From 6d67bbfdfc00a7a280f2d08e64b6198c5e4cba90 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Tue, 8 Oct 2019 15:16:47 -0400
Subject: [PATCH] 15531: Fixing up test framework
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
 doc/admin/federation.html.textile.liquid | 8 +++-
 .../federation/arvbox-make-federation.cwl | 10 ++++
 .../tests/federation/arvbox/fed-config.cwl | 9 ++--
 sdk/cwl/tests/federation/arvbox/start.cwl | 9 ++--
 .../arvados/commands/federation_migrate.py | 11 ++++-
 .../fed-migrate/arvbox-make-federation.cwl | 5 +-
 sdk/python/tests/fed-migrate/fed-migrate.cwl | 46 ++++++++++++++++---
 .../tests/fed-migrate/fed-migrate.cwlex | 23 +++++++---
 sdk/python/tests/fed-migrate/run-test.cwlex | 3 +-
 tools/arvbox/bin/arvbox | 2 +
 10 files changed, 100 insertions(+), 26 deletions(-)
diff --git a/doc/admin/federation.html.textile.liquid b/doc/admin/federation.html.textile.liquid
index 85258955b6..b1f1506e4c 100644
--- a/doc/admin/federation.html.textile.liquid
+++ b/doc/admin/federation.html.textile.liquid
@@ -44,7 +44,7 @@ A federation of clusters can be configured to use a separate user database per c If clusters belong to separate organizations, each cluster will have its own user database for the members of that organization. Through federation, a user from one organization can be granted access to the cluster of another organization. The admin of the seond cluster controls access on a individual basis by choosing to activate or deactivate accounts from other organizations (with the default policy the value of @ActivateUsers@). -On the other hand, if all clusters belong to the same organization, and users in that organization should have access to all the clusters, user management can be simplified by setting the @LoginCluster@ which manages the user database used by all other clusters in the federation. The @LoginCluster@ configuration should be set for all clusters in the federation to the id of one cluster in the federation which will be the 'master cluster'. This directs all logins to the LoginCluster, and the LoginCluster will issue API tokens which are valid on any cluster in the federation. Users are activated or deactivated across the entire federation based on their status on the master cluster. +On the other hand, if all clusters belong to the same organization, and users in that organization should have access to all the clusters, user management can be simplified by setting the @LoginCluster@ which manages the user database used by all other clusters in the federation. To do this, choose one cluster in the federation which will be the 'login cluster'. Set the the @Login.LoginCluster@ configuration value on all clusters in the federation to the cluster id of the login cluster. After setting @LoginCluster@, restart arvados-api-server and arvados-controller.
 Clusters:
@@ -53,7 +53,11 @@ Clusters:
       LoginCluster: clsr1
 
-To migrate users of an existing federation with separate user databases to use a single LoginCluster, use "arv-federation-migrate":merge-remote-account.html . +The @LoginCluster@ configuration redirects all user logins to the LoginCluster, and the LoginCluster will issue API tokens which are valid on any cluster in the federation. Users are activated or deactivated across the entire federation based on their status on the master cluster. + +Note: tokens issued by the master cluster need to be periodically re-validated when used on other clusters in the federation. The period between revalidation attempts is configured with @Login.RemoteTokenRefresh@. The default is 5 minutes. A longer period reduces overhead from validating tokens, but means it will take longer for other clusters to notice when a token has been revoked or a user has changed status (being activated/deactivated, admin flag changed). + +To migrate users of existing clusters with separate user databases to use a single LoginCluster, use "arv-federation-migrate":merge-remote-account.html . h2. Testing diff --git a/sdk/cwl/tests/federation/arvbox-make-federation.cwl b/sdk/cwl/tests/federation/arvbox-make-federation.cwl index 341ce1228d..81b542057c 100644 --- a/sdk/cwl/tests/federation/arvbox-make-federation.cwl +++ b/sdk/cwl/tests/federation/arvbox-make-federation.cwl @@ -22,6 +22,11 @@ inputs: insecure: type: boolean default: true + arvbox: + type: File + default: + class: File + location: ../../../../tools/arvbox/bin/arvbox outputs: arvados_api_token: type: string @@ -44,6 +49,9 @@ outputs: arvbox_containers: type: string[] outputSource: containers + arvbox_bin: + type: File + outputSource: arvbox steps: mkdir: in: @@ -55,6 +63,7 @@ steps: in: container_name: containers arvbox_data: mkdir/arvbox_data + arvbox_bin: arvbox out: [cluster_id, container_host, arvbox_data_out, superuser_token] scatter: [container_name, arvbox_data] scatterMethod: dotproduct 
@@ -66,6 +75,7 @@ steps: cluster_ids: start/cluster_id cluster_hosts: start/container_host arvbox_data: start/arvbox_data_out + arvbox_bin: arvbox out: [] scatter: [container_name, this_cluster_id, arvbox_data] scatterMethod: dotproduct diff --git a/sdk/cwl/tests/federation/arvbox/fed-config.cwl b/sdk/cwl/tests/federation/arvbox/fed-config.cwl index 77567ee89d..76523a56be 100644 --- a/sdk/cwl/tests/federation/arvbox/fed-config.cwl +++ b/sdk/cwl/tests/federation/arvbox/fed-config.cwl @@ -13,6 +13,7 @@ inputs: cluster_ids: string[] cluster_hosts: string[] arvbox_data: Directory + arvbox_bin: File outputs: arvbox_data_out: type: Directory @@ -60,7 +61,7 @@ arguments: valueFrom: | docker cp cluster_config.yml.override $(inputs.container_name):/var/lib/arvados docker cp application.yml.override $(inputs.container_name):/usr/src/arvados/services/api/config - arvbox sv restart api - arvbox sv restart controller - arvbox sv restart keepstore0 - arvbox sv restart keepstore1 + $(inputs.arvbox_bin.path) sv restart api + $(inputs.arvbox_bin.path) sv restart controller + $(inputs.arvbox_bin.path) sv restart keepstore0 + $(inputs.arvbox_bin.path) sv restart keepstore1 diff --git a/sdk/cwl/tests/federation/arvbox/start.cwl b/sdk/cwl/tests/federation/arvbox/start.cwl index f69775a530..a0b3e1864b 100644 --- a/sdk/cwl/tests/federation/arvbox/start.cwl +++ b/sdk/cwl/tests/federation/arvbox/start.cwl @@ -10,6 +10,7 @@ $namespaces: inputs: container_name: string arvbox_data: Directory + arvbox_bin: File outputs: cluster_id: type: string @@ -66,7 +67,7 @@ requirements: arguments: - shellQuote: false valueFrom: | - set -e - arvbox start dev - arvbox status > status.txt - arvbox cat /var/lib/arvados/superuser_token > superuser_token.txt \ No newline at end of file + set -ex + $(inputs.arvbox_bin.path) start dev + $(inputs.arvbox_bin.path) status > status.txt + $(inputs.arvbox_bin.path) cat /var/lib/arvados/superuser_token > superuser_token.txt 
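Review bot: `$(inputs.arvbox_bin.path)` is substituted unquoted into the shell script in the four `sv restart` lines of fed-config.cwl, so a staged path containing whitespace or shell metacharacters would be word-split or interpreted by the shell (presumably this script also runs with `shellQuote: false`, as the one in start.cwl does). Quoting the substitution, e.g. `"$(inputs.arvbox_bin.path)" sv restart api`, keeps it a single command word. The same unquoted form is added in start.cwl and in the fed-migrate scripts later in this patch. No `set -e` is visible in this hunk, so a failed restart may go unnoticed; the start of the `valueFrom` script is outside the hunk.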
diff --git a/sdk/python/arvados/commands/federation_migrate.py b/sdk/python/arvados/commands/federation_migrate.py index a7d9414d9d..e533a642ce 100755 --- a/sdk/python/arvados/commands/federation_migrate.py +++ b/sdk/python/arvados/commands/federation_migrate.py @@ -3,6 +3,15 @@ # # SPDX-License-Identifier: Apache-2.0 +# +# Migration tool for merging user accounts belonging to the same user +# but on separate clusters to use a single user account managed by a +# specific cluster. +# +# If you're working on this, see +# arvados/sdk/python/tests/fed-migrate/README for information about +# the testing infrastructure. + import arvados import arvados.util import arvados.errors @@ -67,7 +76,7 @@ def connect_clusters(args): continue if not cur["is_admin"]: - errors.append("Not admin of %s" % host) + errors.append("User %s is not admin on %s" % (cur["uuid"], arv._rootDesc["uuidPrefix"])) continue for r in clusters: diff --git a/sdk/python/tests/fed-migrate/arvbox-make-federation.cwl b/sdk/python/tests/fed-migrate/arvbox-make-federation.cwl index c3fcbdcb3f..5057d4cb18 100644 --- a/sdk/python/tests/fed-migrate/arvbox-make-federation.cwl +++ b/sdk/python/tests/fed-migrate/arvbox-make-federation.cwl @@ -18,6 +18,9 @@ outputs: arvbox_containers: type: string[] outputSource: start/arvbox_containers + arvbox_bin: + type: File + outputSource: start/arvbox_bin requirements: SubworkflowFeatureRequirement: {} cwltool:LoadListingRequirement: @@ -26,5 +29,5 @@ steps: start: in: arvbox_base: arvbox_base - out: [arvados_api_hosts, arvados_cluster_ids, arvado_api_host_insecure, superuser_tokens, arvbox_containers] + out: [arvados_api_hosts, arvados_cluster_ids, arvado_api_host_insecure, superuser_tokens, arvbox_containers, arvbox_bin] run: ../../../cwl/tests/federation/arvbox-make-federation.cwl diff --git a/sdk/python/tests/fed-migrate/fed-migrate.cwl b/sdk/python/tests/fed-migrate/fed-migrate.cwl index 313946dd3d..cb686847e4 100644 --- a/sdk/python/tests/fed-migrate/fed-migrate.cwl 
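Review bot: The new error message in `connect_clusters` reads `arv._rootDesc["uuidPrefix"]`, a private attribute of the API client, and drops `host`, which is the value the operator actually supplied. If that attribute is ever missing or renamed, this error path raises instead of reporting the missing admin right. Including both identifiers keeps the message traceable to the input, e.g. `errors.append("User %s is not admin on %s (%s)" % (cur["uuid"], arv._rootDesc["uuidPrefix"], host))`. Where `arv` and `host` are bound is outside the hunk, so this assumes both are still in scope at this line.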
+++ b/sdk/python/tests/fed-migrate/fed-migrate.cwl @@ -131,6 +131,7 @@ $graph: - class: EnvVarRequirement envDef: ARVADOS_API_HOST: $(inputs.host) + ARVADOS_API_HOST_INSECURE: '1' ARVADOS_API_TOKEN: $(inputs.token) steps: - id: main_2_embed_1 @@ -334,6 +335,11 @@ $graph: - default: arv-federation-migrate id: fed_migrate type: string + - id: arvbox_bin + type: File + - default: 15531-logincluster-migrate + id: refspec + type: string outputs: - id: supertok outputSource: main_2/supertok @@ -369,6 +375,8 @@ $graph: type: string - id: main_2 in: + arvbox_bin: + source: arvbox_bin cluster_id: source: arvados_cluster_ids container: @@ -377,6 +385,8 @@ $graph: source: arvados_api_hosts logincluster: source: main_1/logincluster + refspec: + source: refspec out: - supertok run: @@ -391,6 +401,10 @@ $graph: type: string - id: logincluster type: string + - id: arvbox_bin + type: File + - id: refspec + type: string outputs: - id: supertok outputSource: superuser_tok_3/superuser_token @@ -456,12 +470,16 @@ $graph: InlineJavascriptRequirement: {} - id: main_2_embed_2 in: + arvbox_bin: + source: arvbox_bin c: source: main_2_embed_1/c container: source: container host: source: host + refspec: + source: refspec out: - d run: @@ -475,8 +493,12 @@ $graph: type: string - id: host type: string + - id: arvbox_bin + type: File - id: c type: string + - id: refspec + type: string outputs: - id: d outputBinding: 
@@ -486,9 +508,21 @@ $graph: InitialWorkDirRequirement: listing: - entry: > - set -x + set -xe + + $(inputs.arvbox_bin.path) pipe <>> return container as c } - run tool(container, host, c) { + run tool(container, host, arvbox_bin, c, refspec) { sh <<< -set -x -arvbox hotreset +set -xe +$(inputs.arvbox_bin.path) pipe </dev/null ; do sleep 3 ; done export ARVADOS_API_HOST=$(inputs.host) -export ARVADOS_API_TOKEN=\$(arvbox cat /var/lib/arvados/superuser_token) +export ARVADOS_API_TOKEN=\$($(inputs.arvbox_bin.path) cat /var/lib/arvados/superuser_token) export ARVADOS_API_HOST_INSECURE=1 -ARVADOS_VIRTUAL_MACHINE_UUID=\$(arvbox cat /var/lib/arvados/vm-uuid) +ARVADOS_VIRTUAL_MACHINE_UUID=\$($(inputs.arvbox_bin.path) cat /var/lib/arvados/vm-uuid) while ! python -c "import arvados ; arvados.api().virtual_machines().get(uuid='$ARVADOS_VIRTUAL_MACHINE_UUID').execute()" 2>/dev/null ; do sleep 3; done >>> return c as d diff --git a/sdk/python/tests/fed-migrate/run-test.cwlex b/sdk/python/tests/fed-migrate/run-test.cwlex index ef37c51520..55ac6a7408 100644 --- a/sdk/python/tests/fed-migrate/run-test.cwlex +++ b/sdk/python/tests/fed-migrate/run-test.cwlex @@ -22,7 +22,8 @@ def workflow main( EnvVarRequirement { envDef: { ARVADOS_API_HOST: "$(inputs.host)", - ARVADOS_API_TOKEN: "$(inputs.token)" + ARVADOS_API_TOKEN: "$(inputs.token)", + ARVADOS_API_HOST_INSECURE: "1" } } } diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox index bdbd5fa23f..246229decf 100755 --- a/tools/arvbox/bin/arvbox +++ b/tools/arvbox/bin/arvbox @@ -19,11 +19,13 @@ if ! which docker >/dev/null 2>/dev/null ; then fi if test -z "$ARVBOX_DOCKER" ; then + set +e if which greadlink >/dev/null 2>/dev/null ; then ARVBOX_DOCKER=$(greadlink -f $(dirname $0)/../lib/arvbox/docker) else ARVBOX_DOCKER=$(readlink -f $(dirname $0)/../lib/arvbox/docker) fi + set -e fi if test -z "$ARVBOX_CONTAINER" ; then -- 2.30.2
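Review bot: The script in `run tool(container, host, arvbox_bin, c, refspec)` runs under `set -xe` and then executes `export ARVADOS_API_TOKEN=\$($(inputs.arvbox_bin.path) cat /var/lib/arvados/superuser_token)`, so xtrace writes the expanded superuser token to the step's stderr log. Tracing should be off around that line: put `set +x` before the export and `set -x` after it. The matching `entry:` script in fed-migrate.cwl appears to be the generated counterpart and would need the same change. Part of this hunk's text is missing on the page, so the note covers only the lines that are visible.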
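Review bot: `ARVADOS_API_HOST_INSECURE: "1"` is hard-coded in the `EnvVarRequirement` of run-test.cwlex, so every step that inherits it sends `$(inputs.token)` to `$(inputs.host)` without certificate verification, however the federation was brought up. The arvbox-make-federation workflow touched by this patch already has an `insecure` input and an `arvado_api_host_insecure` output; if that value can be passed into `main`, using it here would keep the two in agreement. Failing that, a comment such as `# arvbox test clusters use self-signed certificates; test-only setting` would stop it being copied into a real workflow. The same hard-coded value is added to the `envDef` in fed-migrate.cwl.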
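Review bot: Wrapping the `readlink -f` fallback in `set +e` / `set -e` lets a failed resolution leave `ARVBOX_DOCKER` empty without any message, and whatever uses that variable later in the script (outside this hunk) would then run against an empty path. A narrower form keeps errexit on and makes the tolerated failure explicit: `ARVBOX_DOCKER=$(readlink -f "$(dirname "$0")/../lib/arvbox/docker") || true`, followed by a warning on stderr when the result is empty. The quoting of `$0` matters more now that the tests invoke this script through a CWL-staged path. The closing `set -e` also turns errexit on unconditionally rather than restoring the previous state.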