Story #12705

Documentation/helper scripts for migrating users to federated identity

Added by Peter Amstutz over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 01/11/2018
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -

Subtasks

Task #12774: Review 12705-user-migrate-docs (Resolved, Tom Clegg)

Task #12955: Review 12705-token-cache (Resolved, Tom Clegg)


Related issues

Related to Arvados - Story #12702: Migrate user accounts (Resolved, 01/05/2018)

Related to Arvados - Story #12945: Document and test identity provider migration for user accounts (Duplicate)

Blocked by Arvados - Story #11453: Federated user identity which works across a network of Arvados clusters (Closed, 06/20/2017)

Associated revisions

Revision 707e31da
Added by Tom Clegg over 2 years ago

Merge branch '12705-user-migrate-docs'

closes #12705

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

Revision d179241c
Added by Tom Clegg over 2 years ago

Merge branch '12705-token-cache'

closes #12705

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

History

#2 Updated by Peter Amstutz over 2 years ago

  • Blocked by Story #11453: Federated user identity which works across a network of Arvados clusters added

#3 Updated by Tom Morris over 2 years ago

  • Target version set to 2017-12-20 Sprint

#4 Updated by Peter Amstutz over 2 years ago

  • Assigned To set to Peter Amstutz

#5 Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2017-12-20 Sprint to 2018-01-17 Sprint

#6 Updated by Peter Amstutz over 2 years ago

  • Assigned To deleted (Peter Amstutz)

#7 Updated by Tom Clegg over 2 years ago

  • Assigned To set to Tom Clegg

#8 Updated by Tom Clegg over 2 years ago

#9 Updated by Tom Clegg over 2 years ago

  • Status changed from New to In Progress

#10 Updated by Lucas Di Pentima over 2 years ago

This LGTM, thanks.

#11 Updated by Tom Clegg over 2 years ago

  • Related to Story #12945: Document and test identity provider migration for user accounts added

#12 Updated by Anonymous over 2 years ago

  • Status changed from In Progress to Resolved

#13 Updated by Tom Clegg over 2 years ago

  • Status changed from Resolved to In Progress

After moving an errant federated account record (added by a user logging in to a remote cluster before their account has been migrated) out of the way, the remote cluster's cached token entry gets moved along with it. When the user visits with the same token, they end up using the account that was supposed to be moved out of the way. The easy workaround is to wait 5 minutes for the cache to expire. This should be documented.

However, there's also a cache bug that prevents the remote cluster's token entry from being updated even after the cache time expires. This should be fixed. (Another consequence of the bug is that the cache stops working if the authoritative cluster changes a token without changing its uuid, which isn't common but should be handled correctly.)

#15 Updated by Lucas Di Pentima over 2 years ago

This lgtm. Just a related question:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? Shouldn’t it be just an else clause?

#16 Updated by Tom Clegg over 2 years ago

Lucas Di Pentima wrote:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? Shouldn’t it be just an else clause?

Not quite, if remote_user['is_active'] then we don't want to deactivate the local user -- and if !Rails.config.new_users_are_active then we don't want to activate, either.
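Added example, not part of the thread and not the Arvados source: the three outcomes described in the reply above (deactivate, activate, leave unchanged), compared with two hypothetical two-branch versions to show which input a bare `else` would get wrong. The function names, the boolean-argument modelling and the assumption that an inactive remote account deactivates the local one are illustrative.

```ruby
# Added illustration, not the Arvados source. Assumption: a remote account
# that is not active causes the local mirror to be deactivated.

# Three outcomes described in the reply: deactivate, activate, or no change.
# Returns the resulting local is_active state.
def three_way(local_active, remote_active, new_users_are_active)
  return false unless remote_active      # assumed deactivate case
  return true if new_users_are_active    # remote active, policy allows activation
  local_active                           # remote active, policy off: leave as is
end

# Hypothetical two-branch variants: what a bare `else` would do, depending on
# which action ends up in the catch-all branch.
def else_activates(_local_active, remote_active, _new_users_are_active)
  remote_active                          # any active remote user gets activated
end

def else_deactivates(_local_active, remote_active, new_users_are_active)
  remote_active && new_users_are_active  # everything else gets deactivated
end

# Input combinations [local, remote, new_users_are_active] where the given
# variant disagrees with the three-way rule.
def divergent_cases(variant)
  flags = [true, false]
  flags.product(flags, flags).reject do |args|
    three_way(*args) == send(variant, *args)
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[else_activates else_deactivates].each do |variant|
    divergent_cases(variant).each do |local, remote, policy|
      puts "#{variant}: local=#{local} remote=#{remote} " \
           "new_users_are_active=#{policy} -> #{send(variant, local, remote, policy)} " \
           "(three-way rule keeps #{three_way(local, remote, policy)})"
    end
  end
end
```

Both variants diverge only when the remote account is active and `new_users_are_active` is off: one silently activates an inactive local user, the other deactivates an already active one.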

#17 Updated by Anonymous over 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
