[ARVADOS] created: 1.2.0-150-g52cd03cd6
commit 52cd03cd6e2adccadbf4c382e104545038d930f9
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Fri Oct 5 16:40:33 2018 -0400
14260: Container runtime token wip
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/controllers/arvados/v1/containers_controller.rb b/services/api/app/controllers/arvados/v1/containers_controller.rb
index 65d8385ad..e1a8a019a 100644
--- a/services/api/app/controllers/arvados/v1/containers_controller.rb
+++ b/services/api/app/controllers/arvados/v1/containers_controller.rb
@@ -17,7 +17,15 @@ class Arvados::V1::ContainersController < ApplicationController
if @object.locked_by_uuid != Thread.current[:api_client_authorization].uuid
raise ArvadosModel::PermissionDeniedError.new("Not locked by your token")
end
- @object = @object.auth
+ if @object.auth.nil?
+ cr = ContainerRequest.
+ where('container_uuid=? and priority>0', self.uuid).
+ order('priority desc').
+ first
+ @object = ApiClientAuthorization.validate(token: cr.runtime_token)
+ else
+ @object = @object.auth
+ end
show
end
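Review bot: `self.uuid` in the new `where` clause refers to the controller instance, not the container being looked up, so the query should filter on `@object.uuid`. `first` can also return nil when no request with priority > 0 remains, in which case `cr.runtime_token` raises NoMethodError instead of a permission error, and `ApiClientAuthorization.validate` returning nil likewise leaves `@object` nil before `show` runs. I would change the query to `where('container_uuid=? and priority>0', @object.uuid).` and add `raise ArvadosModel::PermissionDeniedError.new("No runtime token available") if cr.nil? || cr.runtime_token.nil?` before the validate call, with a similar check on its result. The enclosing action begins before this hunk.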
diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 079ac4c29..075510e35 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -529,9 +529,21 @@ class Container < ArvadosModel
if !cr
return errors.add :auth_uuid, "cannot be assigned because priority <= 0"
end
- self.auth = ApiClientAuthorization.
- create!(user_id: User.find_by_uuid(cr.modified_by_user_uuid).id,
- api_client_id: 0)
+ if cr.runtime_token.nil?
+ self.auth = ApiClientAuthorization.
+ create!(user_id: User.find_by_uuid(cr.modified_by_user_uuid).id,
+ api_client_id: 0)
+ self.runtime_user_uuid = cr.modified_by_user_uuid
+ self.runtime_auth_scopes = self.auth.scopes
+ else
+ # using cr.runtime_token
+ runtime_auth = ApiClientAuthorization.validate(token: cr.runtime_token)
+ if runtime_auth.nil?
+ raise ArgumentError.new "Invalid runtime token"
+ end
+ self.runtime_user_uuid = User.find_by_id(runtime_auth.user_id).uuid
+ self.runtime_auth_scopes = runtime_auth.scopes
+ end
end
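Review bot: Error handling in the new `else` branch is inconsistent with the `!cr` case just above it: an invalid runtime token raises `ArgumentError` from inside a model callback, while the sibling branch reports through `errors.add`, so callers see different failure shapes for the same class of problem. `User.find_by_id(runtime_auth.user_id)` can also return nil, after which `.uuid` raises NoMethodError. I would replace the raise with `return errors.add :auth_uuid, "runtime token failed validation"` and guard the lookup with `runtime_user = User.find_by_id(runtime_auth.user_id)` followed by `return errors.add :auth_uuid, "runtime token user not found" if runtime_user.nil?`. This branch appears to leave `self.auth` unset on purpose (the controller then falls back to the request's runtime_token); that deserves a comment, since `runtime_auth_scopes` becomes the only record on the container of what the token was allowed to do. The enclosing method starts before this hunk.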
def sort_serialized_attrs
diff --git a/services/api/app/models/container_request.rb b/services/api/app/models/container_request.rb
index bbec42108..ede1dca7b 100644
--- a/services/api/app/models/container_request.rb
+++ b/services/api/app/models/container_request.rb
@@ -38,7 +38,8 @@ class ContainerRequest < ArvadosModel
validate :validate_state_change
validate :check_update_whitelist
validate :secret_mounts_key_conflict
- before_save :scrub_secret_mounts
+ validate :validate_runtime_token
+ before_save :scrub_secrets
before_create :set_requesting_container_uuid
before_destroy :set_priority_zero
after_save :update_priority
@@ -88,7 +89,7 @@ class ContainerRequest < ArvadosModel
AttrsPermittedAlways = [:owner_uuid, :state, :name, :description, :properties]
AttrsPermittedBeforeCommit = [:command, :container_count_max,
:container_image, :cwd, :environment, :filters, :mounts,
- :output_path, :priority,
+ :output_path, :priority, :runtime_token,
:runtime_constraints, :state, :container_uuid, :use_existing,
:scheduling_parameters, :secret_mounts, :output_name, :output_ttl]
@@ -97,7 +98,7 @@ class ContainerRequest < ArvadosModel
end
def logged_attributes
- super.except('secret_mounts')
+ super.except('secret_mounts', 'runtime_token')
end
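Review bot: Excluding `runtime_token` from `logged_attributes` covers the audit log, but I don't see a matching change to the API serialization of container_requests in this diff, so the stored bearer token may still be returned by GET/list responses to any user with read access to the request. The column necessarily holds the token in clear text (it is passed verbatim to `ApiClientAuthorization.validate`), so anyone who can read the request could act as the submitter unless it is stripped from responses the way `secret_mounts` is, or restricted to the request's owner. I'd also add a comment on the exclusion: `# runtime_token is a bearer credential: keep it out of logs, search and responses`.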
def state_transitions
@@ -165,7 +166,7 @@ class ContainerRequest < ArvadosModel
end
def self.full_text_searchable_columns
- super - ["mounts", "secret_mounts", "secret_mounts_md5"]
+ super - ["mounts", "secret_mounts", "secret_mounts_md5", "runtime_token"]
end
protected
@@ -343,9 +344,22 @@ class ContainerRequest < ArvadosModel
end
end
- def scrub_secret_mounts
+ def validate_runtime_token
+ if !self.runtime_token.nil?
+ if !runtime_token[0..2] == "v2/"
+ errors.add :runtime_token, "not a v2 token"
+ return
+ end
+ if ApiClientAuthorization.validate(token: cr.runtime_token).nil?
+ errors.add :runtime_token, "failed validation"
+ end
+ end
+ end
+
+ def scrub_secrets
if self.state == Final
self.secret_mounts = {}
+ self.runtime_token = nil
end
end
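Review bot: The prefix check in `validate_runtime_token` never fires: `!runtime_token[0..2] == "v2/"` parses as `(!runtime_token[0..2]) == "v2/"`, i.e. `false == "v2/"`, so any non-v2 token passes straight through; write it as `unless runtime_token.start_with?("v2/")`. The next check references `cr.runtime_token`, but `cr` is not defined in this instance method, so every save with a runtime_token set will raise NameError before the validation can report anything; it should read `ApiClientAuthorization.validate(token: runtime_token)`. Since validating a v2 token for a remote cluster presumably involves a remote lookup, consider wrapping the body in `if runtime_token_changed?` so routine updates to the request do not re-validate on each save. Clearing the token in `scrub_secrets` once the request is Final looks right.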
diff --git a/services/api/db/migrate/20181005192222_add_container_runtime_token.rb b/services/api/db/migrate/20181005192222_add_container_runtime_token.rb
index 007cbd00e..07151cd88 100644
--- a/services/api/db/migrate/20181005192222_add_container_runtime_token.rb
+++ b/services/api/db/migrate/20181005192222_add_container_runtime_token.rb
@@ -1,7 +1,7 @@
class AddContainerRuntimeToken < ActiveRecord::Migration
def change
add_column :container_requests, :runtime_token, :text, :null => true
- add_column :containers, :runtime_user_uuid, :text
- add_column :containers, :runtime_auth_scopes, :jsonb
+ add_column :containers, :runtime_user_uuid, :text, :null => true
+ add_column :containers, :runtime_auth_scopes, :jsonb, :null => true
end
end
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index c38c230b2..c812348a2 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -251,4 +251,23 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
assert_equal 'barney', json_response['username']
end
+ test "validate unsalted token for remote cluster zbbbb" do
+ auth = api_client_authorizations(:active)
+ token = "v2/#{auth.uuid}/#{auth.api_token}"
+ get '/arvados/v1/users/current', {format: 'json', remote: 'zbbbb'}, {
+ "HTTP_AUTHORIZATION" => "Bearer #{token}"
+ }
+ assert_response 200
+ assert_equal(users(:active).uuid, json_response['uuid'])
+ end
+
+
+ # test 'container request with remote runtime_token' do
+ # auth = api_client_authorizations(:active)
+ # token = "v2/#{auth.uuid.sub('zzzzz-', 'zbbbb-')}/#{auth.api_token}"
+
+ # post '/arvados/v1/container_requests', {"container_request": {}}, {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
+ # assert_response :success
+ # end
+
end
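Review bot: The commented-out "container request with remote runtime_token" test is dead code in a test file; either finish it (it needs a real container_request body and an assertion on what was stored) or drop it, and collapse the doubled blank line above it. The new "unsalted token" test presents a v2 token whose uuid keeps the local `zzzzz-` prefix together with `remote: 'zbbbb'` and expects 200; a one-line comment stating why that combination is expected to be accepted would help the next reader, since it is not obvious from the test name alone.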
commit 9e6bd16602ddae9b15066073b06527633ff63ff1
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Fri Oct 5 15:31:08 2018 -0400
14260: Migration adding runtime_token, runtime_user_uuid, runtime_auth_scopes
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/db/migrate/20181005192222_add_container_runtime_token.rb b/services/api/db/migrate/20181005192222_add_container_runtime_token.rb
new file mode 100644
index 000000000..007cbd00e
--- /dev/null
+++ b/services/api/db/migrate/20181005192222_add_container_runtime_token.rb
@@ -0,0 +1,7 @@
+class AddContainerRuntimeToken < ActiveRecord::Migration
+ def change
+ add_column :container_requests, :runtime_token, :text, :null => true
+ add_column :containers, :runtime_user_uuid, :text
+ add_column :containers, :runtime_auth_scopes, :jsonb
+ end
+end
diff --git a/services/api/db/structure.sql b/services/api/db/structure.sql
index f8d9b3f35..d1eb8d8d0 100644
--- a/services/api/db/structure.sql
+++ b/services/api/db/structure.sql
@@ -299,7 +299,8 @@ CREATE TABLE public.container_requests (
log_uuid character varying(255),
output_name character varying(255) DEFAULT NULL::character varying,
output_ttl integer DEFAULT 0 NOT NULL,
- secret_mounts jsonb DEFAULT '{}'::jsonb
+ secret_mounts jsonb DEFAULT '{}'::jsonb,
+ runtime_token text
);
@@ -355,7 +356,9 @@ CREATE TABLE public.containers (
scheduling_parameters text,
secret_mounts jsonb DEFAULT '{}'::jsonb,
secret_mounts_md5 character varying DEFAULT '99914b932bd37a50b983c5e7c90ae93b'::character varying,
- runtime_status jsonb DEFAULT '{}'::jsonb
+ runtime_status jsonb DEFAULT '{}'::jsonb,
+ runtime_user_uuid text,
+ runtime_auth_scopes jsonb
);
@@ -3171,3 +3174,5 @@ INSERT INTO schema_migrations (version) VALUES ('20180904110712');
INSERT INTO schema_migrations (version) VALUES ('20180917205609');
+INSERT INTO schema_migrations (version) VALUES ('20181005192222');
+