When using multiple Arvados clusters, prior to federation capabilities described here, a user would have to create a separate account on each cluster. Unfortunately, because each account represents a separate "identity", in this system permissions granted to a user on one cluster do not transfer to another cluster, even if the accounts are associated with the same user.
-To address this, Arvados supports "federated user accounts". A federated user account is associated with a specific "home" cluster, and can be used access other clusters in the federation that trust the home cluster. When a user arrives at another cluster's Workbench, they select and log in to their home cluster, and then are returned to the starting cluster logged in with the federated user account.
+To address this, Arvados supports "federated user accounts". A federated user account is associated with a specific "home" cluster, and can be used to access other clusters in the federation that trust the home cluster. When a user arrives at another cluster's Workbench, they select and log in to their home cluster, and then are returned to the starting cluster logged in with the federated user account.
When setting up federation capabilities on existing clusters, some users might already have accounts on multiple clusters. In order to have a single federated identity, users should be assigned a "home" cluster, and accounts associated with that user on the other (non-home) clusters should be migrated to the new federated user account. The @arv-federation-migrate@ tool assists with this.
person_b@example.com,x6b1s-tpzed-w4nhkx2rmrhlr54,
</pre>
-The third column describes that user's home cluster. If a user only has one account (identified by email address), the column will be filled in and there is nothing to do. If the column is blank, that means there is more than one Arvados account associated with the user. Edit the file and provide the desired home cluster for each user. In this example, @person_b@example.com@ is assigned the home cluster @x3982@.
+The third column describes that user's home cluster. If a user only has one account (identified by email address), the column will be filled in and there is nothing to do. If the column is blank, that means there is more than one Arvados account associated with the user. Edit the file and provide the desired home cluster for each user. In this example, <code>person_b@example.com</code> is assigned the home cluster @x3982@.
_users.csv_
def main():
- parser = argparse.ArgumentParser(description='Migrate users to federated identity, see https://doc.arvados.org/admin/???')
+ parser = argparse.ArgumentParser(description='Migrate users to federated identity, see https://doc.arvados.org/admin/merge-remote-account.html')
parser.add_argument('--tokens', type=str, required=True)
group = parser.add_mutually_exclusive_group(required=True)
- group.add_argument('--report', type=str)
- group.add_argument('--migrate', type=str)
+ group.add_argument('--report', type=str, help="Generate report .csv file listing users by email address and their associated Arvados accounts")
+ group.add_argument('--migrate', type=str, help="Consume report .csv and migrate users to designated Arvados accounts")
+ group.add_argument('--check', action="store_true", help="Check that tokens are usable and the federation is well connected")
args = parser.parse_args()
clusters = {}
for r in csv.reader(f):
host = r[0]
token = r[1]
+ print("Contacting %s" % (host))
arv = arvados.api(host=host, token=token)
clusters[arv._rootDesc["uuidPrefix"]] = arv
cur = arv.users().current().execute()
if not cur["is_admin"]:
raise Exception("Not admin of %s" % host)
+ print("Checking that the federation is well connected")
+ fail = False
+ for v in clusters.values():
+ for r in clusters:
+ if r != v._rootDesc["uuidPrefix"] and r not in v._rootDesc["remoteHosts"]:
+ print("%s is missing from remoteHosts on %s" % (r, v._rootDesc["uuidPrefix"]))
+ fail = True
+
+ if fail:
+ exit(1)
+
+ if args.check:
+ exit(0)
+
if args.report:
users = []
for c, arv in clusters.items():
projects / arvados.git / commitdiff