[ARVADOS] updated: 2.1.0-2166-ge7b749c93

Git user git at public.arvados.org
Mon Mar 28 20:20:18 UTC 2022


Summary of changes:
 doc/admin/upgrading.html.textile.liquid | 2 +-
 lib/config/load.go                      | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

       via  e7b749c937b70f388111d008eca4631787768a30 (commit)
      from  442ddf0be3bdc9c28d839aaa4476a67f8feea19b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit e7b749c937b70f388111d008eca4631787768a30
Author: Ward Vandewege <ward at curii.com>
Date:   Mon Mar 28 16:18:16 2022 -0400

    18887: undo the warning introduced in 18676 if a v2 anonymous token is
           supplied in the config file, using a v2 anonymous token is now
           fine. Also add a config loader check for the minimum secret
           length if a v2 token is acceptable.
    
    refs #18887, #18676
    
    Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 1ed3b694c..97f6ce2f8 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -46,7 +46,7 @@ The minimum supported Ruby version is now 2.6.  If you are running Arvados on De
 
 h3. Anonymous token changes
 
-The anonymous token configured in @Users.AnonymousUserToken@ must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary. If the anonymous token in @config.yml@ is specified as a full V2 token, that will now generate a warning - it should be updated to list just the secret (i.e. the part after the last forward slash).
+The anonymous token configured in @Users.AnonymousUserToken@ must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The @script/get_anonymous_user_token.rb@ script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary.
 
 h3. Preemptible instance support changes
 
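Review bot: the paragraph that remains still says the 32-character minimum "is enforced", but the checkToken lines visible in lib/config/load.go in this same commit only log a warning (Warnf) when a token or V2 secret is too short, so the wording overstates what the config loader does. With the V2 sentence removed, the paragraph also no longer tells an administrator that a full V2 token is accepted in @Users.AnonymousUserToken@, or that the length minimum applies to the secret part of such a token. Suggest adding one sentence that states both.
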
diff --git a/lib/config/load.go b/lib/config/load.go
index de43b9d2e..5afb51c5a 100644
--- a/lib/config/load.go
+++ b/lib/config/load.go
@@ -369,10 +369,12 @@ func (ldr *Loader) checkToken(label, token string, mandatory bool, acceptV2 bool
 		if !strings.HasPrefix(token, "v2/") {
 			return fmt.Errorf("%s: unacceptable characters in token (only a-z, A-Z, 0-9 are acceptable)", label)
 		}
-		ldr.Logger.Warnf("%s: token is a full V2 token, should just be a secret (remove everything up to and including the last forward slash)", label)
 		if !acceptableTokenRe.MatchString(tmp[2]) {
 			return fmt.Errorf("%s: unacceptable characters in V2 token secret (only a-z, A-Z, 0-9 are acceptable)", label)
 		}
+		if len(tmp[2]) < acceptableTokenLength {
+			ldr.Logger.Warnf("%s: secret is too short (should be at least %d characters)", label, acceptableTokenLength)
+		}
 	} else if len(token) < acceptableTokenLength {
 		if ldr.Logger != nil {
 			ldr.Logger.Warnf("%s: token is too short (should be at least %d characters)", label, acceptableTokenLength)
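
Review bot: the added ldr.Logger.Warnf call in the V2 branch is not wrapped in "if ldr.Logger != nil", while the else-if branch directly below guards the same kind of call, so a Loader with a nil Logger would hit a nil dereference here on a short V2 secret instead of logging. Wrap the new call in the same nil check. Separately, a too-short secret only produces a warning and checkToken carries on; if the 32-character minimum described in upgrading.html.textile.liquid is meant to be enforced, this branch should return an error the way the character checks above it do, and either way the new length check deserves a test case for a short V2 secret.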

-----------------------------------------------------------------------


hooks/post-receive