In MergeTB, when a materialization is created, all nodes that are capable of having some sort of user account have accounts created for every user in the project to which the experiment belongs. This is often highly convenient. However, this is not, in general, the way that software is deployed. When real-world systems are deployed, the developers of the system do not have accounts in deployment environments. In some cases for ‘operated’ systems, there will be operator accounts, but this is by no means a universal rule.
So it would seem that placement of user accounts on nodes should be configurable, at the very least to support experiments in which the current automated user account creation would violate the validity of the experiment environment and experimenters then have to go in and explicitly delete accounts that were automatically created.
At the very least, making it configurable would be good. Having a toggle for “do not install user accounts” should be easy to implement. The default should be to create accounts though - as most people want things to just work.
How would users access experiment nodes that do not have accounts auto-created?
It seems to me that if accounts are not automatically created, then there should be a mechanism to define at least one specific account (with an associated ssh pubkey supplied to access that account). And if the mechanism can create one, it can create multiple, e.g. schwabtest with the schwab ssh-pubkey becomes a stanza somewhere, and there is a flag that defaults to true but can be overridden to false { “auto-create-accounts=false” }…