[arvados] updated: 2.6.0-13-g153202359

git repository hosting git at public.arvados.org
Mon Apr 17 18:48:11 UTC 2023


Summary of changes:
 doc/install/setup-login.html.textile.liquid        |  24 ++++-
 .../api/app/controllers/database_controller.rb     |   2 +-
 services/api/lib/current_api_client.rb             | 106 ++++++++++-----------
 3 files changed, 76 insertions(+), 56 deletions(-)

       via  153202359752a4516dba5fdfad32e867052d1603 (commit)
       via  ce14d7325d9488b7595d2e6acc65904885c81361 (commit)
      from  d668948b481a9f055e85dcb3798d807f96681417 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 153202359752a4516dba5fdfad32e867052d1603
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Mon Apr 17 14:43:01 2023 -0400

    Merge branch '20123-access-token-doc' refs #20123
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 21b986fb8..a9991f642 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -45,7 +45,11 @@ Use the <a href="https://console.developers.google.com" target="_blank">Google D
 
 h2(#oidc). OpenID Connect
 
-With this configuration, users will sign in with a third-party OpenID Connect provider. The provider will supply appropriate values for the issuer URL, client ID, and client secret config entries.
+With this configuration, users will sign in with a third-party OpenID Connect provider such as GitHub, Auth0, Okta, or PingFederate.
+
+Similar to the Google login section above, you will need to register your Arvados cluster with the provider as an application (relying party). When asked for a redirect URL or callback URL, use @https://ClusterID.example.com/login@ (the external URL of your controller service, plus @/login@).
+
+The provider will supply an issuer URL, client ID, and client secret. Add these to your Arvados configuration.
 
 {% codeblock as yaml %}
     Login:
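Review bot: GitHub in the provider list on the "such as GitHub, Auth0, Okta, or PingFederate" line needs checking: GitHub's general-purpose sign-in is plain OAuth 2.0 and does not publish an OIDC issuer URL, so an admin following the next paragraph's instruction to "add the issuer URL, client ID, and client secret" will not get an issuer from it. Suggest dropping GitHub from that sentence or qualifying it, and keeping the list to providers that expose a standard OIDC issuer with discovery.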
@@ -56,6 +60,24 @@ With this configuration, users will sign in with a third-party OpenID Connect pr
         ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
 {% endcodeblock %}
 
+h3. Accepting OpenID bearer tokens as Arvados API tokens
+
+Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens by setting @Login.OpenIDConnect.AcceptAccessToken@ to @true at . This can be useful for integrating third party applications.
+
+{% codeblock as yaml %}
+    Login:
+      OpenIDConnect:
+        AcceptAccessToken: true
+        AcceptAccessTokenScope: "arvados"
+{% endcodeblock %}
+
+# If the provider-issued tokens are JWTs, and @Login.OpenIDConnect.AcceptAccessTokenScope@ is not empty, Arvados will check that the token contains the configured scope, and reject tokens that do not have the configured scope.  This can be used to control which users or applications are permitted to access your Arvados instance.
+# Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider.
+# Once validated, a token is cached and accepted without re-checking for up to 10 minutes.
+# A token that fails validation is cached and will not be re-checked for up to 5 minutes.
+# Network errors and HTTP 5xx responses from the provider's UserInfo endpoint are not cached.
+# The OIDC token cache size is currently limited to 1000 tokens, if the number of distinct tokens used in a 5 minute period is greater than this, tokens may be checked more frequently.
+
 Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
 
 h2(#ldap). LDAP
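Review bot: The numbered list should state the two consequences of the caching and scope rules an operator will care about. First, the scope check in the "If the provider-issued tokens are JWTs" item applies only to JWTs, so opaque provider tokens skip the @AcceptAccessTokenScope@ check entirely and are accepted on UserInfo success alone; say that explicitly so nobody relies on the scope as an access control for opaque tokens. Second, the "cached and accepted without re-checking for up to 10 minutes" item means a token revoked at the provider keeps working against Arvados for up to 10 minutes; a sentence such as "Revoking a token at the provider does not take effect in Arvados until the cache entry expires" would make that clear.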

commit ce14d7325d9488b7595d2e6acc65904885c81361
Author: Tom Clegg <tom at curii.com>
Date:   Mon Apr 17 11:06:54 2023 -0400

    Merge branch '20203-rails-cache'
    
    fixes #20203
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/services/api/app/controllers/database_controller.rb b/services/api/app/controllers/database_controller.rb
index 69453959d..6bcbd5279 100644
--- a/services/api/app/controllers/database_controller.rb
+++ b/services/api/app/controllers/database_controller.rb
@@ -61,7 +61,7 @@ class DatabaseController < ApplicationController
         ActiveRecord::FixtureSet.
           create_fixtures(Rails.root.join('test', 'fixtures'), fixturesets)
 
-        # Dump cache of permissions etc.
+        # Reset cache and global state
         Rails.cache.clear
         ActiveRecord::Base.connection.clear_query_cache
 
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index ee666b77a..7c99c911f 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -2,16 +2,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-$system_user = nil
-$system_group = nil
-$all_users_group = nil
-$anonymous_user = nil
-$anonymous_group = nil
-$anonymous_group_read_permission = nil
-$empty_collection = nil
-$public_project_group = nil
-$public_project_group_read_permission = nil
-
 module CurrentApiClient
   def current_user
     Thread.current[:user]
@@ -74,26 +64,26 @@ module CurrentApiClient
   end
 
   def system_user
-    $system_user = check_cache $system_user do
-      real_current_user = Thread.current[:user]
-      begin
-        Thread.current[:user] = User.new(is_admin: true,
-                                         is_active: true,
-                                         uuid: system_user_uuid)
+    real_current_user = Thread.current[:user]
+    begin
+      Thread.current[:user] = User.new(is_admin: true,
+                                       is_active: true,
+                                       uuid: system_user_uuid)
+      $system_user = check_cache($system_user) do
         User.where(uuid: system_user_uuid).
           first_or_create!(is_active: true,
                            is_admin: true,
                            email: 'root',
                            first_name: 'root',
                            last_name: '')
-      ensure
-        Thread.current[:user] = real_current_user
       end
+    ensure
+      Thread.current[:user] = real_current_user
     end
   end
 
   def system_group
-    $system_group = check_cache $system_group do
+    $system_group = check_cache($system_group) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           Group.where(uuid: system_group_uuid).
@@ -120,7 +110,7 @@ module CurrentApiClient
   end
 
   def all_users_group
-    $all_users_group = check_cache $all_users_group do
+    $all_users_group = check_cache($all_users_group) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           Group.where(uuid: all_users_group_uuid).
@@ -156,7 +146,7 @@ module CurrentApiClient
   end
 
   def anonymous_group
-    $anonymous_group = check_cache $anonymous_group do
+    $anonymous_group = check_cache($anonymous_group) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           Group.where(uuid: anonymous_group_uuid).
@@ -169,8 +159,7 @@ module CurrentApiClient
   end
 
   def anonymous_group_read_permission
-    $anonymous_group_read_permission =
-        check_cache $anonymous_group_read_permission do
+    $anonymous_group_read_permission = check_cache($anonymous_group_read_permission) do
       act_as_system_user do
         Link.where(tail_uuid: all_users_group.uuid,
                    head_uuid: anonymous_group.uuid,
@@ -181,7 +170,7 @@ module CurrentApiClient
   end
 
   def anonymous_user
-    $anonymous_user = check_cache $anonymous_user do
+    $anonymous_user = check_cache($anonymous_user) do
       act_as_system_user do
         User.where(uuid: anonymous_user_uuid).
           first_or_create!(is_active: false,
@@ -201,7 +190,7 @@ module CurrentApiClient
   end
 
   def public_project_group
-    $public_project_group = check_cache $public_project_group do
+    $public_project_group = check_cache($public_project_group) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           Group.where(uuid: public_project_uuid).
@@ -214,8 +203,7 @@ module CurrentApiClient
   end
 
   def public_project_read_permission
-    $public_project_group_read_permission =
-        check_cache $public_project_group_read_permission do
+    $public_project_group_read_permission = check_cache($public_project_group_read_permission) do
       act_as_system_user do
         Link.where(tail_uuid: anonymous_group.uuid,
                    head_uuid: public_project_group.uuid,
@@ -226,7 +214,7 @@ module CurrentApiClient
   end
 
   def anonymous_user_token_api_client
-    $anonymous_user_token_api_client = check_cache $anonymous_user_token_api_client do
+    $anonymous_user_token_api_client = check_cache($anonymous_user_token_api_client) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           ApiClient.find_or_create_by!(is_trusted: false, url_prefix: "", name: "AnonymousUserToken")
@@ -236,7 +224,7 @@ module CurrentApiClient
   end
 
   def system_root_token_api_client
-    $system_root_token_api_client = check_cache $system_root_token_api_client do
+    $system_root_token_api_client = check_cache($system_root_token_api_client) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           ApiClient.find_or_create_by!(is_trusted: true, url_prefix: "", name: "SystemRootToken")
@@ -250,7 +238,7 @@ module CurrentApiClient
   end
 
   def empty_collection
-    $empty_collection = check_cache $empty_collection do
+    $empty_collection = check_cache($empty_collection) do
       act_as_system_user do
         ActiveRecord::Base.transaction do
           Collection.
@@ -269,31 +257,41 @@ module CurrentApiClient
     end
   end
 
-  private
-
-  # If the given value is nil, or the cache has been cleared since it
-  # was set, yield. Otherwise, return the given value.
-  def check_cache value
-    if not Rails.env.test? and
-        ActionController::Base.cache_store.is_a? ActiveSupport::Cache::FileStore and
-        not File.owned? ActionController::Base.cache_store.cache_path
-      # If we don't own the cache dir, we're probably
-      # crunch-dispatch. Whoever we are, using this cache is likely to
-      # either fail or screw up the cache for someone else. So we'll
-      # just assume the $globals are OK to live forever.
-      #
-      # The reason for making the globals expire with the cache in the
-      # first place is to avoid leaking state between test cases: in
-      # production, we don't expect the database seeds to ever go away
-      # even when the cache is cleared, so there's no particular
-      # reason to expire our global variables.
+  # Purge the module globals if necessary. If the cached value is
+  # non-nil and the globals weren't purged, return the cached
+  # value. Otherwise, call the block.
+  #
+  # Purge is only done in test mode.
+  def check_cache(cached)
+    if Rails.env != 'test'
+      return (cached || yield)
+    end
+    t = Rails.cache.fetch "CurrentApiClient.$system_globals_reset" do
+      Time.now.to_f
+    end
+    if t != $system_globals_reset
+      reset_system_globals(t)
+      yield
     else
-      Rails.cache.fetch "CurrentApiClient.$globals" do
-        value = nil
-        true
-      end
+      cached || yield
     end
-    return value unless value.nil?
-    yield
   end
+
+  def reset_system_globals(t)
+    $system_globals_reset = t
+    $system_user = nil
+    $system_group = nil
+    $all_users_group = nil
+    $anonymous_group = nil
+    $anonymous_group_read_permission = nil
+    $anonymous_user = nil
+    $public_project_group = nil
+    $public_project_group_read_permission = nil
+    $anonymous_user_token_api_client = nil
+    $system_root_token_api_client = nil
+    $empty_collection = nil
+  end
+  module_function :reset_system_globals
 end
+
+CurrentApiClient.reset_system_globals(0)
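Review bot: Dropping the @private@ keyword (the removed "-  private" line at the top of this hunk) makes @check_cache@ a public instance method of every class that includes @CurrentApiClient@, which in a controller means it is listed among the controller's action methods; @reset_system_globals@ stays private as an instance method because @module_function@ makes it so, but @check_cache@ does not. Suggest restoring @private@ above @check_cache@ (the @module_function :reset_system_globals@ line still exposes @CurrentApiClient.reset_system_globals@ for the file-level call). The rest of the logic reads correctly: @reset_system_globals(0)@ at load guarantees the first test-mode call sees @t != $system_globals_reset@ and purges once, a cleared cache yields a fresh timestamp and purges again, and the non-test path never touches @Rails.cache@, which retires the old FileStore ownership workaround; it would be worth a one-line comment on @$system_globals_reset@ noting that it doubles as the "globals were initialized" sentinel.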

-----------------------------------------------------------------------

