start_banner = "### BEGIN Arvados-managed keys -- changes between markers will be overwritten\n"
end_banner = "### END Arvados-managed keys -- changes between markers will be overwritten\n"
+actions = {
+ # These names correspond to the names in the cluster Users configuration.
+ # Managing everything was the original behavior.
+ SyncUserAccounts: true,
+ SyncUserGroups: true,
+ SyncUserSSHKeys: true,
+ SyncUserAPITokens: true,
+}
+
keys = ''
begin
logincluster_name = arv.cluster_config['Login']['LoginCluster'] or ''
# Requiring the fuse group was previous hardcoded behavior
minimum_groups = arv.cluster_config['Login']['SyncRequiredGroups'] || ['fuse']
+ actions.each_pair do |key, default|
+ actions[key] = arv.cluster_config['Login'].fetch(key.to_s, default)
+ end
if logincluster_name != '' and logincluster_name != arv.cluster_config['ClusterID']
logincluster_host = arv.cluster_config['RemoteClusters'][logincluster_name]['Host']
username = l[:username]
unless pwnam[l[:username]]
+ unless actions[:SyncUserAccounts]
+ STDERR.puts "User #{username} does not exist and SyncUserAccounts=false. Skipping."
+ next
+ end
STDERR.puts "Creating account #{l[:username]}"
# Create new user
out, st = Open3.capture2e("useradd", "-m",
next
end
- have_groups = current_user_groups[username]
- want_groups = l[:groups] || []
- want_groups |= minimum_groups
- want_groups &= all_groups
-
- (want_groups - have_groups).each do |addgroup|
- # User should be in group, but isn't, so add them.
- STDERR.puts "Add user #{username} to #{addgroup} group"
- out, st = Open3.capture2e("usermod", "-aG", addgroup, username)
- if st.exitstatus != 0
- STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}"
+ if actions[:SyncUserGroups]
+ have_groups = current_user_groups[username]
+ want_groups = l[:groups] || []
+ want_groups |= minimum_groups
+ want_groups &= all_groups
+
+ (want_groups - have_groups).each do |addgroup|
+ # User should be in group, but isn't, so add them.
+ STDERR.puts "Add user #{username} to #{addgroup} group"
+ out, st = Open3.capture2e("usermod", "-aG", addgroup, username)
+ if st.exitstatus != 0
+ STDERR.puts "Failed to add #{username} to #{addgroup} group:\n#{out}"
+ end
end
- end
- (have_groups - want_groups).each do |removegroup|
- # User is in a group, but shouldn't be, so remove them.
- STDERR.puts "Remove user #{username} from #{removegroup} group"
- out, st = Open3.capture2e("gpasswd", "-d", username, removegroup)
- if st.exitstatus != 0
- STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}"
+ (have_groups - want_groups).each do |removegroup|
+ # User is in a group, but shouldn't be, so remove them.
+ STDERR.puts "Remove user #{username} from #{removegroup} group"
+ out, st = Open3.capture2e("gpasswd", "-d", username, removegroup)
+ if st.exitstatus != 0
+ STDERR.puts "Failed to remove user #{username} from #{removegroup} group:\n#{out}"
+ end
end
end
- userdotssh = File.join(homedir, ".ssh")
- ensure_dir(userdotssh, 0700, username, user_gid)
+ if actions[:SyncUserSSHKeys]
+ userdotssh = File.join(homedir, ".ssh")
+ ensure_dir(userdotssh, 0700, username, user_gid)
- newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
+ newkeys = "###\n###\n" + keys[l[:username]].join("\n") + "\n###\n###\n"
- keysfile = File.join(userdotssh, "authorized_keys")
- begin
- oldkeys = File.read(keysfile)
- rescue Errno::ENOENT
- oldkeys = ""
- end
+ keysfile = File.join(userdotssh, "authorized_keys")
+ begin
+ oldkeys = File.read(keysfile)
+ rescue Errno::ENOENT
+ oldkeys = ""
+ end
- if options[:exclusive]
- newkeys = exclusive_banner + newkeys
- elsif oldkeys.start_with?(exclusive_banner)
- newkeys = start_banner + newkeys + end_banner
- elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
- newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
- else
- newkeys = start_banner + newkeys + end_banner + oldkeys
- end
+ if options[:exclusive]
+ newkeys = exclusive_banner + newkeys
+ elsif oldkeys.start_with?(exclusive_banner)
+ newkeys = start_banner + newkeys + end_banner
+ elsif (m = /^(.*?\n|)#{start_banner}(.*?\n|)#{end_banner}(.*)/m.match(oldkeys))
+ newkeys = m[1] + start_banner + newkeys + end_banner + m[3]
+ else
+ newkeys = start_banner + newkeys + end_banner + oldkeys
+ end
- if oldkeys != newkeys then
- File.open(keysfile, 'w', 0600) do |f|
- f.write(newkeys)
+ if oldkeys != newkeys then
+ File.open(keysfile, 'w', 0600) do |f|
+ f.write(newkeys)
+ end
+ FileUtils.chown(username, user_gid, keysfile)
end
- FileUtils.chown(username, user_gid, keysfile)
end
- userdotconfig = File.join(homedir, ".config")
- ensure_dir(userdotconfig, 0755, username, user_gid)
- configarvados = File.join(userdotconfig, "arvados")
- ensure_dir(configarvados, 0700, username, user_gid)
-
- tokenfile = File.join(configarvados, "settings.conf")
-
- begin
- STDERR.puts "Processing #{tokenfile} ..." if debug
- newToken = false
- if File.exist?(tokenfile)
- # check if the token is still valid
- myToken = ENV["ARVADOS_API_TOKEN"]
- userEnv = File.read(tokenfile)
- if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv))
- begin
- tmp_arv = Arvados.new({ :api_host => logincluster_host,
- :api_token => (m[1]),
- :suppress_ssl_warnings => false })
- tmp_arv.user.current
- rescue Arvados::TransactionFailedError => e
- if e.to_s =~ /401 Unauthorized/
- STDERR.puts "Account #{l[:username]} token not valid, creating new token."
- newToken = true
- else
- raise
+ if actions[:SyncUserAPITokens]
+ userdotconfig = File.join(homedir, ".config")
+ ensure_dir(userdotconfig, 0755, username, user_gid)
+ configarvados = File.join(userdotconfig, "arvados")
+ ensure_dir(configarvados, 0700, username, user_gid)
+
+ tokenfile = File.join(configarvados, "settings.conf")
+
+ begin
+ STDERR.puts "Processing #{tokenfile} ..." if debug
+ newToken = false
+ if File.exist?(tokenfile)
+ # check if the token is still valid
+ myToken = ENV["ARVADOS_API_TOKEN"]
+ userEnv = File.read(tokenfile)
+ if (m = /^ARVADOS_API_TOKEN=(.*?\n)/m.match(userEnv))
+ begin
+ tmp_arv = Arvados.new({ :api_host => logincluster_host,
+ :api_token => (m[1]),
+ :suppress_ssl_warnings => false })
+ tmp_arv.user.current
+ rescue Arvados::TransactionFailedError => e
+ if e.to_s =~ /401 Unauthorized/
+ STDERR.puts "Account #{l[:username]} token not valid, creating new token."
+ newToken = true
+ else
+ raise
+ end
end
end
+ elsif !File.exist?(tokenfile) || options[:"rotate-tokens"]
+ STDERR.puts "Account #{l[:username]} token file not found, creating new token."
+ newToken = true
end
- elsif !File.exist?(tokenfile) || options[:"rotate-tokens"]
- STDERR.puts "Account #{l[:username]} token file not found, creating new token."
- newToken = true
- end
- if newToken
- aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
- if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
- aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
- end
- user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
- File.open(tokenfile, 'w', 0600) do |f|
- f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
- f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+ if newToken
+ aca_params = {owner_uuid: l[:user_uuid], api_client_id: 0}
+ if options[:"token-lifetime"] && options[:"token-lifetime"] > 0
+ aca_params.merge!(expires_at: (Time.now + options[:"token-lifetime"]))
+ end
+ user_token = logincluster_arv.api_client_authorization.create(api_client_authorization: aca_params)
+ File.open(tokenfile, 'w', 0600) do |f|
+ f.write("ARVADOS_API_HOST=#{ENV['ARVADOS_API_HOST']}\n")
+ f.write("ARVADOS_API_TOKEN=v2/#{user_token[:uuid]}/#{user_token[:api_token]}\n")
+ end
+ FileUtils.chown(username, user_gid, tokenfile)
end
- FileUtils.chown(username, user_gid, tokenfile)
+ rescue => e
+ STDERR.puts "Error setting token for #{l[:username]}: #{e}"
end
- rescue => e
- STDERR.puts "Error setting token for #{l[:username]}: #{e}"
end
end