Story #6781
Closed
[Documentation] Document user shell account creation script
100%
Description
Our shell servers run a regular cron job to add Unix user accounts for users who have permission to log in to the corresponding Arvados VirtualMachine record. Currently this setup is undocumented and the script does not ship with Arvados.
To fix:
- Create a gem in services/arvados-login-sync/ containing a bin/arvados-login-sync executable (see http://guides.rubygems.org/make-your-own-gem/#adding-an-executable) that is a small wrapper around some easy-to-test code in lib/arvados/login_sync.rb
- Add both Gemfile and Gemfile.lock to git because this is an application, not a library.
- Add tests in test/test_arvados-login_sync.rb -- maybe poor coverage for now, but at least something so the usual "bundle exec rake test" can succeed in jenkins.
- Add services/arvados-login_sync to run-tests.sh.
- Add arvados-login-sync to the "build packages" scripts in arvados-dev.
- Add documentation about installing the resulting deb/rpm package, and configuring it to run in cron, to the shell server installation documentation.
  - gem install arvados-login_sync
  - apt-get install arvados-login-sync
- For an initial implementation the login-sync program should get its API token from the usual environment variable. The cron job's command line can set this up either by including a literal token or by loading it from a config file with "read" or "source".
Ideally the deb and rpm packages will install/remove the cron job automatically when installing/removing the package, but this story already includes enough new packaging skills without that.
Updated by Brett Smith over 9 years ago
- Description updated (diff)
- Category set to Documentation
Updated by Ward Vandewege over 9 years ago
I reviewed both branches and pushed a commit to each of them:
- arvados: the scope in the doc was wrong (missing /logins at the end)
- arvados-dev: I removed the code that builds the (broken) debs from our gems
LGTM with those patches added.
Updated by Radhika Chippada over 9 years ago
- Target version changed from 2015-08-19 sprint to 2015-09-02 sprint
Moving to sprint 2015-09-02 so that Tom can readdress it when he is back from his break. Leaving the story point assignment as is for now.
Updated by Tom Clegg over 9 years ago
Ward Vandewege wrote:
> - arvados: the scope in the doc was wrong (missing /logins at the end)
(By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.
    begin
      logins = arv.virtual_machine.get_all_logins(limit: 10000, uuid: vm_uuid)[:items]
    rescue
      logins = arv.virtual_machine.logins(:uuid => vm_uuid)[:items]
    end
(If "get_all_logins" is still needed for some reason we can add it to the scopes list.)
> - arvados-dev: I removed the code that builds the (broken) debs from our gems
+1, thanks.
Updated by Ward Vandewege over 9 years ago
Tom Clegg wrote:
> Ward Vandewege wrote:
>> - arvados: the scope in the doc was wrong (missing /logins at the end)
> (By "wrong" you mean "not as restrictive as it could be", right?) Does this mean the first part of the following code exists only for compatibility with APIs older than July 2013 (see 5fcebaf9) and should be removed? With the more restrictive scope, the first part will always throw an error, which should be harmless when the second part works, but confuse the troubleshooting adventure when it doesn't.
Yeah, I think we can throw out that first statement inside the begin.
I used the doc to set up a new shell node. I tried the token without /logins with the old version of the script (from puppet) and it actually failed. Then I double-checked the token for another node, noticed it had /logins at the end, updated my token, and it worked fine.
I just confirmed that with /logins added, we fall into the 'rescue' section of the code.
> (If "get_all_logins" is still needed for some reason we can add it to the scopes list.)
Not for this script I think. We do still have one other script in the puppet repo that uses it.
>> - arvados-dev: I removed the code that builds the (broken) debs from our gems
> +1, thanks.
Cool.
Thanks,
Ward.
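An added example (not from the thread or the Arvados code base) of the point discussed above: with a token scoped to the /logins endpoint, the begin/rescue fallback always makes one denied request and hides its error, while a single scoped call fails with the denied request named. FakeVirtualMachines, ScopeError, the scope-matching rule, the get_all_logins request path and the sample UUID are assumptions constructed for illustration.

```ruby
# Added example: a constructed stand-in for the API client, not the real SDK.
# Assumed scope rule: "METHOD path" must match exactly, or the scope ends
# in "/" and is a prefix of the request.
class ScopeError < StandardError; end

class FakeVirtualMachines
  attr_reader :calls

  def initialize(scopes, logins)
    @scopes, @logins, @calls = scopes, logins, []
  end

  # Request path is an assumption made for this example.
  def get_all_logins(limit: nil, uuid: nil)
    request("GET /arvados/v1/virtual_machines/get_all_logins")
  end

  def logins(uuid:)
    request("GET /arvados/v1/virtual_machines/#{uuid}/logins")
  end

  private

  def request(req)
    @calls << req
    ok = @scopes.any? { |s| s == "all" || s == req || (s.end_with?("/") && req.start_with?(s)) }
    raise ScopeError, "403 Forbidden: token scope does not allow #{req}" unless ok
    { items: @logins }
  end
end

# Pattern quoted in the thread: the first failure is swallowed by a bare rescue.
def logins_with_fallback(vm, vm_uuid)
  vm.get_all_logins(limit: 10000, uuid: vm_uuid)[:items]
rescue
  vm.logins(uuid: vm_uuid)[:items]
end

# One request that matches the restricted scope; a denial is logged by name.
def logins_scoped(vm, vm_uuid, log: [])
  vm.logins(uuid: vm_uuid)[:items]
rescue ScopeError => e
  log << "login sync aborted: #{e.message}"
  nil
end

# Constructed sample VM UUID and scope, for illustration only.
SAMPLE_UUID = "zzzzz-2x53u-zzzzzzzzzzzzzzz"
SAMPLE_SCOPE = ["GET /arvados/v1/virtual_machines/#{SAMPLE_UUID}/logins"]
```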
Updated by Tom Clegg over 9 years ago
- Status changed from In Progress to Resolved