Feature #14260
Updated by Tom Clegg over 6 years ago
When creating a container request, a client can specify an API token to be used in a container. When running a container on a cluster other than the requesting user's home cluster, this allows the container to read collections on other clusters.
runtime_token:
* if provided, must be a valid v2 API token
* is not provided in API responses (similar to secret_mounts)
* can be retrieved by the dispatcher that has the lock using the @/arvados/v1/containers/$uuid/auth@ API (as usual)
* can be set to a valid token when creating a container request
* is validated by the API server before creating the container request
* is used instead of a random secret in Container#assign_auth
* is ignored when considering containers for reuse
* is scrubbed when the container is final
The given token's user_uuid and scopes are stored in two additional new container fields, @runtime_user_uuid@ (string) and @runtime_auth_scopes@ (jsonb). These *are* considered significant in container reuse decisions.