projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
18887: address review comments.
[arvados.git] / lib / controller / federation / conn.go
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 2eabf44647662f8aed07230110ee33f98f156b9d..1b8ec9e64a6e01138a1bfc58a599a78eb2f0e44b 100644 (file)
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -75,9 +75,11 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin
                                // If we did this, the login cluster would call back to us and then
                                // reject our response because the user UUID prefix (i.e., the
                                // LoginCluster prefix) won't match the token UUID prefix (i.e., our
-                               // prefix). The anonymous token is OK to forward, because it gets
-                               // mapped to the local anonymous token automatically on the login
-                               // cluster.
+                               // prefix). The anonymous token is OK to forward, because (unlike other
+                               // local tokens for real users) the validation callback will return the
+                               // locally issued anonymous user ID instead of a login-cluster user ID.
+                               // That anonymous user ID gets mapped to the local anonymous user
+                               // automatically on the login cluster.
                                return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
                        }
                        salted, err := auth.SaltToken(token, remoteID)