Idea #7534

Updated by Brett Smith over 8 years ago

Functional requirements: Once the API server is installed, the administrator should be able to run a script or Rake task that writes out the API token on stdout. This API token must be attached to a trusted API client (i.e., it can manipulate other API tokens), and must be owned by the "root" user (i.e., zzzzz-tpzed-000000000000000).

 Ideally, if a token already exists that meets these criteria, the script returns that token instead of creating a new one, to avoid a proliferation of superuser tokens.

 This will simplify deployment of new clusters. 

 h2. Implementation 

 Extend the existing program @./script/create_superuser_token.rb@ 
 * Instead of using @api_client_id: 0@ when creating a new token, find_or_create an ApiClient with @url_prefix=="ssh://root@localhost/"@ and @is_trusted==true@ 
 * Instead of creating a new token every time, use find_or_create to reuse an existing unexpired token with the relevant @api_client_id@, if one exists. 

 Add tests (might require moving the code into @lib/create_superuser_token.rb@ like we did with #6859) 
 * Call once → get new token whose api_client has @is_trusted==true@ 
 * Call twice → get the same token twice, not two new ones 
 * Call once, expire the returned token, call again → get a new unexpired token 

 Preserve existing behavior 
 * If a token is supplied on the command line, and it _isn't_ a valid token, use that string as the new api_token when creating the new ApiClientAuthorization 
 * If a token is supplied on the command line, and it _is_ a valid token, just print it: don't create a new token, don't create an ApiClient record, don't update the @api_client_id@ of the existing token. 
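
 The lookup order described above, as an added example that is not the project's script: plain Ruby structs stand in for the ApiClient and ApiClientAuthorization records. The names @TokenStore@ and @superuser_token@, and the reading of "valid" as "matches an existing unexpired authorization", are assumptions.

```ruby
require 'securerandom'

# In-memory stand-ins for the API server's records (assumption: the real
# script works on the ActiveRecord models of the same names).
ApiClient = Struct.new(:id, :url_prefix, :is_trusted)
ApiClientAuthorization = Struct.new(:api_token, :user_uuid, :api_client_id, :expires_at) do
  def unexpired?(now)
    expires_at.nil? || expires_at > now
  end
end

# Hypothetical container holding both tables.
class TokenStore
  ROOT_UUID  = 'zzzzz-tpzed-000000000000000' # "root" user uuid from the requirements
  URL_PREFIX = 'ssh://root@localhost/'
  attr_reader :clients, :auths

  def initialize
    @clients = []
    @auths = []
  end

  # Returns a superuser token string; `supplied` models the command-line argument.
  def superuser_token(supplied = nil, now: Time.now)
    if supplied
      # Assumption: "valid" means an existing, unexpired authorization.
      existing = @auths.find { |a| a.api_token == supplied && a.unexpired?(now) }
      # Valid supplied token: just return it, create or update nothing.
      return existing.api_token if existing
    end
    # find_or_create the trusted client instead of using api_client_id 0.
    client = @clients.find { |c| c.url_prefix == URL_PREFIX && c.is_trusted }
    unless client
      client = ApiClient.new(@clients.size + 1, URL_PREFIX, true)
      @clients << client
    end
    unless supplied
      # Reuse an unexpired root-owned token for this client if one exists.
      reusable = @auths.find do |a|
        a.user_uuid == ROOT_UUID && a.api_client_id == client.id && a.unexpired?(now)
      end
      return reusable.api_token if reusable
    end
    # Otherwise create one; a supplied, not-yet-valid string becomes the api_token.
    auth = ApiClientAuthorization.new(supplied || SecureRandom.hex(32), ROOT_UUID, client.id, nil)
    @auths << auth
    auth.api_token
  end
end
```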