Tokens and User Impersonation
ICE ClusterWare™ users can create service tokens that impersonate their ClusterWare
permissions using the cw-adminctl token command. For example, you can set
up a token with a custom lifespan to be used to upload scheduler data to
ClusterWare. The following command creates a token for the current user that
lasts 7 days:
cw-adminctl token --lifespan 7d
See sched-watcher Deployment for an example of setting up sched_watcher
with an authentication token.
ClusterWare users with the AdminWrite permission can impersonate a different user, which allows them to complete actions like creating a ticket that appears to originate from another user. Alternatively, impersonation can be used to create a lower-permission token for system use. See Role-Based Access Control System for details about default roles and permissions.
Run the following command to generate a token for the user you want to impersonate:
cw-adminctl -i <otheruser> token
Where <otheruser> is replaced by the user ID of the user you want to
impersonate.
For example, if user admin1 runs the following command, a token will be
generated for user user1:
cw-adminctl -i user1 token
Note
If you are using Keycloak and want to impersonate another ClusterWare user, you first need to enable fine-grained permissions and the "impersonate" feature. See Impersonate Keycloak User for details.