Feature #12626

closed

[API] Merge user accounts (redirect=true case)

Added by Peter Amstutz about 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 05/03/2018
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: 3.0
Release:
Release relationship: Auto

Description

New API endpoint: POST /arvados/v1/users/merge
  • Authorization header has valid API token for the "old" account
  • new_user_token (post form param in request body) has valid API token for the "new" account
  • new_owner_uuid (post form param in request body) has either new user's UUID, or a group UUID writable by the new user
  • redirect_to_new_user=true (optional)
Security checks
  • Current token ("old account") has scopes=["all"]
  • new_user_token ("new account") has scopes=["all"]
  • API logs show the UUID of the corresponding api_client_auth record instead of merge_into_token
Actions
  • Move all records (groups, links, collections, jobs, pipelines, container requests, etc) owned by the old user into new_owner_uuid (this is typically a new empty project or a new user who doesn't own anything, so name conflicts would be a surprise/error)
  • Update links set tail_uuid=new_user_uuid where tail_uuid=old_user_uuid
Additional actions if redirect_to_new_user=true
  • Set old user's redirect_to_user_uuid field to the new user's UUID
  • Move old user's SSH keys to the new user
  • Ensure API tokens associated with old user will give access to the new account.
  • Update links with head_uuid = old user to point to new user
...if redirect_to_new_user=false
  • Leave old user's redirect_to_user_uuid field alone
  • Delete old user's SSH keys
  • Leave old user's API tokens alone
  • Leave links with head_uuid = old user alone.

This is all done in a transaction: if anything fails, the entire operation is cancelled.

Implementation
  • New column (users.redirect_to_user_uuid) is needed.
  • #12995 and #12703 are blocked only by the redirect_to_new_user=true case.
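
The following is an added example, not code from the Arvados API server: an in-memory Ruby model of the security checks and record moves in the description above. The state layout, MergeError, merge_users and effective_user are hypothetical names, the sample data is constructed, and resolving an old token by following redirect_to_user_uuid is an assumption about how the redirect gives old tokens access to the new account.

```ruby
# Added example: in-memory model of the merge rules in this ticket.
# MergeError, merge_users, effective_user and the state layout are hypothetical.
class MergeError < StandardError; end

def merge_users(state, old_token:, new_user_token:, new_owner_uuid:, redirect: false)
  old_auth = state[:tokens][old_token] or raise MergeError, "invalid old token"
  new_auth = state[:tokens][new_user_token] or raise MergeError, "invalid new_user_token"
  # Security checks: both tokens must carry scopes=["all"].
  unless [old_auth, new_auth].all? { |a| a[:scopes] == ["all"] }
    raise MergeError, "both tokens need scopes=[\"all\"]"
  end
  old_uuid, new_uuid = old_auth[:user_uuid], new_auth[:user_uuid]
  writable = state[:writable_groups].fetch(new_uuid, [])
  unless new_owner_uuid == new_uuid || writable.include?(new_owner_uuid)
    raise MergeError, "new_owner_uuid is not writable by the new user"
  end
  s = Marshal.load(Marshal.dump(state)) # mutate a deep copy: all-or-nothing
  s[:records].each { |r| r[:owner_uuid] = new_owner_uuid if r[:owner_uuid] == old_uuid }
  s[:links].each { |l| l[:tail_uuid] = new_uuid if l[:tail_uuid] == old_uuid }
  if redirect
    s[:users][old_uuid][:redirect_to_user_uuid] = new_uuid
    s[:ssh_keys].each { |k| k[:owner_uuid] = new_uuid if k[:owner_uuid] == old_uuid }
    s[:links].each { |l| l[:head_uuid] = new_uuid if l[:head_uuid] == old_uuid }
  else
    s[:ssh_keys].reject! { |k| k[:owner_uuid] == old_uuid }
  end
  s
end

# Which account a token acts as after the merge (assumed: follow the redirect).
def effective_user(state, token)
  uuid = state[:tokens].fetch(token)[:user_uuid]
  state[:users][uuid][:redirect_to_user_uuid] || uuid
end

# Constructed sample state; UUIDs, tokens and the limited scope are made up.
STATE = {
  users: { "u-old" => { redirect_to_user_uuid: nil }, "u-new" => { redirect_to_user_uuid: nil } },
  tokens: {
    "tok-old" => { user_uuid: "u-old", scopes: ["all"] },
    "tok-new" => { user_uuid: "u-new", scopes: ["all"] },
    "tok-limited" => { user_uuid: "u-new", scopes: ["GET /arvados/v1/users/current"] },
  },
  writable_groups: { "u-new" => ["g-proj"] },
  records: [{ uuid: "c-1", owner_uuid: "u-old" }],
  links: [{ tail_uuid: "u-old", head_uuid: "g-x" }, { tail_uuid: "u-admin", head_uuid: "u-old" }],
  ssh_keys: [{ uuid: "k-1", owner_uuid: "u-old" }],
}
```

A request made with tok-limited or with a new_owner_uuid outside the new user's writable groups raises MergeError before any record is touched, and the caller's state is never modified in place.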

Subtasks: 1 (0 open, 1 closed)

  • Task #13397: Review 12626-merge-accounts (Resolved, Peter Amstutz, 05/03/2018)

Related issues: 5 (0 open, 5 closed)

  • Related to Arvados - Feature #4637: [SSO] Use "authentications" table and support account linking (Rejected, Peter Amstutz, 11/06/2017)
  • Related to Arvados - Story #12702: Migrate user accounts (Resolved, Tom Clegg, 01/05/2018)
  • Related to Arvados - Bug #13368: [API] Add "authorizations" table (Closed)
  • Blocks Arvados - Story #12703: [Workbench] Self serve account merge (Resolved)
  • Blocks Arvados - Story #12995: [Workbench] Allow user to add a new Google account to their Arvados account (Resolved, Peter Amstutz, 05/17/2018)
