Feature #15531

Updated by Peter Amstutz 9 months ago

Update federation_migrate.py

h2. Migrate to federated

Mass user migration to centralized new federated user uuids.

# Generate a list of all existing users across clusters with --migrate-to flag (this fills in the "home" column for every user)
# Generate deterministic user uuids
# Produce report listing each email address, existing old user uuid, the cluster that the user will be migrated to, and new deterministic uuid
# Admin reviews report
# Report is fed back in
# If no local user exists for a home cluster, create a user with the email address
# Merge each old user to new deterministic uuid on each cluster
# Use existing user merge feature to redirect each old user account (and reassign all their data) to the deterministic user uuid on the home cluster.

Note: the API server needs to allow migrating objects owned by remote users to the clusterwide federated user, and make the old remote user disappear (currently migrating remote accounts is not supported) (this was specifically requested by the customer).

If the deterministic user uuid is based on something other than the email address (or something else in the user record) we won't be able to generate correct ones.
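
A sketch of how the reviewed report from the steps above could be turned into create and merge actions, with ambiguous rows held back for the admin. This is an added example, not code from federation_migrate.py; the CSV column names, the sample uuids and the action tuples are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report: one row per (cluster, account).
# "home" is the cluster the user will be migrated to; empty means not yet chosen.
SAMPLE = """email,user_uuid,cluster,home
alice@example.com,aaaaa-tpzed-000000000000001,aaaaa,aaaaa
alice@example.com,bbbbb-tpzed-000000000000002,bbbbb,aaaaa
bob@example.com,bbbbb-tpzed-000000000000003,bbbbb,ccccc
carol@example.com,aaaaa-tpzed-000000000000004,aaaaa,
"""


def plan_migration(report_csv):
    """Return (actions, needs_review) for a reviewed report (hypothetical format)."""
    by_email = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_csv)):
        by_email[row["email"].strip()].append(row)

    actions, needs_review = [], []
    for email, rows in sorted(by_email.items()):
        homes = {r["home"].strip() for r in rows}
        # Never guess a home cluster: a wrong merge hands over data and access.
        if len(homes) != 1 or "" in homes:
            needs_review.append((email, "missing or conflicting home cluster"))
            continue
        home = homes.pop()
        local = [r["user_uuid"] for r in rows if r["cluster"] == home]
        if len(local) > 1:
            needs_review.append((email, "multiple accounts on home cluster"))
            continue
        if not local:
            # No local user exists on the home cluster: create one first.
            actions.append(("create", email, home))
        # None means "the account produced by the create action above".
        target = local[0] if local else None
        for r in rows:
            if r["cluster"] != home:
                actions.append(("merge", email, r["user_uuid"], home, target))
    return actions, needs_review


if __name__ == "__main__":
    planned, review = plan_migration(SAMPLE)
    for action in planned:
        print(action)
    for email, reason in review:
        print("REVIEW", email, reason)
```
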

h2. User redirect

For the case where a user's email address changes, so that logging in yields a new deterministic uuid.

Add a migration tool option that accepts two email addresses. Generate a deterministic uuid for each email address, then make a merge API call to direct the new user uuid to the existing user on each cluster.

h2. User ownership reassign

For the case where a user leaves the organization and her stuff needs to be given to someone else.

Similar to user redirect, this mode accepts two email addresses. Generate a deterministic uuid for each email address. Make a merge API call to assign ownership of the departing user's stuff to the new user on each cluster.

Note: this also needs API server support: it must permit redirect_to_user_uuid to be nil, in which case ApiClientAuthorization (API tokens) and AuthorizedKey (ssh keys) are not migrated, because the user that left may have lingering credentials and shouldn't gain access to the other account.

h2. Workbench2 ?

User redirect and user reassign could also be implemented as admin tools on Workbench 2.
