[ARVADOS] created: 2.1.0-181-g4675340f6
Git user
git at public.arvados.org
Wed Dec 2 22:09:22 UTC 2020
at 4675340f6a4c17fe99cdd140f98d9545b830875b (commit)
commit 4675340f6a4c17fe99cdd140f98d9545b830875b
Author: Tom Clegg <tom at tomclegg.ca>
Date: Wed Dec 2 17:08:49 2020 -0500
17161: Improve SystemRootToken docs.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index b8442eb06..5677117ba 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -51,25 +51,25 @@ h3. Tokens
API:
RailsSessionSecretToken: <span class="userinput">"$rails_secret_token"</span>
Collections:
- BlobSigningKey: <span class="userinput">"blob_signing_key"</span>
+ BlobSigningKey: <span class="userinput">"$blob_signing_key"</span>
</code></pre>
</notextile>
- at SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
+These secret tokens are used secure communications between Arvados components.
+* @SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
+* @ManagementToken@ is used to authenticate access to system metrics.
+* @API.RailsSessionSecretToken@ is used to sign session cookies.
+* @Collections.BlobSigningKey@ is used to control access to Keep blocks.
- at ManagementToken@ is used to authenticate access to system metrics.
-
- at API.RailsSessionSecretToken@ is required by the API server.
-
- at Collections.BlobSigningKey@ is used to control access to Keep blocks.
-
-You can generate a random token for each of these items at the command line like this:
+Each token should be a string of at least 50 alphanumeric characters. You can generate a suitable token with the following command:
<notextile>
-<pre><code>~$ <span class="userinput">tr -dc 0-9a-zA-Z </dev/urandom | head -c50; echo</span>
+<pre><code>~$ <span class="userinput">tr -dc 0-9a-zA-Z </dev/urandom | head -c50 ; echo</span>
</code></pre>
</notextile>
+Generate four tokens and add them to @/etc/arvados/config.yml@:
+
h3. PostgreSQL.Connection
<notextile>
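Review bot: The added sentence "These secret tokens are used secure communications between Arvados components." is missing a word and should read "are used to secure communications". The last added line, "Generate four tokens and add them to @/etc/arvados/config.yml@:", ends in a colon but is followed directly by the "h3. PostgreSQL.Connection" heading, while the config example it appears to introduce sits above the bullet list. Either move the sentence so it leads into that example or end it with a period. Since the text now requires "at least 50 alphanumeric characters", it would also help to say that the four values should be generated separately rather than reusing one output of the command.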
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 005d2738d..7e16688d9 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -12,6 +12,8 @@
Clusters:
xxxxx:
+ # Token used internally by Arvados components to authenticate to
+ # one another. Use a string of at least 50 random alphanumerics.
SystemRootToken: ""
# Token to be included in all healthcheck requests. Disabled by default.
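Review bot: The new comment on SystemRootToken says the token lets components "authenticate to one another" but leaves out what the install doc in this same commit states, that it authenticates "as the system (root) user". A reader of the config file alone would not learn that this value carries root privileges and must be kept secret. The default remains "" and, unlike the healthcheck token comment just below ("Disabled by default"), the comment does not say what an empty value means. Suggest adding one line on the privilege level and one on whether an empty token is rejected or accepted.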
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 885bb4b8c..934131bd8 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -18,6 +18,8 @@ var DefaultYAML = []byte(`# Copyright (C) The Arvados Authors. All rights reserv
Clusters:
xxxxx:
+ # Token used internally by Arvados components to authenticate to
+ # one another. Use a string of at least 50 random alphanumerics.
SystemRootToken: ""
# Token to be included in all healthcheck requests. Disabled by default.
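Review bot: The two comment lines added inside DefaultYAML are a verbatim copy of the ones added to lib/config/config.default.yml in this commit. Given the file name generated_config.go, please confirm this hunk came from re-running the generator rather than a hand edit, so that any later rewording of the SystemRootToken comment in the YAML source cannot drift from the embedded copy.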
-----------------------------------------------------------------------
hooks/post-receive
--