17755: Merge branch 'main' into 17755-add-singularity-to-compute-image

[arvados.git] / lib / controller / federation.go

diff --git a/lib/controller/federation.go b/lib/controller/federation.go
index aceaba8087ad2031413516c2671f75174c457fae..144d41c21beb62213195d537d32bca8fa9650f99 100644 (file)
--- a/lib/controller/federation.go
+++ b/lib/controller/federation.go
@@ -94,20 +94,12 @@ func (h *Handler) setupProxyRemoteCluster(next http.Handler) http.Handler {
 
        wfHandler := &genericFederatedRequestHandler{next, h, wfRe, nil}
        containersHandler := &genericFederatedRequestHandler{next, h, containersRe, nil}
-       containerRequestsHandler := &genericFederatedRequestHandler{next, h, containerRequestsRe,
-               []federatedRequestDelegate{remoteContainerRequestCreate}}
-       collectionsRequestsHandler := &genericFederatedRequestHandler{next, h, collectionsRe,
-               []federatedRequestDelegate{fetchRemoteCollectionByUUID, fetchRemoteCollectionByPDH}}
        linksRequestsHandler := &genericFederatedRequestHandler{next, h, linksRe, nil}
 
        mux.Handle("/arvados/v1/workflows", wfHandler)
        mux.Handle("/arvados/v1/workflows/", wfHandler)
        mux.Handle("/arvados/v1/containers", containersHandler)
        mux.Handle("/arvados/v1/containers/", containersHandler)
-       mux.Handle("/arvados/v1/container_requests", containerRequestsHandler)
-       mux.Handle("/arvados/v1/container_requests/", containerRequestsHandler)
-       mux.Handle("/arvados/v1/collections", collectionsRequestsHandler)
-       mux.Handle("/arvados/v1/collections/", collectionsRequestsHandler)
        mux.Handle("/arvados/v1/links", linksRequestsHandler)
        mux.Handle("/arvados/v1/links/", linksRequestsHandler)
        mux.Handle("/", next)
@@ -263,17 +255,20 @@ func (h *Handler) saltAuthToken(req *http.Request, remote string) (updatedReq *h
                return updatedReq, nil
        }
 
+       ctxlog.FromContext(req.Context()).Debugf("saltAuthToken: cluster %s token %s remote %s", h.Cluster.ClusterID, creds.Tokens[0], remote)
        token, err := auth.SaltToken(creds.Tokens[0], remote)
 
-       if err == auth.ErrObsoleteToken {
-               // If the token exists in our own database, salt it
-               // for the remote. Otherwise, assume it was issued by
-               // the remote, and pass it through unmodified.
+       if err == auth.ErrObsoleteToken || err == auth.ErrTokenFormat {
+               // If the token exists in our own database for our own
+               // user, salt it for the remote. Otherwise, assume it
+               // was issued by the remote, and pass it through
+               // unmodified.
                currentUser, ok, err := h.validateAPItoken(req, creds.Tokens[0])
                if err != nil {
                        return nil, err
-               } else if !ok {
-                       // Not ours; pass through unmodified.
+               } else if !ok || strings.HasPrefix(currentUser.UUID, remote) {
+                       // Unknown, or cached + belongs to remote;
+                       // pass through unmodified.
                        token = creds.Tokens[0]
                } else {
                        // Found; make V2 version and salt it.