[ARVADOS] updated: 2.1.0-295-gb36492a0a

Git user git at public.arvados.org
Thu Jan 21 22:00:42 UTC 2021


Summary of changes:
 lib/controller/localdb/container_gateway.go | 28 +++++++++++++++-------------
 lib/crunchrun/container_gateway.go          | 11 +++++++----
 2 files changed, 22 insertions(+), 17 deletions(-)

       via  b36492a0a569b9116ccf156430c901f4002d8814 (commit)
       via  3c972761eada11023194a48b619d451d3f3c1854 (commit)
      from  4046a93e9f5b47771b10cd48c4357a452ed6dc6a (commit)



commit b36492a0a569b9116ccf156430c901f4002d8814
Author: Tom Clegg <tom at curii.com>
Date:   Thu Jan 21 17:00:00 2021 -0500

    17170: Re-word comment, document ...-Login-Username header.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/crunchrun/container_gateway.go b/lib/crunchrun/container_gateway.go
index 3764a8a43..d234e9341 100644
--- a/lib/crunchrun/container_gateway.go
+++ b/lib/crunchrun/container_gateway.go
@@ -126,8 +126,9 @@ func (gw *Gateway) Start() error {
 	return nil
 }
 
-// handleSSH connects to an SSH server that runs commands as root in
-// the container. The tunnel itself can only be created by an
+// handleSSH connects to an SSH server that allows the caller to run
+// interactive commands as root (or any other desired user) inside the
+// container. The tunnel itself can only be created by an
 // authenticated caller, so the SSH server itself is wide open (any
 // password or key will be accepted).
 //
@@ -140,10 +141,12 @@ func (gw *Gateway) Start() error {
 // hmac(AuthSecret,certfingerprint) (this prevents other containers
 // and shell nodes from connecting directly)
 //
-// Optional header:
+// Optional headers:
 //
-// X-Arvados-Detach-Keys: argument to "docker attach --detach-keys",
+// X-Arvados-Detach-Keys: argument to "docker exec --detach-keys",
 // e.g., "ctrl-p,ctrl-q"
+// X-Arvados-Login-Username: argument to "docker exec --user": account
+// used to run command(s) inside the container.
 func (gw *Gateway) handleSSH(w http.ResponseWriter, req *http.Request) {
 	// In future we'll handle browser traffic too, but for now the
 	// only traffic we expect is an SSH tunnel from
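Review bot: The new X-Arvados-Login-Username line documents the header only as "argument to docker exec --user", which leaves callers guessing what forms are accepted and whether choosing a non-root account limits anything; since the same comment block says any authenticated caller gets root, it should be explicit that the header is a convenience, not a privilege boundary. Suggested wording: `// X-Arvados-Login-Username: argument to "docker exec --user" (e.g. "user", "uid" or "uid:gid"): account used to run command(s) inside the container. Convenience only, not a restriction — an authenticated caller can always choose root.` Whether the value is validated or passed through verbatim to docker is not visible in this hunk; if it is passed through as-is, say so in the comment so a later reader does not assume a sanitizing step exists. handleSSH's body continues past the end of the hunk.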

commit 3c972761eada11023194a48b619d451d3f3c1854
Author: Tom Clegg <tom at curii.com>
Date:   Thu Jan 21 16:54:56 2021 -0500

    17170: Allow admin users to run commands in any container.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/container_gateway.go b/lib/controller/localdb/container_gateway.go
index 807995b3c..ca968cf20 100644
--- a/lib/controller/localdb/container_gateway.go
+++ b/lib/controller/localdb/container_gateway.go
@@ -38,21 +38,23 @@ func (conn *Conn) ContainerSSH(ctx context.Context, opts arvados.ContainerSSHOpt
 	if err != nil {
 		return
 	}
-
-	ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
-	crs, err := conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
-	if err != nil {
-		return
-	}
-	for _, cr := range crs.Items {
-		if cr.ModifiedByUserUUID != user.UUID {
-			err = httpserver.ErrorWithStatus(errors.New("permission denied: container is associated with requests submitted by other users"), http.StatusForbidden)
+	if !user.IsAdmin {
+		ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
+		var crs arvados.ContainerRequestList
+		crs, err = conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
+		if err != nil {
+			return
+		}
+		for _, cr := range crs.Items {
+			if cr.ModifiedByUserUUID != user.UUID {
+				err = httpserver.ErrorWithStatus(errors.New("permission denied: container is associated with requests submitted by other users"), http.StatusForbidden)
+				return
+			}
+		}
+		if crs.ItemsAvailable != len(crs.Items) {
+			err = httpserver.ErrorWithStatus(errors.New("incomplete response while checking permission"), http.StatusInternalServerError)
 			return
 		}
-	}
-	if crs.ItemsAvailable != len(crs.Items) {
-		err = httpserver.ErrorWithStatus(errors.New("incomplete response while checking permission"), http.StatusInternalServerError)
-		return
 	}
 
 	switch ctr.State {
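Review bot: The non-admin branch is fail-open when the container has no container requests: the loop over crs.Items only denies on an item whose ModifiedByUserUUID differs from the caller, so an empty list (however it arises) falls through to the state switch, unless the container lookup above the hunk already limits non-admins to containers they can read — that lookup is not visible here. A deny-by-default guard before the loop, `if len(crs.Items) == 0 { err = httpserver.ErrorWithStatus(errors.New("permission denied: container has no container requests"), http.StatusForbidden); return }`, keeps the check closed even if the earlier lookup uses the root token. Separately, the comparison is on `ModifiedByUserUUID` while the message says "submitted by other users"; a request last touched by someone else (an admin cancelling or reprioritising it, for instance) would lock out its own submitter, so comparing against the request's owner or submitter field, if the API exposes one, would match the stated intent. ContainerSSH starts before and continues after this hunk.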
