Project

General

Profile

Actions

Story #12705

closed

Documentation/helper scripts for migrating users to federated identity

Added by Peter Amstutz almost 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
01/11/2018
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-

Subtasks 2 (0 open2 closed)

Task #12774: Review 12705-user-migrate-docsResolvedTom Clegg01/11/2018

Actions
Task #12955: Review 12705-token-cacheResolvedTom Clegg01/11/2018

Actions

Related issues

Related to Arvados - Story #12702: Migrate user accountsResolvedTom Clegg01/05/2018

Actions
Related to Arvados - Story #12945: Document and test identity provider migration for user accountsDuplicate

Actions
Blocked by Arvados - Story #11453: Federated user identity which works across a network of Arvados clustersClosedTom Clegg06/20/2017

Actions
Actions #2

Updated by Peter Amstutz almost 5 years ago

  • Blocked by Story #11453: Federated user identity which works across a network of Arvados clusters added
Actions #3

Updated by Tom Morris almost 5 years ago

  • Target version set to 2017-12-20 Sprint
Actions #4

Updated by Peter Amstutz almost 5 years ago

  • Assigned To set to Peter Amstutz
Actions #5

Updated by Peter Amstutz almost 5 years ago

  • Target version changed from 2017-12-20 Sprint to 2018-01-17 Sprint
Actions #6

Updated by Peter Amstutz almost 5 years ago

  • Assigned To deleted (Peter Amstutz)
Actions #7

Updated by Tom Clegg almost 5 years ago

  • Assigned To set to Tom Clegg
Actions #8

Updated by Tom Clegg almost 5 years ago

Actions #9

Updated by Tom Clegg almost 5 years ago

  • Status changed from New to In Progress
Actions #10

Updated by Lucas Di Pentima almost 5 years ago

This LGTM, thanks.

Actions #11

Updated by Tom Clegg almost 5 years ago

  • Related to Story #12945: Document and test identity provider migration for user accounts added
Actions #12

Updated by Anonymous almost 5 years ago

  • Status changed from In Progress to Resolved
Actions #13

Updated by Tom Clegg almost 5 years ago

  • Status changed from Resolved to In Progress

After moving an errant federated account record (added by a user logging in to a remote cluster before their account has been migrated) out of the way, the remote cluster's cached token entry gets moved along with it. When the user visits with the same token, they end up using the account that was supposed to be moved out of the way. The easy workaround is to wait 5 minutes for the cache to expire. This should be documented.

However, there's also a cache bug that prevents the remote cluster's token entry from being updated even after the cache time expires. This should be fixed. (Another consequence of the bug is that the cache stops working if the authoritative cluster changes a token without changing its uuid, which isn't common but should be handled correctly.)

Actions #15

Updated by Lucas Di Pentima almost 5 years ago

This lgtm. Just a related question:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? shouldn’t it be just an else clause?
Actions #16

Updated by Tom Clegg almost 5 years ago

Lucas Di Pentima wrote:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? shouldn’t it be just an else clause?

Not quite, if remote_user['is_active'] then we don't want to deactivate the local user -- and if !Rails.config.new_users_are_active then we don't want to activate, either.

Actions #17

Updated by Anonymous almost 5 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
Actions

Also available in: Atom PDF