[ARVADOS] updated: 1.1.0-42-gb509718

Git user git at public.curoverse.com
Thu Oct 19 15:50:35 EDT 2017


Summary of changes:
 .../controllers/arvados/v1/schema_controller.rb    | 11 +++++--
 services/api/app/middlewares/arvados_api_token.rb  | 12 ++++----
 .../api/app/models/api_client_authorization.rb     | 34 ++++++++++++++++++++++
 services/api/config/application.default.yml        | 13 +++++++++
 4 files changed, 62 insertions(+), 8 deletions(-)

       via  b5097189362f4cb1fb96d6993d570500a7e227ae (commit)
      from  0e659500b47d9bd4dc3e4c96167b3e55ac14082f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit b5097189362f4cb1fb96d6993d570500a7e227ae
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Oct 19 14:10:45 2017 -0400

    11453: Authorize tokens issued by remote servers.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/controllers/arvados/v1/schema_controller.rb b/services/api/app/controllers/arvados/v1/schema_controller.rb
index d5ba487..25736d3 100644
--- a/services/api/app/controllers/arvados/v1/schema_controller.rb
+++ b/services/api/app/controllers/arvados/v1/schema_controller.rb
@@ -17,7 +17,13 @@ class Arvados::V1::SchemaController < ApplicationController
 
   def index
     expires_in 24.hours, public: true
-    discovery = Rails.cache.fetch 'arvados_v1_rest_discovery' do
+    send_json discovery_doc
+  end
+
+  protected
+
+  def discovery_doc
+    Rails.cache.fetch 'arvados_v1_rest_discovery' do
       Rails.application.eager_load!
       discovery = {
         kind: "discovery#restDescription",
@@ -49,6 +55,8 @@ class Arvados::V1::SchemaController < ApplicationController
         crunchLogThrottleLines: Rails.application.config.crunch_log_throttle_lines,
         crunchLimitLogBytesPerJob: Rails.application.config.crunch_limit_log_bytes_per_job,
         crunchLogPartialLineThrottlePeriod: Rails.application.config.crunch_log_partial_line_throttle_period,
+        remoteHosts: Rails.configuration.remote_hosts,
+        remoteHostsViaDNS: Rails.configuration.remote_hosts_via_dns,
         websocketUrl: Rails.application.config.websocket_address,
         parameters: {
           alt: {
@@ -379,6 +387,5 @@ class Arvados::V1::SchemaController < ApplicationController
       end
       discovery
     end
-    send_json discovery
   end
 end
diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index dace944..be6bf04 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -28,18 +28,18 @@ class ArvadosApiToken
 
     auth = ApiClientAuthorization.
            validate(token: Thread.current[:supplied_token], remote: false)
-    if auth
-      auth.last_used_at = Time.now
-      auth.last_used_by_ip_address = remote_ip.to_s
-      auth.save validate: false
-    end
-
     Thread.current[:api_client_ip_address] = remote_ip
     Thread.current[:api_client_authorization] = auth
     Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
     Thread.current[:api_client] = auth.andand.api_client
     Thread.current[:user] = auth.andand.user
 
+    if auth
+      auth.last_used_at = Time.now
+      auth.last_used_by_ip_address = remote_ip.to_s
+      auth.save validate: false
+    end
+
     @app.call env if @app
   end
 end
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index eb9a8dc..e7903d4 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -6,6 +6,7 @@ class ApiClientAuthorization < ArvadosModel
   include HasUuid
   include KindAndEtag
   include CommonApiTemplate
+  extend CurrentApiClient
 
   belongs_to :api_client
   belongs_to :user
@@ -82,6 +83,12 @@ class ApiClientAuthorization < ArvadosModel
     ["#{table_name}.id desc"]
   end
 
+  def self.remote_host(uuid:)
+    Rails.configuration.remote_hosts[uuid[0..4]] ||
+      (Rails.configuration.remote_hosts_via_dns &&
+       uuid[0..4]+".arvadosapi.com")
+  end
+
   def self.validate(token:, remote:)
     return nil if !token
     remote ||= Rails.configuration.uuid_prefix
@@ -97,6 +104,33 @@ class ApiClientAuthorization < ArvadosModel
          (secret == auth.api_token ||
           secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
         return auth
+      elsif uuid[0..4] != Rails.configuration.uuid_prefix
+        # Token was issued by a different cluster. If it's expired or
+        # missing in our database, ask the originating cluster to
+        # [re]validate it.
+        arv = Arvados.new(api_host: remote_host(uuid: uuid),
+                          api_token: token)
+        remote_user = arv.user.current(remote_id: Rails.configuration.uuid_prefix)
+        if remote_user && remote_user[:uuid][0..4] == uuid[0..4]
+          act_as_system_user do
+            # Add/update user and token in our database so we can
+            # validate subsequent requests faster.
+            user = User.find_or_create_by(uuid: remote_user[:uuid])
+            user.update_attributes!(remote_user)
+            auth = ApiClientAuthorization.
+                   includes(:user).
+                   find_or_create_by(uuid: uuid,
+                                     api_token: token,
+                                     user: user,
+                                     api_client_id: 0)
+            # Accept this token (and don't reload the user record) for
+            # 5 minutes. TODO: Request the actual api_client_auth
+            # record from the remote server in case it wants the token
+            # to expire sooner.
+            auth.update_attributes!(expires_at: Time.now + 5.minutes)
+          end
+          return auth
+        end
       end
     else
       auth = ApiClientAuthorization.
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index 2f32556..47b4bf1 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -383,6 +383,19 @@ common:
   reuse_job_if_outputs_differ: false
 
   ###
+  ### Federation support.
+  ###
+
+  # Map known prefixes to hosts. Example:
+  # remote_hosts:
+  #   zzzzz: zzzzz.example.com
+  remote_hosts: {}
+
+  # Use {prefix}.arvadosapi.com for any prefix not given in
+  # remote_hosts above.
+  remote_hosts_via_dns: true
+
+  ###
   ### Remaining assorted configuration options.
   ###
 

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list