[ARVADOS] updated: 2.1.0-2165-g442ddf0be
Git user
git at public.arvados.org
Fri Mar 25 13:12:53 UTC 2022
Summary of changes:
lib/controller/federation/conn.go | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
via 442ddf0be3bdc9c28d839aaa4476a67f8feea19b (commit)
from e05c465b519928314fd7e8d0f1856b082fa16787 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 442ddf0be3bdc9c28d839aaa4476a67f8feea19b
Author: Ward Vandewege <ward at curii.com>
Date: Fri Mar 25 09:11:53 2022 -0400
18887: it is OK for controller to forward the local anonymous token,
because all anonymous tokens get mapped to the local anonymous
token on every cluster.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index d3819f626..2eabf4464 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -69,14 +69,15 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin
return nil, errors.New("no token provided")
}
for _, token := range incoming.Tokens {
- if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && remoteID == cluster.Login.LoginCluster {
- // If we did this, the login cluster
- // would call back to us and then
- // reject our response because the
- // user UUID prefix (i.e., the
- // LoginCluster prefix) won't match
- // the token UUID prefix (i.e., our
- // prefix).
+ if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") &&
+ !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") &&
+ remoteID == cluster.Login.LoginCluster {
+ // If we did this, the login cluster would call back to us and then
+ // reject our response because the user UUID prefix (i.e., the
+ // LoginCluster prefix) won't match the token UUID prefix (i.e., our
+ // prefix). The anonymous token is OK to forward, because it gets
+ // mapped to the local anonymous token automatically on the login
+ // cluster.
return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
}
salted, err := auth.SaltToken(token, remoteID)
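Review bot: The exemption on the added `!strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/")` line is decided only by the UUID part of a caller-supplied token string, so any token presenting that UUID is salted and forwarded whatever its secret is. The new comment should say that validation of such a token is left entirely to the login cluster, for example `// Only the UUID part is checked here; the login cluster must still validate the token.` The `-gj3su-anonymouspublic` literal would read better as a named constant, and the shared prefix can be computed once before the loop with `localPrefix := "v2/" + cluster.ClusterID + "-"` instead of being rebuilt twice per token. The summary lists one changed file, so no test in this commit pins that a non-anonymous local token still gets the 401 while the anonymous one is forwarded; a case for each would guard the condition against later edits. saltedTokenProvider begins and ends outside this hunk.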
-----------------------------------------------------------------------
hooks/post-receive
--