Idea #12705

closed

Documentation/helper scripts for migrating users to federated identity

Added by Peter Amstutz over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Story points: -

Subtasks 2 (0 open, 2 closed)

Task #12774: Review 12705-user-migrate-docs (Resolved, Tom Clegg, 01/11/2018)
Task #12955: Review 12705-token-cache (Resolved, Tom Clegg, 01/11/2018)

Related issues

Related to Arvados - Idea #12702: Migrate user accounts (Resolved, Tom Clegg, 01/05/2018)
Related to Arvados - Idea #12945: Document and test identity provider migration for user accounts (Duplicate)
Blocked by Arvados - Idea #11453: Federated user identity which works across a network of Arvados clusters (Closed, Tom Clegg, 06/20/2017)

#2

Updated by Peter Amstutz over 6 years ago

  • Blocked by Idea #11453: Federated user identity which works across a network of Arvados clusters added

#3

Updated by Tom Morris over 6 years ago

  • Target version set to 2017-12-20 Sprint

#4

Updated by Peter Amstutz over 6 years ago

  • Assigned To set to Peter Amstutz

#5

Updated by Peter Amstutz over 6 years ago

  • Target version changed from 2017-12-20 Sprint to 2018-01-17 Sprint

#6

Updated by Peter Amstutz over 6 years ago

  • Assigned To deleted (Peter Amstutz)

#7

Updated by Tom Clegg over 6 years ago

  • Assigned To set to Tom Clegg

#8

Updated by Tom Clegg over 6 years ago

#9

Updated by Tom Clegg over 6 years ago

  • Status changed from New to In Progress

#10

Updated by Lucas Di Pentima over 6 years ago

This LGTM, thanks.

#11

Updated by Tom Clegg over 6 years ago

  • Related to Idea #12945: Document and test identity provider migration for user accounts added

#12

Updated by Anonymous over 6 years ago

  • Status changed from In Progress to Resolved

#13

Updated by Tom Clegg over 6 years ago

  • Status changed from Resolved to In Progress

After moving an errant federated account record (added by a user logging in to a remote cluster before their account has been migrated) out of the way, the remote cluster's cached token entry gets moved along with it. When the user visits with the same token, they end up using the account that was supposed to be moved out of the way. The easy workaround is to wait 5 minutes for the cache to expire. This should be documented.

However, there's also a cache bug that prevents the remote cluster's token entry from being updated even after the cache time expires. This should be fixed. (Another consequence of the bug is that the cache stops working if the authoritative cluster changes a token without changing its uuid, which isn't common but should be handled correctly.)
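
Added example, not part of the original comment and not Arvados code: a simplified model of a remote-token cache keyed by token uuid that avoids both failure modes described above, by replacing the whole entry on expiry and by revalidating when the presented secret differs from the cached one. The class, field and token names and the sample data are hypothetical.

```ruby
require "digest"

# Added illustration; class, field and token names are hypothetical, not Arvados code.
CACHE_TTL = 300 # seconds: the 5-minute expiry mentioned in the comment above
Entry = Struct.new(:secret_digest, :user_uuid, :expires_at)

class RemoteTokenCache
  attr_reader :upstream_calls

  # authority: callable (uuid, secret) -> user uuid or nil, standing in for the
  # validation request sent to the cluster that issued the token.
  def initialize(authority, clock)
    @authority, @clock, @entries, @upstream_calls = authority, clock, {}, 0
  end

  def lookup(uuid, secret)
    digest = Digest::SHA256.hexdigest(secret)
    entry, now = @entries[uuid], @clock.call
    # Serve from cache only while the entry is fresh AND matches this secret.
    return entry.user_uuid if entry && entry.expires_at > now && entry.secret_digest == digest

    @upstream_calls += 1
    user_uuid = @authority.call(uuid, secret)
    if user_uuid.nil?
      # Evict only if the cached secret itself was rejected (revoked or changed).
      @entries.delete(uuid) if entry && entry.secret_digest == digest
      return nil
    end
    # Overwrite in place: secret, user binding and expiry are refreshed together.
    @entries[uuid] = Entry.new(digest, user_uuid, now + CACHE_TTL)
    user_uuid
  end
end

def demo
  now = 0
  tokens = { "tok-1" => ["secret-a", "user-errant"] } # constructed sample data
  authority = ->(uuid, secret) { t = tokens[uuid]; t && t[0] == secret ? t[1] : nil }
  cache = RemoteTokenCache.new(authority, -> { now })
  seen = [cache.lookup("tok-1", "secret-a")]       # miss, validated upstream
  tokens["tok-1"] = ["secret-a", "user-migrated"]  # binding changes upstream
  seen << cache.lookup("tok-1", "secret-a")        # stale hit inside the TTL
  now += CACHE_TTL + 1
  seen << cache.lookup("tok-1", "secret-a")        # expired: entry is replaced
  tokens["tok-1"] = ["secret-b", "user-migrated"]  # same uuid, new secret
  seen << cache.lookup("tok-1", "secret-b")        # mismatch forces revalidation
  seen << cache.lookup("tok-1", "secret-a")        # old secret is rejected
  seen << cache.lookup("tok-1", "secret-b")        # served from cache again
  [seen, cache.upstream_calls]
end
```

The second lookup in `demo` is the stale window that waiting out the cache time works around; the third shows the entry being replaced once that time has passed.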

#15

Updated by Lucas Di Pentima over 6 years ago

This lgtm. Just a related question:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? Shouldn’t it be just an else clause?

#16

Updated by Tom Clegg over 6 years ago

Lucas Di Pentima wrote:

  • File services/api/app/models/api_client_authorization.rb
    • Line 167: Isn’t that elsif superfluous? Shouldn’t it be just an else clause?

Not quite, if remote_user['is_active'] then we don't want to deactivate the local user -- and if !Rails.config.new_users_are_active then we don't want to activate, either.

#17

Updated by Anonymous over 6 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100