Arvados Docs
WARNING - you are viewing the documentation for an old version of Arvados. For the latest version, click here.
  1. Topics
    1. Arvados admin overview
  2. Upgrading and migrations
    1. Upgrading Arvados and Release notes
    2. Migrating from Docker 1.9
    3. Upgrading to Containers API
  3. Users and Groups
    1. User management at the CLI
    2. User activation
    3. Migrating a user to a federated account
    4. Migrating account providers
    5. Synchronizing external groups
  4. Monitoring
    1. Health checks
    2. Metrics
    3. Management token
  5. Cloud
    1. Configuring storage classes
    2. Using AWS Spot instances
  6. Other
    1. Configuring collection versioning
    2. Configuring federation

Migrating a user to a federated account

When you use federation capabilities to connect two or more clusters that were already operating, some users might already have accounts on multiple clusters. Typically, they will want to choose a single account on one of the clusters and abandon the rest, transferring all data or permissions from their old “remote” accounts to a single “home” account.

This effect can be achieved by changing the UUIDs of the user records on the remote clusters. This should be done before the user has ever used federation features to access cluster B with cluster A credentials. Otherwise, see “managing conflicting accounts” below.

For example, a user might have:

  • an account A on cluster A with uuid aaaaa-tpzed-abcdefghijklmno, and
  • an account B on cluster B with uuid bbbbb-tpzed-lmnopqrstuvwxyz

An administrator at cluster B can merge the two accounts by renaming account B to account A.

#!/usr/bin/env python
import arvados
arvados.api('v1').users().update_uuid(
    uuid="bbbbb-tpzed-lmnopqrstuvwxyz",
    new_uuid="aaaaa-tpzed-abcdefghijklmno").execute()

This should be done when the user is idle, i.e., not logged in and not running any jobs or containers.

Managing conflicting accounts

If the user has already used federation capabilities to access cluster B using account A before the above migration has been done, this will have already created a database entry for account A on cluster B, and the above program will error out. To fix this, the same update_uuid API call can be used to move the conflicting account out of the way first.

#!/usr/bin/env python
import arvados
import random
import string
random_chars = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(15))
arvados.api('v1').users().update_uuid(
    uuid="aaaaa-tpzed-abcdefghijklmno",
    new_uuid="bbbbb-tpzed-"+random_chars).execute()

After this is done and the migration is complete, the affected user should wait 5 minutes for the authorization cache to expire before using the remote cluster.

Previous: User activation Next: Migrating account providers

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.