Feature #16803

closed

script to push arvados tokens to shell node accounts

Added by Peter Amstutz over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Story points: -
Release relationship: Auto

Subtasks: 1 (0 open, 1 closed)

Task #16804: Review 16803-shell-sync-tokens | Resolved | Ward Vandewege | 09/03/2020

#1

Updated by Peter Amstutz over 3 years ago

  • Tracker changed from Bug to Feature

#3

Updated by Peter Amstutz over 3 years ago

Here's what I think we want to do:

  1. extend arvados-login-sync to include creating/installing tokens
  2. remove arvados-login-sync from the shell node cron
  3. add to API server cron
    1. ssh as root to each shell node (is in authorized_keys)
    2. set a root token in the environment
    3. run arvados-login-sync

In the future, the job of kicking off arvados-login-sync can be done in response to changes in VM permissions instead of from cron.

#4

Updated by Peter Amstutz over 3 years ago

  • Assigned To set to Peter Amstutz

#5

Updated by Peter Amstutz over 3 years ago

16803-shell-sync-tokens @ 71c57454fc3adf2d63db8b3cb1d0e8ecdff5c93f

Needs documentation update.

#6

Updated by Peter Amstutz over 3 years ago

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

developer-run-tests: #2067

  • Create tokens
  • Update documentation
  • Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

#7

Updated by Ward Vandewege over 3 years ago

Peter Amstutz wrote:

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

developer-run-tests: #2067

  • Create tokens
  • Update documentation
  • Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

services/login-sync/bin/arvados-login-sync:

  • Move

    FileUtils.chown_R(l[:username], nil, userdotconfig)
    File.chmod(0700, userdotconfig)

to the end of the logins.each loop, where all the other chown/chmods are. That way the .config directory will always have the right permissions, even if it already existed, and it also ensures that configarvados and anything under it have the right permissions.

Similarly, it would be better if

    File.chmod(0600, tokenfile)

was run every time, not only when the script creates the file.

Otherwise, LGTM, thanks!
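
The permission handling suggested in the review above, as an added Ruby example that is not code from arvados-login-sync: modes are enforced on every run, after any file creation, so a pre-existing `.config` directory or token file with lax permissions is corrected. The variable names follow the review comment; `install_token`, `mode_of`, `demo`, the `settings.conf` file name and contents, and the host and token values are assumptions.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not from arvados-login-sync): installs a token file.
# chown is omitted because it needs root; the reviewed script also chowns to the user.
def install_token(homedir, api_host, token)
  userdotconfig = File.join(homedir, ".config")
  configarvados = File.join(userdotconfig, "arvados")
  tokenfile = File.join(configarvados, "settings.conf") # assumed file name
  FileUtils.mkdir_p(configarvados)
  created = false
  unless File.exist?(tokenfile)
    # Create with 0600 from the start so a permissive umask never exposes the token.
    File.open(tokenfile, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write("ARVADOS_API_HOST=#{api_host}\nARVADOS_API_TOKEN=#{token}\n")
    end
    created = true
  end
  # Enforce modes unconditionally, at the end, so anything that already
  # existed with lax permissions is tightened on this run.
  File.chmod(0700, userdotconfig)
  File.chmod(0700, configarvados)
  File.chmod(0600, tokenfile)
  created
end

def mode_of(path)
  File.stat(path).mode & 0777
end

# Constructed scenario: .config and the token file pre-exist with lax modes.
def demo
  Dir.mktmpdir do |home|
    dir = File.join(home, ".config", "arvados")
    FileUtils.mkdir_p(dir)
    File.chmod(0755, File.join(home, ".config"))
    tokenfile = File.join(dir, "settings.conf")
    File.write(tokenfile, "ARVADOS_API_TOKEN=placeholder\n")
    File.chmod(0644, tokenfile)
    created = install_token(home, "zzzzz.example.com", "placeholder-token")
    [created, mode_of(File.join(home, ".config")), mode_of(dir), mode_of(tokenfile)]
  end
end

p demo if __FILE__ == $0
```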

#8

Updated by Peter Amstutz over 3 years ago

  • Status changed from New to Resolved

#9

Updated by Peter Amstutz over 3 years ago

  • Release set to 25