins. I'm really sorry about that. I have reached out to my colleagues to figure out what I'm missing here.

  • felix_1pfelix_1p

    Team Member

    @taiidani You may have noticed this already, but we fixed the issue for admins. We were able to fix this on the server side, so no new command line tool version is necessary.

  • Confirmed, it's working great for me now! Thank you so much for the rapid turnaround on this -- I greatly appreciate it.

  • ag_anaag_ana

    Team Member

    Thank you for the update @taiidani! I am glad to hear this :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file