14406: Merge branch 'master'
[arvados.git] / services / api / app / models / container.rb
index 527881ba6e7d07b27c8a0c2ee4b465a20e823a85..cd763a8e7e1eb0d851f08517b730ddf9f230a113 100644 (file)
@@ -286,7 +286,7 @@ class Container < ArvadosModel
     log_reuse_info(candidates) { "after filtering on runtime_user_uuid #{attrs[:runtime_user_uuid].inspect}" }
 
     candidates = candidates.where('runtime_auth_scopes = ? or (runtime_user_uuid is NULL and runtime_auth_scopes is NULL)',
-                                  SafeJSON.dump(attrs[:runtime_auth_scopes]))
+                                  SafeJSON.dump(attrs[:runtime_auth_scopes].sort))
     log_reuse_info(candidates) { "after filtering on runtime_auth_scopes #{attrs[:runtime_auth_scopes].inspect}" }
 
     log_reuse_info { "checking for state=Complete with readable output and log..." }
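Review bot: `attrs[:runtime_auth_scopes].sort` raises NoMethodError when the attribute is nil, which the removed line serialized without error, and the `runtime_auth_scopes is NULL` branch of the same query suggests nil is a stored value. Whether nil can reach this line is not visible here (the method starts and ends outside the hunk), so either guard it with `SafeJSON.dump(attrs[:runtime_auth_scopes].andand.sort)` or add a comment stating that the caller always supplies an array. The same unguarded call is added in the last hunk, `self.runtime_auth_scopes = self.runtime_auth_scopes.sort`, and would raise there if the scopes are changed to nil. Reuse is decided by an exact match on the serialized scopes, so both sites must produce the same canonical form or containers with different scope sets may be compared inconsistently.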
@@ -393,14 +393,15 @@ class Container < ArvadosModel
   end
 
   def self.for_current_token
+    return if !current_api_client_authorization
     _, _, _, container_uuid = Thread.current[:token].split('/')
     if container_uuid.nil?
-      Container.where(auth_uuid: current_api_client_authorization.uuid)
+      Container.where(auth_uuid: current_api_client_authorization.uuid).first
     else
       Container.where('auth_uuid=? or (uuid=? and runtime_token=?)',
                       current_api_client_authorization.uuid,
                       container_uuid,
-                      current_api_client_authorization.token)
+                      current_api_client_authorization.token).first
     end
   end
 
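Review bot: `for_current_token` now returns nil or a single Container instead of a relation, and nothing on the method documents that. A comment above `def self.for_current_token`, such as `# Returns the Container the current token belongs to, or nil when there is no current authorization or no matching container.`, would make the nil case explicit for callers. The new guard covers a missing authorization, but `Thread.current[:token].split('/')` still assumes the thread-local token is set whenever an authorization is present; if that is not guaranteed elsewhere, include it in the guard. As a style point, `return if !current_api_client_authorization` reads more idiomatically as `return unless current_api_client_authorization`.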
@@ -492,10 +493,14 @@ class Container < ArvadosModel
       return false
     end
 
-    if current_api_client_authorization.andand.uuid.andand == self.auth_uuid
-      # The contained process itself can update progress indicators,
-      # but can't change priority etc.
-      permitted = permitted & (progress_attrs + final_attrs + [:state] - [:log])
+    if self.state == Running &&
+       !current_api_client_authorization.nil? &&
+       (current_api_client_authorization.uuid == self.auth_uuid ||
+        current_api_client_authorization.token == self.runtime_token)
+      # The contained process itself can write final attrs but can't
+      # change priority or log.
+      permitted.push *final_attrs
+      permitted = permitted - [:log, :priority]
     elsif self.locked_by_uuid && self.locked_by_uuid != current_api_client_authorization.andand.uuid
       # When locked, progress fields cannot be updated by the wrong
       # dispatcher, even though it has admin privileges.
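Review bot: The container-process branch changes from an allowlist to a denylist, because the removed line intersected `permitted` with a fixed set while the new lines add `final_attrs` and subtract only `[:log, :priority]`. `permitted` is built outside the hunk, so this is inferred, but any attribute added to the Running-state list later would become writable by the contained process without this branch being revisited. Keeping the intersection form is safer, for example `permitted = (permitted | final_attrs) & (progress_attrs + final_attrs + [:state] - [:log, :priority])`, assuming `progress_attrs` is still defined. `permitted.push *final_attrs` also mutates the array in place and triggers Ruby's ambiguous-splat warning, which `permitted + final_attrs` avoids. The secret comparison `current_api_client_authorization.token == self.runtime_token` could use `ActiveSupport::SecurityUtils.secure_compare` to avoid a timing-dependent match.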
@@ -603,6 +608,9 @@ class Container < ArvadosModel
     if self.scheduling_parameters_changed?
       self.scheduling_parameters = self.class.deep_sort_hash(self.scheduling_parameters)
     end
+    if self.runtime_auth_scopes_changed?
+      self.runtime_auth_scopes = self.runtime_auth_scopes.sort
+    end
   end
 
   def update_secret_mounts_md5