Story #6781

[Documentation] Document user shell account creation script

Added by Brett Smith about 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Documentation
Target version:
Start date:
08/13/2015
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
1.0

Description

Our shell servers run a regular cron job to add Unix user accounts for users who have permission to log in to the corresponding Arvados VirtualMachine record. Currently this setup is undocumented and the script does not ship with Arvados.

To fix:
  • Create a gem in services/arvados-login-sync/ containing a bin/arvados-login-sync executable (see http://guides.rubygems.org/make-your-own-gem/#adding-an-executable) that is a small wrapper around some easy-to-test code in lib/arvados/login_sync.rb
  • Add both Gemfile and Gemfile.lock to git because this is an application, not a library.
  • Add tests in test/test_arvados-login_sync.rb -- maybe poor coverage for now, but at least something so the usual "bundle exec rake test" can succeed in jenkins.
  • Add services/arvados-login_sync to run-tests.sh.
  • Add arvados-login-sync to the "build packages" scripts in arvados-dev.
  • Add documentation about installing the resulting deb/rpm package, and configuring it to run in cron, to the shell server installation documentation.
This should leave us with two standard options for installing the sync program:
  • gem install arvados-login_sync
  • apt-get install arvados-login-sync
Configuration:
  • For an initial implementation the login-sync program should get its API token from the usual environment variable. The cron job's command line can set this up either by including a literal token or by loading it from a config file with "read" or "source".

Ideally the deb and rpm packages will install/remove the cron job automatically when installing/removing the package, but this story already includes enough new packaging skills without that.

Refs

Subtasks

Task #6899: Modify sync script to use env vars instead of yamlResolvedTom Clegg

Task #6902: Build and publish deb and rpmResolvedTom Clegg

Task #6900: Build and publish gemResolvedTom Clegg

Task #6901: Add testsResolvedTom Clegg

Task #6985: Add to "shell server" install doc pageResolvedTom Clegg

Task #6897: Review 6781-arvados-login-sync (on arvados-dev and arvados)ResolvedTom Clegg

Associated revisions

Revision 1c4f6b59 (diff)
Added by Ward Vandewege about 4 years ago

Stop building broken debs for our gems. We don't use them and they have
never worked. We can reintroduce a working version later.

refs #6781

Revision feac2242 (diff)
Added by Ward Vandewege almost 4 years ago

Stop building broken debs for our gems. We don't use them and they have
never worked. We can reintroduce a working version later.

refs #6781

Revision feac2242 (diff)
Added by Ward Vandewege almost 4 years ago

Stop building broken debs for our gems. We don't use them and they have
never worked. We can reintroduce a working version later.

refs #6781

Revision bab8ca35
Added by Tom Clegg almost 4 years ago

Merge branch '6781-arvados-login-sync' refs #6781

Revision bab8ca35
Added by Tom Clegg almost 4 years ago

Merge branch '6781-arvados-login-sync' refs #6781

Revision cf2d5c1b
Added by Tom Clegg almost 4 years ago

Merge branch '6781-arvados-login-sync' refs #6781

History

#1 Updated by Brett Smith about 4 years ago

  • Description updated (diff)
  • Category set to Documentation

#2 Updated by Tom Clegg about 4 years ago

  • Description updated (diff)

#3 Updated by Tom Clegg about 4 years ago

  • Description updated (diff)

#4 Updated by Tom Clegg about 4 years ago

  • Description updated (diff)

#5 Updated by Tom Clegg about 4 years ago

  • Assigned To set to Tom Clegg

#6 Updated by Tom Clegg about 4 years ago

  • Status changed from New to In Progress

#7 Updated by Ward Vandewege about 4 years ago

I reviewed both branches and pushed a commit to each of them:

  • arvados: the scope in the doc was wrong (missing /logins at the end)
  • arvados-dev: I removed the code that builds the (broken) debs from our gems

LGTM with those patches added.

#8 Updated by Radhika Chippada about 4 years ago

  • Target version changed from 2015-08-19 sprint to 2015-09-02 sprint

Moving to sprint 2015-09-02 so that Tom can readdress it when he is back from his break. Leaving the story point assignment as is for now.

#9 Updated by Tom Clegg about 4 years ago

Ward Vandewege wrote:

  • arvados: the scope in the doc was wrong (missing /logins at the end)

(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.

  begin
    logins = arv.virtual_machine.get_all_logins(limit: 10000, uuid: vm_uuid)[:items]
  rescue
    logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
  end

(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)

  • arvados-dev: I removed the code that builds the (broken) debs from our gems

+1, thanks.

#10 Updated by Ward Vandewege about 4 years ago

Tom Clegg wrote:

Ward Vandewege wrote:

  • arvados: the scope in the doc was wrong (missing /logins at the end)

(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.

Yeah, I think we can throw out that first statement inside the begin.

I used the doc to set up a new shell node. I tried the token without /logins with the old version of the script (from puppet) and it actually failed. Then I double-checked the token for another node, noticed it had /logins at the end, updated my token, and it worked fine.

I just confirmed that with /logins added, we fall into the 'rescue' section of the code.

(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)

Not for this script I think. We do still have one other script in the puppet repo that uses it.

  • arvados-dev: I removed the code that builds the (broken) debs from our gems

+1, thanks.

Cool.

Thanks,
Ward.

#11 Updated by Tom Clegg almost 4 years ago

  • Status changed from In Progress to Resolved

Also available in: Atom PDF