Arvados

Functional requirements: Once the API server is installed, the administrator should be able to run a script or Rake task that writes out the API token on stdout. This API token must be attached to a trusted API client (i.e., it can manipulate other API tokens), and must be owned by the "root" user (i.e., zzzzz-tpzed-000000000000000).

Ideally if a token already exists that meets these criteria, it returns that, to avoid a proliferation of superuser tokens.

This will simplify deployment of new clusters.

Implementation¶

Extend the existing program ./script/create_superuser_token.rb

• Instead of using api_client_id: 0 when creating a new token, find_or_create an ApiClient with url_prefix=="ssh://root@localhost/" and is_trusted==true
• Instead of creating a new token every time, use find_or_create to reuse an existing unexpired token with the relevant api_client_id, if one exists.

Add tests (might require moving the code into lib/create_superuser_token.rb like we did with #6859)

• Call once → get new token whose api_client has is_trusted==true
• Call twice → get the same token twice, not two new ones
• Call once, expire the returned token, call again → get a new unexpired token

Preserve existing behavior

• If a token is supplied on the command line, and it isn't a valid token, use that string as the new api_token when creating the new ApiClientAuthorization
• If a token is supplied on the command line, and it is a valid token, just print it: don't create a new token, don't create an ApiClient record, don't update the api_client_id of the existing token.