gravitational · atburke · Dec 6, 2023 · Dec 5, 2023
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2274,6 +2274,9 @@ enum CreateHostUserMode {
   HOST_USER_MODE_DROP = 2;
   // HOST_USER_MODE_KEEP enables host user creation and leaves users behind at session end.
   HOST_USER_MODE_KEEP = 3;
+  // HOST_USER_MODE_INSECURE enables host user creation without a home directory and deletes
+  // users at session end.
+  HOST_USER_MODE_INSECURE_DROP = 4;
 }
 
 // RoleOptions is a set of role options

diff --git a/api/types/role.go b/api/types/role.go
@@ -1513,9 +1513,10 @@ func (k *KubernetesResource) ClusterResource() string {
 }
 
 const (
-	createHostUserModeOffString  = "off"
-	createHostUserModeDropString = "drop"
-	createHostUserModeKeepString = "keep"
+	createHostUserModeOffString          = "off"
+	createHostUserModeDropString         = "drop"
+	createHostUserModeKeepString         = "keep"
+	createHostUserModeInsecureDropString = "insecure-drop"
 )
 
 func (h CreateHostUserMode) encode() (string, error) {
@@ -1528,6 +1529,8 @@ func (h CreateHostUserMode) encode() (string, error) {
 		return createHostUserModeDropString, nil
 	case CreateHostUserMode_HOST_USER_MODE_KEEP:
 		return createHostUserModeKeepString, nil
+	case CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP:
+		return createHostUserModeInsecureDropString, nil
 	}
 	return "", trace.BadParameter("invalid host user mode %v", h)
 }
@@ -1565,6 +1568,8 @@ func (h *CreateHostUserMode) decode(val any) error {
 		*h = CreateHostUserMode_HOST_USER_MODE_DROP
 	case createHostUserModeKeepString:
 		*h = CreateHostUserMode_HOST_USER_MODE_KEEP
+	case createHostUserModeInsecureDropString:
+		*h = CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP
 	default:
 		return trace.BadParameter("invalid host user mode %v", val)
 	}

diff --git a/api/types/role_test.go b/api/types/role_test.go
@@ -34,6 +34,7 @@ func TestMarshallCreateHostUserModeJSON(t *testing.T) {
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: ""},
 		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
+		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
 		got, err := json.Marshal(&tc.input)
 		require.NoError(t, err)
@@ -50,6 +51,7 @@ func TestMarshallCreateHostUserModeYAML(t *testing.T) {
 		{input: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, expected: "\"\""},
 		{input: CreateHostUserMode_HOST_USER_MODE_DROP, expected: "drop"},
 		{input: CreateHostUserMode_HOST_USER_MODE_KEEP, expected: "keep"},
+		{input: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, expected: "insecure-drop"},
 	} {
 		got, err := yaml.Marshal(&tc.input)
 		require.NoError(t, err)
@@ -68,6 +70,7 @@ func TestUnmarshallCreateHostUserModeJSON(t *testing.T) {
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "\"keep\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: 3},
 		{expected: CreateHostUserMode_HOST_USER_MODE_OFF, input: 1},
+		{expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: 4},
 	} {
 		var got CreateHostUserMode
 		err := json.Unmarshal([]byte(fmt.Sprintf("%v", tc.input)), &got)
@@ -86,6 +89,7 @@ func TestUnmarshallCreateHostUserModeYAML(t *testing.T) {
 		{expected: CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED, input: "\"\""},
 		{expected: CreateHostUserMode_HOST_USER_MODE_DROP, input: "drop"},
 		{expected: CreateHostUserMode_HOST_USER_MODE_KEEP, input: "keep"},
+		{expected: CreateHostUserMode_HOST_USER_MODE_INSECURE_DROP, input: "insecure-drop"},
 	} {
 		var got CreateHostUserMode
 		err := yaml.Unmarshal([]byte(tc.input), &got)