[ARVADOS] updated: 1.3.0-2255-gf1c8d1e67

Git user git at public.arvados.org
Thu Mar 12 21:46:43 UTC 2020


Summary of changes:
 doc/admin/scoped-tokens.html.textile.liquid | 43 ++++++++++++++++++++++++-----
 doc/sdk/python/cookbook.html.textile.liquid |  2 +-
 2 files changed, 37 insertions(+), 8 deletions(-)

       via  f1c8d1e67abd4ee325b2edcea3d29a8eefc043eb (commit)
       via  992bddc9714a331e854940896d747c38eb58683d (commit)
      from  ff785b1f1639dfc3d9666731326796963e47bbab (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit f1c8d1e67abd4ee325b2edcea3d29a8eefc043eb
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Mar 12 17:46:21 2020 -0400

    16129: Link to collection sharing link example.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/scoped-tokens.html.textile.liquid b/doc/admin/scoped-tokens.html.textile.liquid
index 477fc396e..44da1d4d3 100644
--- a/doc/admin/scoped-tokens.html.textile.liquid
+++ b/doc/admin/scoped-tokens.html.textile.liquid
@@ -6,6 +6,8 @@ title: Securing API access with scoped tokens
 
 By default, Arvados API tokens grant unlimited access to a user account, and admin account tokens have unlimited access to the whole system.  If you want to grant restricted access to a user account, you can create a "scoped token" which is an Arvados API token which is limited to accessing specific APIs.
 
+One use of token scopes is to grant access to a collection to users who do not have an Arvados accounts on your cluster.  This is done by creating scoped token that only allows getting a specific collection.  See "Create a collection sharing link":{{site.baseurl}}/sdk/python/cookbook.html#sharing_link
+
 h2. Defining scopes
 
 A "scope" consists of a HTTP method and API path.  A token can have multiple scopes.  Token scopes act as a whitelist, and the API server checks the HTTP method and the API path of every request against the scopes of the request token.
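Review bot: two grammar slips in the added paragraph: "users who do not have an Arvados accounts" should read "an Arvados account", and "creating scoped token" should read "creating a scoped token"; the sentence also ends at the link target with no full stop. Since this paragraph is the one that introduces sharing with people who have no account, it would help to say outright that such a token should carry only the single-collection GET scope (the object-uuid form described under "Defining scopes"), so a reader does not hand out the broader listing scope by mistake.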
diff --git a/doc/sdk/python/cookbook.html.textile.liquid b/doc/sdk/python/cookbook.html.textile.liquid
index 34f0a5014..bd7f64b33 100644
--- a/doc/sdk/python/cookbook.html.textile.liquid
+++ b/doc/sdk/python/cookbook.html.textile.liquid
@@ -162,7 +162,7 @@ for c in collection:
     print(collection.open(c).read())
 {% endcodeblock %}
 
-h2. Create a collection sharing link
+h2(#sharing_link). Create a collection sharing link
 
 {% codeblock as python %}
 import arvados

commit 992bddc9714a331e854940896d747c38eb58683d
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Mar 12 17:10:59 2020 -0400

    16129: Revise scoped token docs a bit, more examples
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/admin/scoped-tokens.html.textile.liquid b/doc/admin/scoped-tokens.html.textile.liquid
index 2303aeac7..477fc396e 100644
--- a/doc/admin/scoped-tokens.html.textile.liquid
+++ b/doc/admin/scoped-tokens.html.textile.liquid
@@ -4,13 +4,11 @@ navsection: admin
 title: Securing API access with scoped tokens
 ...
 
-By default, Arvados API tokens grant unlimited access to a user account.  A token associated with an admin account has unlimited access to the whole system.  However, there are circumstances where you want to grant limited access to an account.  You can limit which APIs a token has access to by setting "scopes" on the token.
+By default, Arvados API tokens grant unlimited access to a user account, and admin account tokens have unlimited access to the whole system.  If you want to grant restricted access to a user account, you can create a "scoped token" which is an Arvados API token which is limited to accessing specific APIs.
 
-A scope consists of a HTTP method and API path.  A token can have multiple scopes.
+h2. Defining scopes
 
-When a token has scopes, the API server checks the HTTP method and the API path of the request against the scopes of the token being used.
-
-h2. Example scopes
+A "scope" consists of a HTTP method and API path.  A token can have multiple scopes.  Token scopes act as a whitelist, and the API server checks the HTTP method and the API path of every request against the scopes of the request token.
 
 These examples use @/arvados/v1/collections@, but can be applied to any endpoint.  Consult the "API documentation":{{site.baseurl}}/api for details.
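Review bot: the new opening sentence has a doubled relative clause, 'a "scoped token" which is an Arvados API token which is limited to'; suggest 'a "scoped token", an Arvados API token that is limited to accessing specific APIs'. In the "Defining scopes" paragraph, "a HTTP method" should be "an HTTP method". Otherwise merging the two former paragraphs into one that states the whitelist semantics up front is an improvement.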
 
@@ -18,13 +16,13 @@ The scope @["GET", "/arvados/v1/collections"]@ will allow only GET or HEAD reque
 
 A trailing slash in a scope is signficant.  The scope @["GET", "/arvados/v1/collections/"]@ will allow only GET or HEAD requests *underneath* @collections@, so the request for an individual record path @/arvados/v1/collections/zzzzz-4zz18-0123456789abcde@) is allowed but a request to list collections will be denied.
 
-The scope can include an object uuid.  The scope @["GET", "/arvados/v1/collections/zzzzz-4zz18-0123456789abcde"]@ permits requesting only the record @zzzzz-4zz18-0123456789abcde at .
+The scope can include an object uuid.  The scope @["GET", "/arvados/v1/collections/zzzzz-4zz18-0123456789abcde"]@ only permits requests for the record @zzzzz-4zz18-0123456789abcde at .
 
 Since a token can have multiple scopes, use @[["GET", "/arvados/v1/collections"], ["GET", "/arvados/v1/collections/"]]@ to allow both listing collections and fetching individual collection records.
 
 Object create calls use the `POST` method.  A scope of @["POST", "/arvados/v1/collections"]@ will allow creating collections, but not reading, listing or updating them (or accessing anything else).
 
-Object update calls use the `PATCH` method.  A scope of @["POST", "/arvados/v1/collections/"]@ will allow updating collections, but not listing or creating them.  (While GET requests are denied an object can be read indirectly by using an empty PATCH which will return the unmodified object as the result).
+Object update calls use the `PATCH` method.  A scope of @["POST", "/arvados/v1/collections/"]@ will allow updating collections, but not listing or creating them.  (Note: while GET requests are denied an object can be read indirectly by using an empty PATCH which will return the unmodified object as the result).
 
 h2. Creating a scoped token
 
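Review bot: the PATCH paragraph contradicts itself: it says update calls use the PATCH method, yet the example scope is @["POST", "/arvados/v1/collections/"]@, which under the matching rules given above would only admit POST requests; it should read @["PATCH", "/arvados/v1/collections/"]@. The hunk only reworded the parenthetical, so the wrong method survived the rewrite. Two nits in the unchanged context just above: "signficant" should be "significant", and there is a stray ")" after @zzzzz-4zz18-0123456789abcde@ in the trailing-slash paragraph. The parenthetical about reading a record through an empty PATCH is worth keeping, since it makes clear that an update-only scope does not actually prevent disclosure of the object.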
@@ -32,6 +30,35 @@ A scoped token can be created at the command line:
 
 <pre>
 $ arv api_client_authorization create --api-client-authorization '{"scopes": [["GET", "/arvados/v1/collections"], ["GET", "/arvados/v1/collections/"]]}'
+{
+ "href":"/api_client_authorizations/x1u39-gj3su-bizbsw0mx5pju3w",
+ "kind":"arvados#apiClientAuthorization",
+ "etag":"9yk144t0v6cvyp0342exoh2vq",
+ "uuid":"x1u39-gj3su-bizbsw0mx5pju3w",
+ "owner_uuid":"x1u39-tpzed-fr97h9t4m5jffxs",
+ "created_at":"2020-03-12T20:36:12.517375422Z",
+ "modified_by_client_uuid":null,
+ "modified_by_user_uuid":null,
+ "modified_at":null,
+ "user_id":3,
+ "api_client_id":7,
+ "api_token":"5a74htnoqwkhtfo2upekpfbsg04hv7cy5v4nowf7dtpxer086m",
+ "created_by_ip_address":null,
+ "default_owner_uuid":null,
+ "expires_at":null,
+ "last_used_at":null,
+ "last_used_by_ip_address":null,
+ "scopes":[
+  [
+   "GET",
+   "/arvados/v1/collections"
+  ],
+  [
+   "GET",
+   "/arvados/v1/collections/"
+  ]
+ ]
+}
 </pre>
 
-The response will include `api_token` field which is the newly issued secret token.
+The response will include @api_token@ field which is the newly issued secret token.  It can be passed directly to the API server that issued it, or can be used to construct a @v2@ token.  A @v2@ format token is required if the token will be used to access other clusters in an Arvados federation.  An Arvados @v2@ format token consists of three fields separate by slashes: the prefix @v2@, followed by the token uuid, followed by the token secret.  For example: @v2/x1u39-gj3su-bizbsw0mx5pju3w/5a74htnoqwkhtfo2upekpfbsg04hv7cy5v4nowf7dtpxer086m at .
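Review bot: the sample response reproduces what looks like a genuinely issued secret in @"api_token":"5a74htnoqwkhtfo2upekpfbsg04hv7cy5v4nowf7dtpxer086m"@ and again in the @v2@ example; please confirm that token has been revoked, or replace it with an obviously fake placeholder, before this is published. In the new paragraph, "three fields separate by slashes" should be "separated by slashes", and "will include @api_token@ field" should be "will include the @api_token@ field". Since the example output shows @"expires_at":null@, this section would be a natural place to point out that a scoped token meant for sharing should be given an expiration rather than left valid indefinitely.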
