[arvados-dev] recording user logins

Tim Pierce twp at curoverse.com
Thu Jan 2 18:03:20 EST 2014


Hey folks --

We haven't yet really been using the arvados-dev list, so I thought I might
as well kick it off.

For recording user logins, I came up with this:

1. Arvados login credentials (ARVADOS_API_TOKEN, ARVADOS_API_HOST, etc.)
should go in a $HOME/.arvados file instead of .bashrc.

2. A script in /etc/profile.d/arvados.sh checks whether this file exists;
if so, it sources it and issues an `arv log create' command to add a log
table entry of type LOGIN.

3. User login history for a given user uuid can be retrieved with:
    arv log list --where '{"event_type":"LOGIN", "owner_uuid":"qr1hi-owner-uuid"}'

Some of the pros of this scheme:
* Doesn't require changes or extensions to the models
* Sets the groundwork for having a uniform way for clients to find Arvados
auth credentials

Cons:
* Logins are arguably more like system-level events and should be logged by
the system user
* Opens potential confusion if the user generates LOGIN events of their own
* User can delete their own login records
* If user changes their shell to csh or zsh, they will no longer run
/etc/profile.d scripts

Our immediate goal is to have a way to tell quickly whether a user has
executed any interactive logins at all, so I think this is sufficient on
that front. Going forward, we should discuss how important it is to have
privilege separation for these events and the best way to go about doing
that.

--t.
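
One way to write the /etc/profile.d/arvados.sh script from step 2, added here as an example; it is not part of the original message and is not Arvados project code. It assumes $HOME/.arvados holds plain NAME=value lines and that `arv log create` takes the new record as JSON through --log; the function name arvados_record_login is hypothetical.

```sh
# /etc/profile.d/arvados.sh -- sourced by /etc/profile in sh-compatible login shells.
# Assumed: $HOME/.arvados holds plain NAME=value lines, and `arv log create`
# accepts the new record as JSON via --log (argument form not given in the post).

arvados_record_login() {
    _arv_creds="${1:-$HOME/.arvados}"

    # No readable credentials file: not an Arvados user, nothing to record.
    if [ ! -f "$_arv_creds" ] || [ ! -r "$_arv_creds" ]; then
        unset _arv_creds
        return 0
    fi

    # Source with auto-export so later arv commands in the session
    # see the credentials.
    set -a
    . "$_arv_creds"
    set +a
    unset _arv_creds

    # Skip quietly if the file did not define a usable token and host,
    # or if the arv client is not installed on this machine.
    [ -n "${ARVADOS_API_TOKEN:-}" ] && [ -n "${ARVADOS_API_HOST:-}" ] || return 0
    command -v arv >/dev/null 2>&1 || return 0

    # A failed API call must never break the login, so discard its
    # output and ignore its exit status.
    arv log create --log '{"event_type":"LOGIN"}' >/dev/null 2>&1 || true
    return 0
}

# Record interactive logins only.
case "$-" in
    *i*) arvados_record_login ;;
esac
```

Because the script runs as the logging-in user with that user's own token, the LOGIN record it creates is owned by the user, which is why the cons listed in the message (self-generated or deleted records) apply to it.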