# Notebook for Updating the Service Accounts in the Token Generator Role

When creating a new tenant, a list of services is provided for the `token_gen_services` attribute. The value of this
attribute is a list of strings, where each string is the name of a service allowed to create tokens
on behalf of end users.

Sometimes, administrators may need to modify the list of such services. This notebook provides scripts that
can be used to do that.

In [None]:
pip install tapipy


In [None]:
from tapipy.tapis import Tapis

import requests
# Set the base_url to the admin tenant of the instance in which you would like to update the token generators.
base_url = ''
# Example:
# base_url = 'https://admin.develop.tapis.io'

# Set the id of the admin tenant for your site:
tenant_id = ''

# Example:
# tenant_id = "admin"

In [None]:
# We require a service JWT representing the Tokens API at the primary site.
# To get one, exec into the token container and run the following Python:
# # # from service.auth import t
# # # t.service_tokens['admin']['access_token'].access_token

# Example:
# tokens_jwt = 'eyJ0eX...'

tokens_jwt = ''

# ------------------------------------------

# create a tapipy client representing the tokens service -
from tapipy.tapis import Tapis
t = Tapis(base_url=base_url, access_token=tokens_jwt, is_tapis_service=True, tenant_id=tenant_id)
headers = {'X-Tapis-Token': tokens_jwt, 'X-Tapis-Tenant': tenant_id, 'X-Tapis-User': 'tokens'}

# check access with the tokens jwt; keep the response so its status can be inspected -
rsp = t.tenants.get_tenant(tenant_id=tenant_id, headers=headers)
rsp.status

## List the Token Generators for a Tenant

Token generators are authorized to generate tokens for specific user tenants.
First, we'll list which services can currently generate tokens for a user tenant.

In [None]:
# The user tenant to list token generators in
user_tenant = ''

# Example:
# user_tenant = 'dev'

token_generator_role = f"{user_tenant}_token_generator"
t.sk.getUsersWithRole(roleName=token_generator_role, tenant=tenant_id, headers=headers)

## Add New Token Generators for a Tenant

We can add new service names to the token generator role to allow them to 
generate tokens on behalf of users.

In [None]:
# The user tenant to add token generators to
user_tenant = ''

# Example:
# user_tenant = 'dev'

# The service account to grant the token generator role to:
token_generator_service = ''

# Example:
# token_generator_service = 'authenticator2'

token_generator_role = f"{user_tenant}_token_generator"
t.sk.grantRole(roleName=token_generator_role, tenant=tenant_id, user=token_generator_service, headers=headers)

At this point, you should probably run the `getUsersWithRole` function in the previous section to 
confirm that the account was added.

## Remove Services from the Token Generator Role

We can also remove services from the list of token generators.

In [None]:
# The user tenant to remove token generators from
user_tenant = ''

# Example:
# user_tenant = 'dev'

# The service account to remove the token generator role from:
service_to_remove = ''

# Example:
# service_to_remove = 'authenticator2'

token_generator_role = f"{user_tenant}_token_generator"
t.sk.revokeUserRole(roleName=token_generator_role, tenant=tenant_id, user=service_to_remove, headers=headers)

At this point, you should probably run the `getUsersWithRole` function from the listing section above to
confirm that the account was removed.
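The list, grant, revoke and confirm steps above can be combined into one reconciliation pass that brings the role's holders in line with an intended list and fails if the final read-back differs. This is an added example, not part of the original notebook: `plan_changes`, `reconcile_token_generators` and `FakeSK` are hypothetical names, the sample service names are constructed, and it assumes the `getUsersWithRole` result exposes the holders as a `names` list.

```python
from types import SimpleNamespace


def plan_changes(current, desired):
    """Return (to_grant, to_revoke) as sorted lists of service names."""
    current, desired = set(current), set(desired)
    return sorted(desired - current), sorted(current - desired)


def reconcile_token_generators(t, user_tenant, desired, tenant_id, headers, dry_run=True):
    """Make the holders of <user_tenant>_token_generator match `desired`."""
    role = f"{user_tenant}_token_generator"
    common = dict(roleName=role, tenant=tenant_id, headers=headers)
    # Assumption: the SK result exposes the role holders as a `names` list.
    current = t.sk.getUsersWithRole(**common).names
    to_grant, to_revoke = plan_changes(current, desired)
    if not dry_run:
        for svc in to_grant:
            t.sk.grantRole(user=svc, **common)
        for svc in to_revoke:
            t.sk.revokeUserRole(user=svc, **common)
        # Read the role back and fail loudly if it does not match the intent.
        final = set(t.sk.getUsersWithRole(**common).names)
        if final != set(desired):
            raise RuntimeError(f"{role}: holders {sorted(final)} != {sorted(desired)}")
    return {"role": role, "grant": to_grant, "revoke": to_revoke, "applied": not dry_run}


class FakeSK:
    """Constructed in-memory stand-in for t.sk so the example runs offline."""

    def __init__(self, names):
        self._names = set(names)

    def getUsersWithRole(self, roleName, tenant, headers):
        return SimpleNamespace(names=sorted(self._names))

    def grantRole(self, roleName, tenant, user, headers):
        self._names.add(user)

    def revokeUserRole(self, roleName, tenant, user, headers):
        self._names.discard(user)


if __name__ == "__main__":
    # Constructed sample state: two current holders, one of them not intended.
    fake = SimpleNamespace(sk=FakeSK(["authenticator", "abaco"]))
    print(reconcile_token_generators(fake, "dev", ["authenticator", "authenticator2"], "admin", {}))
```

With the real client, pass `t`, `tenant_id` and `headers` from the cells above and review the dry-run plan before calling again with `dry_run=False`.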