Project

General

Custom queries

Profile

Actions

Feature #14262

closed

[Controller] Specify runtime_token when creating container requests on a remote cluster

Added by Tom Clegg over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
10/24/2018
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
2.0
Release:
Release relationship:
Auto

Description

When a client asks its home cluster to create a CR on a remote cluster, the resulting container should have privileges -- but the remote cluster cannot create a runtime token by itself that is capable of reading collections from any other cluster. Instead, the home cluster, when proxying the request, should use the runtime_token field to supply a token for the container to use.

When proxying a "create container request" request to a remote cluster, the controller should:
  • Check whether the current token is a local token with scopes=["all"] (if not, skip the rest)
  • Check whether a runtime_token was already supplied by the caller (if so, skip the rest)
  • Create a new api_client_authorizations record, with an expiry time set to (now + blob_signature_ttl), and use that as runtime_token in the proxied request

Subtasks 1 (0 open1 closed)

Task #14300: Review 14262-remote-containerResolvedTom Clegg10/24/2018

Actions

Related issues 2 (1 open1 closed)

Related to Arvados - Feature #14260: [API] Add "runtime_token" field to container_requestsResolvedPeter Amstutz10/15/2018

Actions
Related to Arvados - Feature #14200: [API] Reduce privilege exposure via API tokens in multi-cluster workflowsNew

Actions
#1

Updated by Tom Clegg over 6 years ago

  • Related to Feature #14260: [API] Add "runtime_token" field to container_requests added
#2

Updated by Tom Clegg over 6 years ago

  • Story points set to 2.0
#3

Updated by Peter Amstutz over 6 years ago

  • Related to Feature #14200: [API] Reduce privilege exposure via API tokens in multi-cluster workflows added
#4

Updated by Peter Amstutz about 6 years ago

  • Assigned To set to Peter Amstutz
  • Target version set to 2018-10-17 sprint
#5

Updated by Peter Amstutz about 6 years ago

  • Target version changed from 2018-10-17 sprint to Arvados Future Sprints
#7

Updated by Peter Amstutz about 6 years ago

  • Target version changed from Arvados Future Sprints to 2018-10-17 sprint
#8

Updated by Peter Amstutz about 6 years ago

  • Status changed from New to In Progress
  • Target version changed from 2018-10-17 sprint to 2018-10-31 sprint
#15

Updated by Peter Amstutz about 6 years ago

  • Target version changed from 2018-10-31 sprint to 2018-11-14 Sprint
#22

Updated by Peter Amstutz about 6 years ago

  • Status changed from In Progress to Resolved
#23

Updated by Tom Morris about 6 years ago

  • Release set to 14
Actions

Also available in: Atom PDF