[ARVADOS] updated: 1.2.0-297-gb5b9be4f0
Git user
git at public.curoverse.com
Wed Oct 31 16:46:49 EDT 2018
Summary of changes:
lib/controller/fed_containers.go | 13 +++++---
services/api/app/models/container.rb | 12 +++++---
services/api/test/unit/container_test.rb | 52 +++++++++++++++++++++-----------
3 files changed, 50 insertions(+), 27 deletions(-)
via b5b9be4f0de954052c91ab8dbfbfe0c101f004c4 (commit)
via 365ee0f6bb330046ef276cf8f937bc4c1ae7d69f (commit)
from 7f223f48c24dfa8c3d8247f8e48656a5edca7ea5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit b5b9be4f0de954052c91ab8dbfbfe0c101f004c4
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Wed Oct 31 16:40:19 2018 -0400
14262: Fix permissions so runtime_token can set container progress/output
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 0d8453174..cd763a8e7 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -493,10 +493,14 @@ class Container < ArvadosModel
return false
end
- if current_api_client_authorization.andand.uuid.andand == self.auth_uuid
- # The contained process itself can update progress indicators,
- # but can't change priority etc.
- permitted = permitted & (progress_attrs + final_attrs + [:state] - [:log])
+ if self.state == Running &&
+ !current_api_client_authorization.nil? &&
+ (current_api_client_authorization.uuid == self.auth_uuid ||
+ current_api_client_authorization.token == self.runtime_token)
+ # The contained process itself can write final attrs but can't
+ # change priority or log.
+ permitted.push *final_attrs
+ permitted = permitted - [:log, :priority]
elsif self.locked_by_uuid && self.locked_by_uuid != current_api_client_authorization.andand.uuid
# When locked, progress fields cannot be updated by the wrong
# dispatcher, even though it has admin privileges.
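Review bot: The new auth_uuid/runtime_token branch widens `permitted` by pushing `final_attrs` and then subtracting `[:log, :priority]`, whereas the removed line intersected `permitted` with an explicit allow-list (`progress_attrs + final_attrs + [:state] - [:log]`); anything already in `permitted` outside that list (its construction is above the hunk, so I cannot see it) remains writable by the contained process. If the intent is still "progress, output, state and nothing else", keep the intersection form, e.g. `permitted &= (progress_attrs + final_attrs + [:state]) - [:log, :priority]`. `permitted.push *final_attrs` also mutates the array in place instead of rebinding as the replaced line did — if `permitted` aliases a frozen or shared list this raises or leaks the additions to other callers; `permitted += final_attrs` avoids both, and a bare splat argument should be parenthesised (`permitted.push(*final_attrs)`) since Ruby warns on it. The enclosing method starts and ends outside the hunk.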
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 491022ad8..90b4f13bf 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -777,25 +777,41 @@ class ContainerTest < ActiveSupport::TestCase
assert_equal [logpdh_time2], Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq
end
- test "auth_uuid can set output, progress, runtime_status, state on running container -- but not log" do
- set_user_from_auth :active
- c, _ = minimal_new
- set_user_from_auth :dispatch1
- c.lock
- c.update_attributes! state: Container::Running
-
- auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
- Thread.current[:api_client_authorization] = auth
- Thread.current[:api_client] = auth.api_client
- Thread.current[:token] = auth.token
- Thread.current[:user] = auth.user
+ ["auth_uuid", "runtime_token"].each do |tok|
+ test "#{tok} can set output, progress, runtime_status, state on running container -- but not log" do
+ if tok == "runtime_token"
+ set_user_from_auth :spectator
+ c, _ = minimal_new(container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
+ runtime_token: api_client_authorizations(:active).token)
+ else
+ set_user_from_auth :active
+ c, _ = minimal_new
+ end
+ set_user_from_auth :dispatch1
+ c.lock
+ c.update_attributes! state: Container::Running
+
+ if tok == "runtime_token"
+ auth = ApiClientAuthorization.validate(token: c.runtime_token)
+ Thread.current[:api_client_authorization] = auth
+ Thread.current[:api_client] = auth.api_client
+ Thread.current[:token] = auth.token
+ Thread.current[:user] = auth.user
+ else
+ auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
+ Thread.current[:api_client_authorization] = auth
+ Thread.current[:api_client] = auth.api_client
+ Thread.current[:token] = auth.token
+ Thread.current[:user] = auth.user
+ end
- assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
- assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
- assert c.update_attributes(progress: 0.5)
- refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
- c.reload
- assert c.update_attributes(state: Container::Complete, exit_code: 0)
+ assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
+ assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
+ assert c.update_attributes(progress: 0.5)
+ refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
+ c.reload
+ assert c.update_attributes(state: Container::Complete, exit_code: 0)
+ end
end
test "not allowed to set output that is not readable by current user" do
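Review bot: The two arms of the second `if tok == "runtime_token"` differ only in how `auth` is looked up; the four `Thread.current[...]` assignments are duplicated verbatim in both arms. Hoisting the lookup into a conditional assignment and keeping one copy of the thread-local setup makes the per-token difference explicit and keeps the two cases from drifting apart. Separately, both loop iterations exercise only the positive path on a Running container; a further case asserting that an unrelated valid token (neither `auth_uuid` nor `runtime_token`) is refused `output`/`progress`, and that the `auth_uuid` path no longer applies when the container is not Running, would pin the permission change this commit makes — unless the file already covers that outside the hunk.
```ruby
      c.update_attributes! state: Container::Running

      auth = if tok == "runtime_token"
               ApiClientAuthorization.validate(token: c.runtime_token)
             else
               ApiClientAuthorization.find_by_uuid(c.auth_uuid)
             end
      Thread.current[:api_client_authorization] = auth
      Thread.current[:api_client] = auth.api_client
      Thread.current[:token] = auth.token
      Thread.current[:user] = auth.user
      # … unchanged: update_attributes assertions …
```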
commit 365ee0f6bb330046ef276cf8f937bc4c1ae7d69f
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Wed Oct 31 13:45:58 2018 -0400
14262: Only create runtime_token on home cluster for the authorization
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/lib/controller/fed_containers.go b/lib/controller/fed_containers.go
index a3c292583..fc627d3fa 100644
--- a/lib/controller/fed_containers.go
+++ b/lib/controller/fed_containers.go
@@ -81,12 +81,15 @@ func remoteContainerRequestCreate(
return true
}
- newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
- if err != nil {
- httpserver.Error(w, err.Error(), http.StatusForbidden)
- return true
+ // Must be home cluster for this authorization
+ if currentUser.Authorization.UUID[0:5] == h.handler.Cluster.ClusterID {
+ newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
+ if err != nil {
+ httpserver.Error(w, err.Error(), http.StatusForbidden)
+ return true
+ }
+ containerRequest["runtime_token"] = newtok.TokenV2()
}
- containerRequest["runtime_token"] = newtok.TokenV2()
}
newbody, err := json.Marshal(request)
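Review bot: `currentUser.Authorization.UUID[0:5]` on the new `if` line panics with an index-out-of-range if the authorization UUID is shorter than five bytes (an empty UUID when the token did not resolve to a row, for example), so a malformed or foreign credential becomes a crash in the handler rather than a refused request. A prefix check avoids the slice entirely: `if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID+"-") {` (needs `strings` imported if the file does not already have it). Whether `Authorization` can itself be nil here I cannot tell from the hunk; if it is a pointer, guard that too. The comment `// Must be home cluster for this authorization` would read better stating the consequence: `// Only the home cluster for this authorization can mint a runtime_token; otherwise the request proceeds without one.` The enclosing function remoteContainerRequestCreate starts and ends outside the hunk.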