Arvados

Background¶

Currently the install guide relies on the script/create_superuser_token.rb program in the apiserver package to generate superuser tokens for services like keep-balance and crunch-dispatch-slurm.

This program has some shortcomings:

• There is no way to specify scopes to limit token powers. Both keep-balance and crunch-dispatch-slurm should be using scoped tokens (e.g., they shouldn't be able to delete collections or create users).
• There is no way to attach a comment to a token, e.g., to note its intended use.

Proposed solution¶

Add a comment text column to the api_client_authorizations table and ApiClientAuthorization API responses.

Create a new script script/create_token.rb that takes options

• --user=zzzzz-tpzed-000000000000000 to specify uuid of target user (default = root)
• --role=keep-balance to set scopes suitable for keep-balance (see "data manager token" example in source:services/api/test/fixtures/api_client_authorizations.yml)
• --role=crunch-dispatch to set scopes suitable for crunch-dispatch (details TBD?)
• --comment="unparsed text" to set comment
• --reuse to reuse an existing unexpired token with the specified user/scopes/comment, if one exists (if not, create a new one)
• --token=string to specify the new token (if the given token already exists, confirm that it matches the specified scopes/comment/user)
• (future?) --expires-at=timestamp to set expiry time

The existing script/create_superuser_token.rb program should continue to work, using the new generic code under the hood (IOW it follows the same code path as script/create_token.rb --reuse [--token=X])

Update install docs accordingly.