Using Tokens with the ClusterWareAI API and Tools#

ClusterWareAI ™ administrators can create a token with a custom lifespan either for themselves or, if they have the FullAdmin or Manager role, for another user. The token is used for authentication when attempting ClusterWareAI actions. See Tokens and User Impersonation for details.

The following examples detail possible use cases for tokens that impersonate users with limited permissions.

Using Impersonation Tokens to Set Attributes via API#

This example creates a token for a user in the Manager role and for a user in the Production Engineer role. The tokens are added to a login node, n0, and used to view and modify node attributes via the ClusterWareAI API. A user in the Manager role should not be able to modify node attributes, while a user in the Production Engineer role can.

As either a FullAdmin or Manager user:

  1. Create new users with the Manager role and the Production Engineer role:

    cw-adminctl create name=Manager roles=role.Manager
    cw-adminctl create name=ProdEng roles=role.ProductionEngineer
    
  2. Generate temporary tokens for the new users that last for one day:

    cw-adminctl -i Manager token --lifetime 1d --outfile manager.token
    cw-adminctl -i ProdEng token --lifetime 1d --outfile prodeng.token
    
  3. Copy the tokens to a directory that exists on the login node:

    cw-nodectl -i n0 scp prodeng.token manager.token r:/root/mytokens/
    
  4. Use the Manager token to list the attributes for node n1:

    baseurl="<head node IP>/api/v1"   # Replace with your head node IP address
    curlcmd="curl --insecure --silent"
    
    auth="Authorization: Bearer $(jq -r .access_token < manager.token)"
    ${curlcmd} --header "${auth}" ${baseurl}/whoami | jq
    ${curlcmd} --header "${auth}" ${baseurl}/node/n1/attributes | jq
    
  5. Use the Manager token to try to update an attribute. This results in a 403 permissions error.

    ${curlcmd} -v --header "${auth}" --request PUT --data '{"_boot_config": "GPUBoot"}' ${baseurl}/node/n1/attributes | jq
    
  6. Use the Production Engineer token to list the attributes for node n1:

    auth="Authorization: Bearer $(jq -r .access_token < prodeng.token)"
    ${curlcmd} --header "${auth}" ${baseurl}/whoami | jq
    ${curlcmd} --header "${auth}" ${baseurl}/node/n1/attributes | jq
    
  7. Use the Production Engineer token to update an attribute on node n1:

    ${curlcmd} --header "${auth}" --request PUT --data '{"_boot_style": "rwram"}' ${baseurl}/node/n1/attributes | jq
    ${curlcmd} --header "${auth}" ${baseurl}/node/n1/attributes | jq
    

Using Impersonation Tokens to Update Images via CLI Tools#

This example creates a token for a trusted cluster user in the Production Engineer role. The token is added to a login node, n0, and used to modify the image contents of node n10 using the ClusterWareAI CLI tools.

As either a FullAdmin or Manager user:

  1. Create a user with the Production Engineer role:

    cw-adminctl create name=ProdEng roles=role.ProductionEngineer
    
  2. Generate a temporary token for the new user that lasts for one day:

    cw-adminctl -i ProdEng token --lifetime 1d --outfile prodeng.token
    
  3. Copy the token to a directory that exists on the login node:

    cw-nodectl -i n0 scp prodeng.token r:/root/mytokens/
    
  4. On login node n0, install the clusterware-tools package:

    dnf install clusterware-tools
    
  5. On login node n0, modify the .scyldcw/settings.ini file to add the following line:

    client.authtkn = /root/mytokens/prodeng.token
    

    ClusterWareAI commands are now run as the ProdEng user.

  6. As the ProdEng user, review the contents of the image associated with node n10:

    cw-modimg -i n10 --query
    
  7. Update the image with the OpenMPI package:

    cw-modimg -i Rocky9Img --install openmpi5.0.9 --chroot --no-discard --overwrite --upload