Idea #6781

closed

[Documentation] Document user shell account creation script

Added by Brett Smith over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Documentation
Target version:
Story points: 1.0

Description

Our shell servers run a regular cron job to add Unix user accounts for users who have permission to log in to the corresponding Arvados VirtualMachine record. Currently this setup is undocumented and the script does not ship with Arvados.

To fix:
  • Create a gem in services/arvados-login-sync/ containing a bin/arvados-login-sync executable (see http://guides.rubygems.org/make-your-own-gem/#adding-an-executable) that is a small wrapper around some easy-to-test code in lib/arvados/login_sync.rb
  • Add both Gemfile and Gemfile.lock to git because this is an application, not a library.
  • Add tests in test/test_arvados-login_sync.rb -- maybe poor coverage for now, but at least something so the usual "bundle exec rake test" can succeed in Jenkins.
  • Add services/arvados-login_sync to run-tests.sh.
  • Add arvados-login-sync to the "build packages" scripts in arvados-dev.
  • Add documentation about installing the resulting deb/rpm package, and configuring it to run in cron, to the shell server installation documentation.
This should leave us with two standard options for installing the sync program:
  • gem install arvados-login_sync
  • apt-get install arvados-login-sync
Configuration:
  • For an initial implementation the login-sync program should get its API token from the usual environment variable. The cron job's command line can set this up either by including a literal token or by loading it from a config file with "read" or "source".

Ideally the deb and rpm packages will install/remove the cron job automatically when installing/removing the package, but this story already includes enough new packaging skills without that.

Subtasks 6 (0 open, 6 closed)

  • Task #6899: Modify sync script to use env vars instead of yaml (Resolved, Tom Clegg, 08/14/2015)
  • Task #6902: Build and publish deb and rpm (Resolved, Tom Clegg, 08/14/2015)
  • Task #6900: Build and publish gem (Resolved, Tom Clegg, 08/13/2015)
  • Task #6901: Add tests (Resolved, Tom Clegg, 08/13/2015)
  • Task #6985: Add to "shell server" install doc page (Resolved, Tom Clegg, 08/13/2015)
  • Task #6897: Review 6781-arvados-login-sync (on arvados-dev and arvados) (Resolved, Tom Clegg, 08/19/2015)
Actions #1

Updated by Brett Smith over 8 years ago

  • Description updated (diff)
  • Category set to Documentation
Actions #2

Updated by Tom Clegg over 8 years ago

  • Description updated (diff)
Actions #3

Updated by Tom Clegg over 8 years ago

  • Description updated (diff)
Actions #4

Updated by Tom Clegg over 8 years ago

  • Description updated (diff)
Actions #5

Updated by Tom Clegg over 8 years ago

  • Assigned To set to Tom Clegg
Actions #6

Updated by Tom Clegg over 8 years ago

  • Status changed from New to In Progress
Actions #7

Updated by Ward Vandewege over 8 years ago

I reviewed both branches and pushed a commit to each of them:

  • arvados: the scope in the doc was wrong (missing /logins at the end)
  • arvados-dev: I removed the code that builds the (broken) debs from our gems

LGTM with those patches added.

Actions #8

Updated by Radhika Chippada over 8 years ago

  • Target version changed from 2015-08-19 sprint to 2015-09-02 sprint

Moving to sprint 2015-09-02 so that Tom can readdress it when he is back from his break. Leaving the story point assignment as is for now.

Actions #9

Updated by Tom Clegg over 8 years ago

Ward Vandewege wrote:

  • arvados: the scope in the doc was wrong (missing /logins at the end)

(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.

  begin
    logins = arv.virtual_machine.get_all_logins(limit: 10000, uuid: vm_uuid)[:items]
  rescue
    logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
  end

(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)

  • arvados-dev: I removed the code that builds the (broken) debs from our gems

+1, thanks.

Actions #10

Updated by Ward Vandewege over 8 years ago

Tom Clegg wrote:

Ward Vandewege wrote:

  • arvados: the scope in the doc was wrong (missing /logins at the end)

(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.

Yeah, I think we can throw out that first statement inside the begin.

I used the doc to set up a new shell node. I tried the token without /logins with the old version of the script (from puppet) and it actually failed. Then I double-checked the token for another node, noticed it had /logins at the end, updated my token, and it worked fine.

I just confirmed that with /logins added, we fall into the 'rescue' section of the code.

(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)

Not for this script I think. We do still have one other script in the puppet repo that uses it.

  • arvados-dev: I removed the code that builds the (broken) debs from our gems

+1, thanks.

Cool.

Thanks,
Ward.
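
The fallback discussed in comments #9 and #10, as an added example that is not part of the original comments or the project's code. `FakeVM` is a constructed stand-in for the API client that permits a request only when the token's scope list names it exactly (a simplified model); the scope string format, request paths, UUID and login record are assumptions. It compares the quoted begin/rescue pattern with a single `logins` call that reports the missing scope.

```ruby
# Added example, not Arvados code. FakeVM is a constructed stand-in for the API
# client: it permits a request only if the token's scope list names it exactly.
VM_UUID = "zzzzz-2x53u-000000000000000" # constructed placeholder UUID
class ScopeDenied < StandardError; end

# Assumed scope string format for the per-VM logins call.
def logins_scope(uuid)
  "GET /arvados/v1/virtual_machines/#{uuid}/logins"
end

class FakeVM
  attr_reader :denied # refused requests, as the API server's log would show them

  def initialize(scopes)
    @scopes = scopes
    @denied = []
  end

  def get_all_logins(limit:, uuid:)
    request("GET /arvados/v1/virtual_machines/get_all_logins") # assumed path
  end

  def logins(uuid:)
    request(logins_scope(uuid))
  end

  private
  def request(call)
    unless @scopes.include?(call)
      @denied << call
      raise ScopeDenied, "token scope does not permit #{call}"
    end
    { items: [{ username: "alice", hostname: "shell" }] } # constructed record
  end
end

# The pattern quoted in the thread: the bare rescue discards the first error.
def logins_with_fallback(vm, uuid)
  vm.get_all_logins(limit: 10000, uuid: uuid)[:items]
rescue
  vm.logins(uuid: uuid)[:items]
end

# One call that matches the restrictive scope; a denial names the scope to grant.
def logins_scoped(vm, uuid)
  vm.logins(uuid: uuid)[:items]
rescue ScopeDenied => e
  raise ScopeDenied, "#{e.message}; grant #{logins_scope(uuid).inspect}"
end
```

With the `/logins` scope the fallback still returns the logins but leaves one denied request behind on every run; with a token missing `/logins` it leaves two, while the single call leaves one and names the scope to add.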

Actions #11

Updated by Tom Clegg over 8 years ago

  • Status changed from In Progress to Resolved