Project

General

Profile

Actions

Feature #14262

closed

[Controller] Specify runtime_token when creating container requests on a remote cluster

Added by Tom Clegg about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
10/24/2018
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
2.0
Release:
Release relationship:
Auto

Description

When a client asks its home cluster to create a CR on a remote cluster, the resulting container should have privileges -- but the remote cluster cannot create a runtime token by itself that is capable of reading collections from any other cluster. Instead, the home cluster, when proxying the request, should use the runtime_token field to supply a token for the container to use.

When proxying a "create container request" request to a remote cluster, the controller should:
  • Check whether the current token is a local token with scopes=["all"] (if not, skip the rest)
  • Check whether a runtime_token was already supplied by the caller (if so, skip the rest)
  • Create a new api_client_authorizations record, with an expiry time set to (now + blob_signature_ttl), and use that as runtime_token in the proxied request

Subtasks 1 (0 open1 closed)

Task #14300: Review 14262-remote-containerResolvedTom Clegg10/24/2018

Actions

Related issues 2 (1 open1 closed)

Related to Arvados - Feature #14260: [API] Add "runtime_token" field to container_requestsResolvedPeter Amstutz10/15/2018

Actions
Related to Arvados - Feature #14200: [API] Reduce privilege exposure via API tokens in multi-cluster workflowsNew

Actions
Actions

Also available in: Atom PDF