Arvados

Here's what I think we want to do:

1. extend arvados-login-sync to include creating/installing tokens
2. remove arvados-login-sync from the shell node cron
3. add to API server cron
   1. ssh as root to each shell node (is in authorized_keys)
   2. set a root token in the environment
   3. run arvados-login-sync

In the future, the job of kicking off arvados-login-sync can be done in response to changes in VM permissions instead of from cron.

16803-shell-sync-tokens @ 71c57454fc3adf2d63db8b3cb1d0e8ecdff5c93f

Needs documentation update.

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

developer-run-tests: #2067

• Create tokens
• Update documentation
• Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

Peter Amstutz wrote:

16803-shell-sync-tokens @ 6ed2e2c51fe463bfcf1b484d764af5bf47d416ad

developer-run-tests: #2067

• Create tokens
• Update documentation
• Documentation better covers security implications of single-user vs multi-user shell nodes and what to do about it.

services/login-sync/bin/arvados-login-sync:

• Move

  FileUtils.chown_R(l[:username], nil, userdotconfig)
  File.chmod(0700, userdotconfig)

to the end of the logins.each loop, where all the other chown/chmods are. That way the .config directory will always have the right permissions, even if it already existed, and it also ensures that configarvados and anything under it have the right permissions.

Similarly, it would be better if

File.chmod(0600, tokenfile)

was run every time, not only when the script creates the file.

Otherwise, LGTM, thanks!