Feature #16803

script to push arvados tokens to shell node accounts

Added by Peter Amstutz about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 09/03/2020
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto


Subtasks

Task #16804: Review 16803-shell-sync-tokens (Resolved, Ward Vandewege)

Associated revisions

Revision a5b73a1a
Added by Peter Amstutz about 1 year ago

Merge branch '16803-shell-sync-tokens' refs #16803

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <>

Revision 783a4b64 (diff)
Added by Ward Vandewege 5 months ago

Remove leftover dead link from the ToC in the 'Set up a shell node'
page.

refs #16803

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <>

Revision af9a350d (diff)
Added by Ward Vandewege 5 months ago

Remove leftover dead link from the ToC in the 'Set up a shell node'
page.

refs #16803

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <>

History

#1 Updated by Peter Amstutz about 1 year ago

  • Tracker changed from Bug to Feature

#3 Updated by Peter Amstutz about 1 year ago

Here's what I think we want to do:

  1. extend arvados-login-sync to include creating/installing tokens
  2. remove arvados-login-sync from the shell node cron
  3. add to API server cron
    1. ssh as root to each shell node (is in authorized_keys)
    2. set a root token in the environment
    3. run arvados-login-sync

In the future, the job of kicking off arvados-login-sync can be done in response to changes in VM permissions instead of from cron.

#4 Updated by Peter Amstutz about 1 year ago

  • Assigned To set to Peter Amstutz

#5 Updated by Peter Amstutz about 1 year ago

16803-shell-sync-tokens @ 71c57454fc3adf2d63db8b3cb1d0e8ecdff5c93f

Needs documentation update.

#6 Updated by Peter Amstutz about 1 year ago

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

https://ci.arvados.org/view/Developer/job/developer-run-tests/2067/

  • Create tokens
  • Update documentation
  • Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

#7 Updated by Ward Vandewege about 1 year ago

Peter Amstutz wrote:

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

https://ci.arvados.org/view/Developer/job/developer-run-tests/2067/

  • Create tokens
  • Update documentation
  • Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

services/login-sync/bin/arvados-login-sync:

  • Move

    FileUtils.chown_R(l[:username], nil, userdotconfig)
    File.chmod(0700, userdotconfig)

to the end of the logins.each loop, where all the other chown/chmods are. That way the .config directory will always have the right permissions, even if it already existed, and it also ensures that configarvados and anything under it have the right permissions.

Similarly, it would be better if

    File.chmod(0600, tokenfile)

was run every time, not only when the script creates the file.

Otherwise, LGTM, thanks!
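The permission handling requested in the review above, as an added example that is not part of the original thread and is not code from arvados-login-sync: the modes are enforced unconditionally after all writes, so a `.config` directory or token file that already existed with loose permissions is repaired. The helpers `install_token`, `mode_of` and `demo`, the file name `settings.conf` and the `ARVADOS_API_TOKEN=` line are assumptions; the variable names follow the review.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical helper (not from arvados-login-sync): install a token file
# under <home>/.config/arvados and enforce permissions on every run.
def install_token(home, token, owner: nil)
  userdotconfig = File.join(home, ".config")
  configarvados = File.join(userdotconfig, "arvados")
  tokenfile     = File.join(configarvados, "settings.conf") # assumed file name

  FileUtils.mkdir_p(configarvados)

  # Create the file with a restrictive mode from the start so the secret is
  # never briefly world-readable; an existing file's content is left untouched.
  unless File.exist?(tokenfile)
    File.open(tokenfile, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write("ARVADOS_API_TOKEN=#{token}\n")
    end
  end

  # Run ownership and mode fixes every time, at the end, not only on creation.
  # chown_R needs root, so it is skipped unless an owner is given.
  FileUtils.chown_R(owner, nil, userdotconfig) if owner
  File.chmod(0700, userdotconfig)
  File.chmod(0600, tokenfile)
  tokenfile
end

def mode_of(path)
  File.stat(path).mode & 0777
end

# Constructed scenario: .config and the token file already exist with loose
# modes (0755 / 0644) before the sync runs.
def demo
  Dir.mktmpdir do |home|
    dir = File.join(home, ".config", "arvados")
    FileUtils.mkdir_p(dir)
    File.chmod(0755, File.join(home, ".config"))
    File.write(File.join(dir, "settings.conf"), "ARVADOS_API_TOKEN=constructed-sample\n")
    File.chmod(0644, File.join(dir, "settings.conf"))
    tokenfile = install_token(home, "unused-because-file-exists")
    [mode_of(File.join(home, ".config")), mode_of(tokenfile), File.read(tokenfile)]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```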

#8 Updated by Peter Amstutz about 1 year ago

  • Status changed from New to Resolved

#9 Updated by Peter Amstutz about 1 year ago

  • Release set to 25
