Idea #15529
Updated by Peter Amstutz over 5 years ago
https://dev.arvados.org/projects/arvados/wiki/Multi-cluster_user_database

Differences from previous "home cluster" design

* deterministic user uuid based on upstream identifier
* log in anywhere
* use token anywhere

h2. API

When logging in, assign deterministic user uuid with a configured prefix and id based on hash of upstream identifier (email address). Prefix is associated with one of the clusters in the federation. This is the "master" cluster.

Login contacts the master cluster to get authoritative copy of user record (such as to know if the user is active). If there is a redirect, it will return a different user uuid. It should use the user uuid that was returned.

Login cluster issues its own token for the user.

To authenticate the token, contact the cluster that issued the token. It returns the uuid of the user associated with the token. The user uuid may have the federation prefix.

Configuration (see below) specifies that API server will trust other servers in the federation for user uuid responses of federation users (which will have a different prefix from the cluster being contacted.)

h2. Controller

When requesting or updating a user uuid, proxy the request to the master cluster.

When sending a request to a remote cluster, if the remote cluster is trusted, don't salt the token.

h2. Workbench2

When sending a request to a remote cluster, if the remote cluster is trusted, don't salt the token.

h2. Configuration

* Specify how to construct the deterministic user uuid (email address or other field from upstream auth)
* master cluster
* for each other cluster, configure it to accept tokens issued with the master prefix

h2. Migration

Generate a list of all existing users
Generate the deterministic user uuids
Migrate existing user accounts (and all their data) to the deterministic user uuid
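
The deterministic uuid assignment and the federation-prefix trust rule described under API, as an added example that is not Arvados code. SHA-256, the reduction to 15 base36 characters, the strip/downcase normalization, the function names and the cluster ids are assumptions made here; the issue does not specify them.

```ruby
require 'digest'

# Assumptions, not from the issue: SHA-256 as the hash, reduction of the
# digest to 15 base36 characters, strip/downcase normalization.
# "tpzed" is the object-type infix Arvados uses in user uuids.
USER_UUID_RE = /\A([a-z0-9]{5})-tpzed-[a-z0-9]{15}\z/

# Every cluster must normalize identically, or one person gets two uuids.
def normalize_identifier(email)
  email.strip.downcase
end

def deterministic_user_uuid(prefix, email)
  raise ArgumentError, 'bad prefix' unless prefix.match?(/\A[a-z0-9]{5}\z/)
  n = Digest::SHA256.hexdigest(normalize_identifier(email)).to_i(16)
  suffix = (n % 36**15).to_s(36).rjust(15, '0')
  "#{prefix}-tpzed-#{suffix}"
end

# Token validation: the issuing cluster answered with `uuid`. Accept it when
# the prefix is the issuer's own, or when it is the master (federation)
# prefix and the issuer is configured as trusted for federation users.
def accept_user_uuid?(uuid, issuer:, master_prefix:, trusted:)
  m = USER_UUID_RE.match(uuid)
  return false unless m
  return true if m[1] == issuer
  m[1] == master_prefix && trusted.include?(issuer)
end

# Constructed sample values.
MASTER = 'zzzzz'
TRUSTED = %w[aaaaa].freeze

if __FILE__ == $PROGRAM_NAME
  u = deterministic_user_uuid(MASTER, ' Alice@Example.com ')
  puts u
  puts accept_user_uuid?(u, issuer: 'aaaaa', master_prefix: MASTER, trusted: TRUSTED)
  puts accept_user_uuid?(u, issuer: 'bbbbb', master_prefix: MASTER, trusted: TRUSTED)
end
```

A master-prefix uuid is rejected when it comes from a cluster that is not on the trusted list, which is the case the Configuration section has to cover for every other cluster in the federation.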