Actions
Feature #11153
open[API] create_token script should allow operator to provide token scopes and opaque comment
Story points:
-
Release:
Release relationship:
Auto
Description
Background¶
Currently the install guide relies on the script/create_superuser_token.rb
program in the apiserver package to generate superuser tokens for services like keep-balance and crunch-dispatch-slurm.
- There is no way to specify scopes to limit token powers. Both keep-balance and crunch-dispatch-slurm should be using scoped tokens (e.g., they shouldn't be able to delete collections or create users).
- There is no way to attach a comment to a token, e.g., to note its intended use.
Proposed solution¶
Add a comment
text column to the api_client_authorizations table and ApiClientAuthorization API responses.
script/create_token.rb
that takes options
--user=zzzzz-tpzed-000000000000000
to specify uuid of target user (default = root)--role=keep-balance
to set scopes suitable for keep-balance (see "data manager token" example in source:services/api/test/fixtures/api_client_authorizations.yml)--role=crunch-dispatch
to set scopes suitable for crunch-dispatch (details TBD?)--comment="unparsed text"
to set comment--reuse
to reuse an existing unexpired token with the specified user/scopes/comment, if one exists (if not, create a new one)--token=string
to specify the new token (if the given token already exists, confirm that it matches the specified scopes/comment/user)- (future?)
--expires-at=timestamp
to set expiry time
The existing script/create_superuser_token.rb
program should continue to work, using the new generic code under the hood (IOW it follows the same code path as script/create_token.rb --reuse [--token=X]
)
Update install docs accordingly.
Updated by Tom Clegg over 7 years ago
- Description updated (diff)
- Category set to Deployment
Updated by Tom Morris about 7 years ago
- Target version set to Arvados Future Sprints
Updated by Ward Vandewege over 3 years ago
- Target version deleted (
Arvados Future Sprints)
Actions