Feature #11153

Updated by Tom Clegg about 4 years ago

h3. Background

Currently the install guide relies on the @script/create_superuser_token.rb@ program in the apiserver package to generate superuser tokens for services like keep-balance and crunch-dispatch-slurm.

This program has some shortcomings:
* There is no way to specify scopes to limit token powers. Both keep-balance and crunch-dispatch-slurm should be using scoped tokens (e.g., they shouldn't be able to delete collections or create users).
* There is no way to attach a comment to a token, e.g., to note its intended use.

h3. Proposed solution

Add a @comment@ text column to the api_client_authorizations table and ApiClientAuthorization API responses.

Create a new script @script/create_token.rb@ that takes these options:
* @--user=zzzzz-tpzed-000000000000000@ to specify uuid of target user (default = root)
* @--role=keep-balance@ to set scopes suitable for keep-balance (see "data manager token" example in source:services/api/test/fixtures/api_client_authorizations.yml)
* @--role=crunch-dispatch@ to set scopes suitable for crunch-dispatch (details TBD?)
* @--comment="unparsed text"@ to set comment
* @--reuse@ to reuse an existing unexpired token with the specified user/scopes/comment, if one exists (if not, create a new one)
* @--token=string@ to specify the new token (if the given token already exists, confirm that it matches the specified scopes/comment/user)
* (future?) @--expires-at=timestamp@ to set expiry time

The existing @script/create_superuser_token.rb@ program should continue to work, using the new generic code under the hood (in other words, it follows the same code path as @script/create_token.rb --reuse [--token=X]@).

Update install docs accordingly.
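
The @--reuse@ and @--token@ behaviour proposed above, as an added Ruby example (not code from the Arvados source). The names @ROLE_SCOPES@, @Token@, @TokenMismatch@ and @create_token@, the in-memory store standing in for api_client_authorizations, and the scope strings are all hypothetical or constructed placeholders.

```ruby
require 'securerandom'

ROOT_UUID = 'zzzzz-tpzed-000000000000000' # example uuid from the option list above
# Constructed placeholder scopes; the real per-role lists are not given on this page.
ROLE_SCOPES = {
  nil            => ['all'],                        # assumption: no role = unscoped
  'keep-balance' => ['GET /placeholder/read-only/'] # constructed, not the real scopes
}.freeze

class TokenMismatch < StandardError; end

# Hypothetical in-memory stand-in for a row of api_client_authorizations.
Token = Struct.new(:api_token, :user_uuid, :scopes, :comment, :expires_at) do
  def expired?(now)
    !expires_at.nil? && expires_at <= now
  end

  def matches?(user, wanted_scopes, wanted_comment)
    user_uuid == user && scopes.sort == wanted_scopes.sort && comment == wanted_comment
  end
end

# store is an Array of Token standing in for the database table.
def create_token(store, user: ROOT_UUID, role: nil, comment: nil,
                 reuse: false, token: nil, now: Time.now)
  scopes = ROLE_SCOPES.fetch(role) { raise ArgumentError, "unknown role #{role.inspect}" }
  if token
    existing = store.find { |t| t.api_token == token }
    if existing
      # --token names an existing row: never re-scope it silently, fail instead.
      return existing if existing.matches?(user, scopes, comment)
      raise TokenMismatch, 'token exists with different user/scopes/comment'
    end
  elsif reuse
    # --reuse: only an unexpired token with identical user/scopes/comment qualifies.
    existing = store.find { |t| !t.expired?(now) && t.matches?(user, scopes, comment) }
    return existing if existing
  end
  fresh = Token.new(token || SecureRandom.alphanumeric(50), user, scopes, comment, nil)
  store << fresh
  fresh
end

if __FILE__ == $PROGRAM_NAME
  store = []
  first = create_token(store, role: 'keep-balance', comment: 'keep-balance on host A', reuse: true)
  again = create_token(store, role: 'keep-balance', comment: 'keep-balance on host A', reuse: true)
  puts "reused: #{first.equal?(again)}, rows: #{store.size}"
end
```

Raising on a mismatch, rather than updating the existing row, keeps a rerun of the installer from widening the scopes of a token that is already deployed.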