[arvados] updated: 2.1.0-2636-g6bcc2cf0d
git repository hosting
git at public.arvados.org
Mon Jul 4 17:41:30 UTC 2022
Summary of changes:
doc/_config.yml | 2 +-
...ados-sync-external-sources.html.textile.liquid} | 53 ++++++++++++++++---
tools/sync-users/sync-users.go | 59 ++++++++++++----------
tools/sync-users/sync-users_test.go | 4 +-
4 files changed, 83 insertions(+), 35 deletions(-)
rename doc/user/topics/{arvados-sync-groups.html.textile.liquid => arvados-sync-external-sources.html.textile.liquid} (51%)
via 6bcc2cf0dea668fd5c00af9f859e0c4327fbfa14 (commit)
via 48495e8ed3c15aefa94561ecf7caedc6ad716514 (commit)
from 36f730574cf6d5f720656de6a102963af5e15cab (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 6bcc2cf0dea668fd5c00af9f859e0c4327fbfa14
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon Jul 4 14:40:57 2022 -0300
18858: Adds first/last name updates, with tests.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/sync-users/sync-users.go b/tools/sync-users/sync-users.go
index 001014255..37b94a9f4 100644
--- a/tools/sync-users/sync-users.go
+++ b/tools/sync-users/sync-users.go
@@ -359,6 +359,12 @@ type userRecord struct {
Admin bool
}
+func needsUpdating(user arvados.User, record userRecord) bool {
+ userData := userRecord{"", user.FirstName, user.LastName, user.IsActive, user.IsAdmin}
+ recordData := userRecord{"", record.FirstName, record.LastName, record.Active, record.Admin}
+ return userData != recordData
+}
+
// ProcessRecord creates or updates a user based on the given record
func ProcessRecord(cfg *ConfigParams, record userRecord, userIDToUUID map[string]string, allUsers map[string]arvados.User) (bool, error) {
if cfg.Verbose {
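Review bot: `needsUpdating` builds both comparison values from unkeyed `userRecord{...}` literals, so the two adjacent bool fields (active, admin) are matched by position only. The struct is declared above this hunk; if it is ever reordered or extended, the code may still compile while comparing the wrong privilege flags. Comparing the fields directly avoids that: `return user.FirstName != record.FirstName || user.LastName != record.LastName || user.IsActive != record.Active || user.IsAdmin != record.Admin`. The function also lacks a doc comment, for example `// needsUpdating reports whether the Arvados user differs from the CSV record in name, active or admin state.` If `record.Admin` is not already forced to false for inactive records when the CSV is parsed (not visible here), an admin-only difference on an inactive user makes this return true on every run, although the new branch in ProcessRecord then issues no API call.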
@@ -372,8 +378,8 @@ func ProcessRecord(cfg *ConfigParams, record userRecord, userIDToUUID map[string
// Check if user exists, set its active & admin status.
var user arvados.User
recordUUID := userIDToUUID[record.UserID]
- user, ok := allUsers[recordUUID]
- if !ok {
+ user, found := allUsers[recordUUID]
+ if !found {
if cfg.Verbose {
log.Printf("User %q does not exist, creating", record.UserID)
}
@@ -388,44 +394,45 @@ func ProcessRecord(cfg *ConfigParams, record userRecord, userIDToUUID map[string
if err != nil {
return false, fmt.Errorf("error creating user %q: %s", record.UserID, err)
}
- }
- if record.Active != user.IsActive {
+ } else if needsUpdating(user, record) {
updateRequired = true
if record.Active {
- if cfg.Verbose {
- log.Printf("User %q is inactive, activating", record.UserID)
+ if !user.IsActive && cfg.Verbose {
+ log.Printf("User %q (%s) is inactive, activating", record.UserID, user.UUID)
}
// Here we assume the 'setup' is done elsewhere if needed.
err := UpdateUser(cfg.Client, user.UUID, &user, map[string]string{
- "is_active": wantedActiveStatus,
- "is_admin": wantedAdminStatus, // Just in case it needs to be changed.
+ "first_name": record.FirstName,
+ "last_name": record.LastName,
+ "is_active": wantedActiveStatus,
+ "is_admin": wantedAdminStatus,
})
if err != nil {
return false, fmt.Errorf("error updating user %q: %s", record.UserID, err)
}
} else {
- if cfg.Verbose {
- log.Printf("User %q is active, deactivating", record.UserID)
+ fnChanged := user.FirstName != record.FirstName
+ lnChanged := user.LastName != record.LastName
+ if fnChanged || lnChanged {
+ err := UpdateUser(cfg.Client, user.UUID, &user, map[string]string{
+ "first_name": record.FirstName,
+ "last_name": record.LastName,
+ })
+ if err != nil {
+ return false, fmt.Errorf("error updating user %q: %s", record.UserID, err)
+ }
}
- err := UnsetupUser(cfg.Client, user.UUID, &user)
- if err != nil {
- return false, fmt.Errorf("error deactivating user %q: %s", record.UserID, err)
+ if user.IsActive {
+ if cfg.Verbose {
+ log.Printf("User %q is active, deactivating", record.UserID)
+ }
+ err := UnsetupUser(cfg.Client, user.UUID, &user)
+ if err != nil {
+ return false, fmt.Errorf("error deactivating user %q: %s", record.UserID, err)
+ }
}
}
}
- // Inactive users cannot be admins.
- if user.IsActive && record.Admin != user.IsAdmin {
- if cfg.Verbose {
- log.Printf("User %q is active, changing admin status to %v", record.UserID, record.Admin)
- }
- updateRequired = true
- err := UpdateUser(cfg.Client, user.UUID, &user, map[string]string{
- "is_admin": wantedAdminStatus,
- })
- if err != nil {
- return false, fmt.Errorf("error updating user %q: %s", record.UserID, err)
- }
- }
allUsers[record.UserID] = user
if createRequired {
log.Printf("Created user %q", record.UserID)
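Review bot: An `is_admin` change on an already-active user now goes through the combined `UpdateUser` call in the `record.Active` branch with no log line naming it, because the only verbose message left there is guarded by `!user.IsActive` and the old "changing admin status" message was removed. The tool runs with a superuser token, so granting or revoking admin is the change an operator most needs in the log; consider adding before the call `if cfg.Verbose && user.IsAdmin != record.Admin { log.Printf("User %q (%s): changing admin status to %v", record.UserID, user.UUID, record.Admin) }`. In the `else` branch the name update runs before `UnsetupUser`, so a failed rename returns early and leaves active an account that the input file wants disabled. Deactivating first would fail safer, provided `UpdateUser` is still accepted for an inactive account, which is not visible here. ProcessRecord starts and ends outside this hunk.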
diff --git a/tools/sync-users/sync-users_test.go b/tools/sync-users/sync-users_test.go
index 5c272b0da..8b5385a32 100644
--- a/tools/sync-users/sync-users_test.go
+++ b/tools/sync-users/sync-users_test.go
@@ -312,9 +312,11 @@ func (s *TestSuite) TestUserCreationAndUpdate(c *C) {
c.Assert(foundUser.IsActive, Equals, r.Active)
c.Assert(foundUser.IsAdmin, Equals, (r.Active && r.Admin))
}
- // User active status switch
+ // User update
for idx := range records {
records[idx].Active = !records[idx].Active
+ records[idx].FirstName = records[idx].FirstName + "Updated"
+ records[idx].LastName = records[idx].LastName + "Updated"
}
tmpfile, err = MakeTempCSVFile(RecordsToStrings(records))
c.Assert(err, IsNil)
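Review bot: The loop now flips the active flag and changes both names on every record at once, so the paths where only a name changes, or only the admin flag changes on an active user, are not exercised by what is visible here. A further pass that modifies just `FirstName`, and one that flips just `Admin`, would pin those branches of ProcessRecord separately. The assertions that follow are outside this hunk; if they do not already compare the stored names against the record, they should, e.g. `c.Assert(foundUser.FirstName, Equals, r.FirstName)` and the same for `LastName`.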
commit 48495e8ed3c15aefa94561ecf7caedc6ad716514
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon Jul 4 13:39:46 2022 -0300
18858: Expands documentation to include the new tool.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/doc/_config.yml b/doc/_config.yml
index 7c5e6d986..d2bb7e797 100644
--- a/doc/_config.yml
+++ b/doc/_config.yml
@@ -177,7 +177,7 @@ navbar:
- admin/federation.html.textile.liquid
- admin/merge-remote-account.html.textile.liquid
- admin/migrating-providers.html.textile.liquid
- - user/topics/arvados-sync-groups.html.textile.liquid
+ - user/topics/arvados-sync-external-sources.html.textile.liquid
- admin/scoped-tokens.html.textile.liquid
- admin/token-expiration-policy.html.textile.liquid
- admin/user-activity.html.textile.liquid
diff --git a/doc/user/topics/arvados-sync-groups.html.textile.liquid b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
similarity index 51%
rename from doc/user/topics/arvados-sync-groups.html.textile.liquid
rename to doc/user/topics/arvados-sync-external-sources.html.textile.liquid
index 1f7eede4b..0ec0098f0 100644
--- a/doc/user/topics/arvados-sync-groups.html.textile.liquid
+++ b/doc/user/topics/arvados-sync-external-sources.html.textile.liquid
@@ -1,7 +1,7 @@
---
layout: default
navsection: admin
-title: "Synchronizing external groups"
+title: "Synchronizing from external sources"
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.
@@ -9,7 +9,51 @@ Copyright (C) The Arvados Authors. All rights reserved.
SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
-The @arvados-sync-groups@ tool allows to synchronize groups in Arvados from an external source.
+The @arvados-sync-users@ and @arvados-sync-groups@ tools allow to manage Arvados users & groups from external sources.
+
+These tools are designed to be run periodically reading a file created by a remote auth system (ie: LDAP) dump script, applying what's included on the file as the source of truth.
+
+bq. NOTE: Both tools need to perform several administrative tasks on Arvados, so must be run using a superuser token via @ARVADOS_API_HOST@ and @ARVADOS_API_TOKEN@ environment variables or @~/.config/arvados/settings.conf@ file.
+
+h1. Using arvados-sync-users
+
+This tool reads a CSV (comma-separated values) file having information about user accounts and their expected state on Arvados.
+
+Every line on the file should have 5 fields:
+
+# A user identifier: it could be an email address (default) or a username.
+# The user's first name.
+# The user's last name.
+# The intended user's active state.
+# The intended user's admin state: will always be read as @false@ when @active=false at .
+
+The last 2 fields should be represented as @true@/@false@, @yes@/@no@, or @1@/@0@ values.
+
+h2. Options
+
+The following command line options are supported:
+
+table(table table-bordered table-condensed).
+|_. Option |_. Description |
+|==--help==|This list of options|
+|==--case-insensitive==|Uses case-insensitive username matching|
+|==--deactivate-unlisted==|Deactivate users that aren't listed on the input file. (Current & system users won't be affected)|
+|==--user-id==|Identifier to use in looking up user. One of 'email' or 'username' (Default: 'email')|
+|==--verbose==|Log informational messages|
+|==--version==|Print version and exit|
+
+The tool will create users when needed, and update those existing records to match the desired state described by the fields on the CSV file.
+System users like the root and anonymous are unaffected by this tool.
+In the case of a @LoginCluster@ federation, this tool should be run on the cluster that manages the user accounts, and will fail otherwise.
+
+h2. Example
+
+To sync users using the username to identify every account, reading from some @external_users.csv@ file and deactivating existing users that aren't included in it, the command should be called as follows:
+
+<notextile>
+<pre><code>~$ <span class="userinput">arvados-sync-users --deactivate-unlisted --user-id username /path/to/external_users.csv </span>
+</code></pre>
+</notextile>
h1. Using arvados-sync-groups
@@ -21,11 +65,6 @@ Users can be identified by their email address or username: the tool will check
Permission level can be one of the following: @can_read@, @can_write@ or @can_manage@, giving the group member read, read/write or managing privileges on the group. For backwards compatibility purposes, if any record omits the third (permission) field, it will default to @can_write@ permission. You can read more about permissions on the "group management admin guide":{{ site.baseurl }}/admin/group-management.html.
-This tool is designed to be run periodically reading a file created by a remote auth system (ie: LDAP) dump script, applying what's included on the file as the source of truth.
-
-
-bq. NOTE: @arvados-sync-groups@ needs to perform several administrative tasks on Arvados, so must be run using a superuser token
-
h2. Options
The following command line options are supported:
-----------------------------------------------------------------------
hooks/post-receive
--