[ARVADOS] created: 1.1.2-60-g7ec6b57

Git user git at public.curoverse.com
Mon Jan 15 17:30:42 EST 2018 

        at  7ec6b571c54af1ddd404488b2922c41dfdffdde1 (commit)


commit 7ec6b571c54af1ddd404488b2922c41dfdffdde1
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Jan 15 17:07:25 2018 -0500

    12705: Note 5 minute cache effect during user migration.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/doc/admin/merge-remote-account.html.textile.liquid b/doc/admin/merge-remote-account.html.textile.liquid
index 005332b..1ce35e9 100644
--- a/doc/admin/merge-remote-account.html.textile.liquid
+++ b/doc/admin/merge-remote-account.html.textile.liquid
@@ -43,3 +43,5 @@ arvados.api('v1').users().update_uuid(
     uuid="<span class="userinput">aaaaa-tpzed-abcdefghijklmno</span>",
     new_uuid="bbbbb-tpzed-"+random_chars).execute()
 </code></pre></notextile>
+
+After this is done and the migration is complete, the affected user should wait 5 minutes for the authorization cache to expire before using the remote cluster.

commit 87b24df10b354794904d6c3dea6258dd0f45adc3
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Jan 15 16:55:56 2018 -0500

    12705: Update authorized user when refreshing token cache.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 3af206c..b158faa 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -185,7 +185,10 @@ class ApiClientAuthorization < ArvadosModel
         # 5 minutes. TODO: Request the actual api_client_auth
         # record from the remote server in case it wants the token
         # to expire sooner.
-        auth.update_attributes!(expires_at: Time.now + 5.minutes)
+        auth.update_attributes!(user: user,
+                                api_token: secret,
+                                api_client_id: 0,
+                                expires_at: Time.now + 5.minutes)
       end
       return auth
     else
@@ -207,10 +210,8 @@ class ApiClientAuthorization < ArvadosModel
   end
 
   def permission_to_update
-    (permission_to_create and
-     not uuid_changed? and
-     not user_id_changed? and
-     not owner_uuid_changed?)
+    permission_to_create && !uuid_changed? &&
+      (current_user.andand.is_admin || !user_id_changed?)
   end
 
   def log_update
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 591bbaf..6d7f4a0 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -104,6 +104,13 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
     get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
     assert_response 401
 
+    # simulate cached token indicating wrong user (e.g., local user
+    # entry was migrated out of the way taking the cached token with
+    # it, or authorizing cluster reassigned auth to a different user)
+    ApiClientAuthorization.where(
+      uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).
+      update_all(user_id: users(:active).id)
+
     # revive original token and re-authorize
     @stub_status = 200
     @stub_content[:username] = 'blarney'

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list