From 07440bacc85564c7e2e03008336d395480333ff7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Javier=20B=C3=A9rtoli?= Date: Wed, 30 Mar 2022 21:15:29 -0300 Subject: [PATCH] 18631: use SystemRootToken for login-sync MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Arvados-DCO-1.1-Signed-off-by: Javier Bértoli --- .../aws/states/shell_cron_add_login_sync.sls | 34 +++---------------- .../states/shell_cron_add_login_sync.sls | 34 +++---------------- 2 files changed, 8 insertions(+), 60 deletions(-) diff --git a/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls b/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls index 70fbe5a62a..1f33ca69b7 100644 --- a/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls +++ b/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls @@ -4,8 +4,8 @@ # This state tries to query the controller using the parameters set in # the `arvados.cluster.resources.virtual_machines` pillar, to get the -# scoped_token for the host and configure the arvados login-sync cron -# as described in https://doc.arvados.org/v2.0/install/install-shell-server.html +# ARVADOS_VIRTUAL_MACHINE_UUID for the host and configure the arvados login-sync cron +# as described in https://doc.arvados.org/main/install/install-shell-server.html {%- set curr_tpldir = tpldir %} {%- set tpldir = 'arvados' %} @@ -35,15 +35,11 @@ extra_shell_cron_add_login_sync_add_jq_pkg_installed: vm_params.backend in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] + grains['ipv4'] + grains['ipv6'] %} + # We need to query the VM UUID {%- set cmd_query_vm_uuid = 'arv --short virtual_machine list' ~ ' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\'' %} -# We need to use the UUID generated in the previous command to see if there's a -# scoped token for it. There's no easy way to pass the value from a shellout -# to another state, so we store it in a temp file and use that in the next -# command. Flaky, mostly because the `unless` clause is just checking that -# the file content is a token uuid :| extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: cmd.run: - env: @@ -56,28 +52,6 @@ extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: - unless: - /bin/grep -qE "[a-z0-9]{5}-2x53u-[a-z0-9]{15}" /tmp/vm_uuid_{{ vm }} - # There's no direct way to query the scoped_token for a given virtual_machine - # so we need to parse the api_client_authorization list through some jq - {%- set cmd_query_scoped_token_url = 'VM_UUID=$(cat /tmp/vm_uuid_' ~ vm ~ ') && ' ~ - 'arv api_client_authorization list | ' ~ - '/usr/bin/jq -e \'.items[]| select(.scopes[] == "GET ' ~ - '/arvados/v1/virtual_machines/\'${VM_UUID}\'/logins") | ' ~ - '.api_token\' | head -1 | tee /tmp/scoped_token_' ~ vm ~ ' && ' ~ - 'unset VM_UUID' - %} - -extra_shell_cron_add_login_sync_add_{{ vm }}_get_scoped_token_cmd_run: - cmd.run: - - env: - - ARVADOS_API_TOKEN: {{ api_token }} - - ARVADOS_API_HOST: {{ api_host }} - - ARVADOS_API_HOST_INSECURE: {{ arvados.cluster.tls.insecure | default(false) }} - - name: {{ cmd_query_scoped_token_url }} - - require: - - cmd: extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run - - unless: - - test -s /tmp/scoped_token_{{ vm }} - extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: cron.env_present: - name: ARVADOS_API_HOST @@ -86,7 +60,7 @@ extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_token_cron_env_present: cron.env_present: - name: ARVADOS_API_TOKEN - - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + - value: {{ api_token }} extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_insecure_cron_env_present: cron.env_present: diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls index 70fbe5a62a..1f33ca69b7 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls @@ -4,8 +4,8 @@ # This state tries to query the controller using the parameters set in # the `arvados.cluster.resources.virtual_machines` pillar, to get the -# scoped_token for the host and configure the arvados login-sync cron -# as described in https://doc.arvados.org/v2.0/install/install-shell-server.html +# ARVADOS_VIRTUAL_MACHINE_UUID for the host and configure the arvados login-sync cron +# as described in https://doc.arvados.org/main/install/install-shell-server.html {%- set curr_tpldir = tpldir %} {%- set tpldir = 'arvados' %} @@ -35,15 +35,11 @@ extra_shell_cron_add_login_sync_add_jq_pkg_installed: vm_params.backend in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] + grains['ipv4'] + grains['ipv6'] %} + # We need to query the VM UUID {%- set cmd_query_vm_uuid = 'arv --short virtual_machine list' ~ ' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\'' %} -# We need to use the UUID generated in the previous command to see if there's a -# scoped token for it. There's no easy way to pass the value from a shellout -# to another state, so we store it in a temp file and use that in the next -# command. Flaky, mostly because the `unless` clause is just checking that -# the file content is a token uuid :| extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: cmd.run: - env: @@ -56,28 +52,6 @@ extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: - unless: - /bin/grep -qE "[a-z0-9]{5}-2x53u-[a-z0-9]{15}" /tmp/vm_uuid_{{ vm }} - # There's no direct way to query the scoped_token for a given virtual_machine - # so we need to parse the api_client_authorization list through some jq - {%- set cmd_query_scoped_token_url = 'VM_UUID=$(cat /tmp/vm_uuid_' ~ vm ~ ') && ' ~ - 'arv api_client_authorization list | ' ~ - '/usr/bin/jq -e \'.items[]| select(.scopes[] == "GET ' ~ - '/arvados/v1/virtual_machines/\'${VM_UUID}\'/logins") | ' ~ - '.api_token\' | head -1 | tee /tmp/scoped_token_' ~ vm ~ ' && ' ~ - 'unset VM_UUID' - %} - -extra_shell_cron_add_login_sync_add_{{ vm }}_get_scoped_token_cmd_run: - cmd.run: - - env: - - ARVADOS_API_TOKEN: {{ api_token }} - - ARVADOS_API_HOST: {{ api_host }} - - ARVADOS_API_HOST_INSECURE: {{ arvados.cluster.tls.insecure | default(false) }} - - name: {{ cmd_query_scoped_token_url }} - - require: - - cmd: extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run - - unless: - - test -s /tmp/scoped_token_{{ vm }} - extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: cron.env_present: - name: ARVADOS_API_HOST @@ -86,7 +60,7 @@ extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_token_cron_env_present: cron.env_present: - name: ARVADOS_API_TOKEN - - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + - value: {{ api_token }} extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_insecure_cron_env_present: cron.env_present: -- 2.30.2