Idea #6781
closed
[Documentation] Document user shell account creation script
Added by Brett Smith over 9 years ago.
Updated over 9 years ago.
Description
Our shell servers run a regular cron job to add Unix user accounts for users who have permission to log in to the corresponding Arvados VirtualMachine record. Currently this setup is undocumented and the script does not ship with Arvados.
To fix:
- Create a gem in services/arvados-login-sync/ containing a bin/arvados-login-sync executable (see http://guides.rubygems.org/make-your-own-gem/#adding-an-executable) that is a small wrapper around some easy-to-test code in lib/arvados/login_sync.rb
- Add both Gemfile and Gemfile.lock to git because this is an application, not a library.
- Add tests in test/test_arvados-login_sync.rb -- maybe poor coverage for now, but at least something so the usual "bundle exec rake test" can succeed in jenkins.
- Add services/arvados-login_sync to run-tests.sh.
- Add arvados-login-sync to the "build packages" scripts in arvados-dev.
- Add documentation about installing the resulting deb/rpm package, and configuring it to run in cron, to the shell server installation documentation.
This should leave us with two standard options for installing the sync program:
- gem install arvados-login_sync
- apt-get install arvados-login-sync
Configuration:
- For an initial implementation the login-sync program should get its API token from the usual environment variable. The cron job's command line can set this up either by including a literal token or by loading it from a config file with "read" or "source".
Ideally the deb and rpm packages will install/remove the cron job automatically when installing/removing the package, but this story already includes enough new packaging skills without that.
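The configuration note above lets the cron command line load the token from a config file with "read". As an added example (not part of this issue or of the Arvados packages), the wrapper below does that and refuses a token file that group or others can access. The token file path, the "run" argument and the function names are assumptions; ARVADOS_API_TOKEN is the Arvados client environment variable, and the stat call assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: wrapper a cron entry could call instead of carrying a literal token.
# TOKEN_FILE and the function names are assumptions, not Arvados conventions.
TOKEN_FILE="${TOKEN_FILE:-/etc/arvados/login-sync.token}"

# Succeeds only for a regular, non-symlink file with no group/other permission bits.
token_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat: octal mode, e.g. 600
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reads the first line of the token file with "read" and exports it.
load_token() {
    token_file_is_private "$1" || {
        echo "refusing $1: missing, or accessible by group/others" >&2
        return 1
    }
    # Accept a file without a trailing newline as long as a value was read.
    IFS= read -r token < "$1" || [ -n "$token" ] || {
        echo "empty token in $1" >&2
        return 1
    }
    [ -n "$token" ] || { echo "empty token in $1" >&2; return 1; }
    ARVADOS_API_TOKEN=$token
    export ARVADOS_API_TOKEN
    unset token
}

# Cron would call this script with "run"; without it the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    load_token "$TOKEN_FILE" || exit 1
    exec arvados-login-sync
fi
```

Loading the token this way keeps it out of the crontab entry and out of the command line of the cron job.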
Refs
- Description updated (diff)
- Category set to Documentation
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
I reviewed both branches and pushed a commit to each of them:
- arvados: the scope in the doc was wrong (missing /logins at the end)
- arvados-dev: I removed the code that builds the (broken) debs from our gems
LGTM with those patches added.
- Target version changed from 2015-08-19 sprint to 2015-09-02 sprint
Moving to sprint 2015-09-02 so that Tom can readdress it when he is back from his break. Leaving the story point assignment as is for now.
Ward Vandewege wrote:
- arvados: the scope in the doc was wrong (missing /logins at the end)
(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.
    begin
      logins = arv.virtual_machine.get_all_logins(limit: 10000, uuid: vm_uuid)[:items]
    rescue
      logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
    end
(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)
- arvados-dev: I removed the code that builds the (broken) debs from our gems
+1, thanks.
Tom Clegg wrote:
Ward Vandewege wrote:
- arvados: the scope in the doc was wrong (missing /logins at the end)
(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.
Yeah, I think we can throw out that first statement inside the begin.
I used the doc to set up a new shell node. I tried the token without /logins with the old version of the script (from puppet) and it actually failed. Then I double-checked the token for another node, noticed it had /logins at the end, updated my token, and it worked fine.
I just confirmed that with /logins added, we fall into the 'rescue' section of the code.
(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)
Not for this script I think. We do still have one other script in the puppet repo that uses it.
- arvados-dev: I removed the code that builds the (broken) debs from our gems
+1, thanks.
Cool.
Thanks,
Ward.
- Status changed from In Progress to Resolved