2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: Apache-2.0
15 parser = argparse.ArgumentParser(description='Migrate users to federated identity, see https://doc.arvados.org/admin/???')
16 parser.add_argument('--tokens', type=str, required=True)
17 group = parser.add_mutually_exclusive_group(required=True)
18 group.add_argument('--report', type=str)
19 group.add_argument('--migrate', type=str)
20 args = parser.parse_args()
24 print("Reading %s" % args.tokens)
25 with open(args.tokens, "rt") as f:
26 for r in csv.reader(f):
29 arv = arvados.api(host=host, token=token)
30 clusters[arv._rootDesc["uuidPrefix"]] = arv
31 cur = arv.users().current().execute()
32 if not cur["is_admin"]:
33 raise Exception("Not admin of %s" % host)
37 for c, arv in clusters.items():
38 print("Getting user list from %s" % c)
39 ul = arvados.util.list_all(arv.users().list)
41 if l["uuid"].startswith(c):
44 out = csv.writer(open(args.report, "wt"))
46 out.writerow(("email", "user uuid", "primary cluster/user"))
48 users = sorted(users, key=lambda u: u["email"]+"::"+u["uuid"])
53 if u["uuid"].endswith("-anonymouspublic") or u["uuid"].endswith("-000000000000000"):
56 lastemail = u["email"]
57 if u["email"] == lastemail:
64 if a["uuid"] != homeuuid:
67 out.writerow((a["email"], a["uuid"], homeuuid[0:5]))
68 lastemail = u["email"]
75 if a["uuid"] != homeuuid:
78 out.writerow((a["email"], a["uuid"], homeuuid[0:5]))
80 print("Wrote %s" % args.report)
85 with open(args.migrate, "rt") as f:
86 for r in csv.reader(f):
89 by_email.setdefault(r[0], [])
90 by_email[r[0]].append(r)
94 print("(%s) Skipping %s, no home cluster specified" % (r[0], r[1]))
95 if r[1].startswith(r[2]):
98 for b in by_email[r[0]]:
99 if b[1].startswith(r[2]):
101 if len(candidates) == 0:
102 print("(%s) No user listed to migrate %s to %s" % (r[0], r[1], r[2]))
104 if len(candidates) > 1:
105 print("(%s) Multiple users listed to migrate %s to %s, use full uuid" % (r[0], r[1], r[2]))
107 new_user_uuid = candidates[0][1]
108 print("(%s) Migrating %s to %s" % (r[0], r[1], new_user_uuid))
109 oldcluster = r[1][0:5]
110 newhomecluster = r[2][0:5]
111 homearv = clusters[newhomecluster]
113 newtok = homearv.api_client_authorizations().create(body={"api_client_authorization": {'owner_uuid': new_user_uuid}}).execute()
114 salted = 'v2/' + newtok["uuid"] + '/' + hmac.new(newtok["api_token"].encode(), msg=oldcluster.encode(), digestmod='sha1').hexdigest()
115 arvados.api(host=arv._rootDesc["rootUrl"][8:-1], token=salted).users().current().execute()
117 # now migrate from local user to remote user.
118 arv = clusters[oldcluster]
120 grp = arv.groups().create(body={
121 "owner_uuid": new_user_uuid,
122 "name": "Migrated from %s (%s)" % (r[0], r[1]),
123 "group_class": "project"
124 }, ensure_unique_name=True).execute()
125 arv.users().merge(old_user_uuid=r[1],
126 new_user_uuid=new_user_uuid,
127 new_owner_uuid=grp["uuid"],
128 redirect_to_new_user=True).execute()
130 if __name__ == "__main__":