X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/36b4a526be01a76eeb2ef2db645598f45f1de992..6d1c41d6fd83824669cd1a6d714ea6da1ae7ab4c:/lib/controller/federation/conn.go diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go index 7efbda8d12..b4b7476440 100644 --- a/lib/controller/federation/conn.go +++ b/lib/controller/federation/conn.go @@ -23,31 +23,37 @@ import ( "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/ctxlog" "git.arvados.org/arvados.git/sdk/go/health" + "github.com/jmoiron/sqlx" ) type Conn struct { + bgCtx context.Context cluster *arvados.Cluster local backend remotes map[string]backend } -func New(cluster *arvados.Cluster, vocHealthFunc *health.Func) *Conn { - local := localdb.NewConn(cluster) +func New(bgCtx context.Context, cluster *arvados.Cluster, healthFuncs *map[string]health.Func, getdb func(context.Context) (*sqlx.DB, error)) *Conn { + local := localdb.NewConn(bgCtx, cluster, getdb) remotes := map[string]backend{} for id, remote := range cluster.RemoteClusters { if !remote.Proxy || id == cluster.ClusterID { continue } - conn := rpc.NewConn(id, &url.URL{Scheme: remote.Scheme, Host: remote.Host}, remote.Insecure, saltedTokenProvider(local, id)) + conn := rpc.NewConn(id, &url.URL{Scheme: remote.Scheme, Host: remote.Host}, remote.Insecure, saltedTokenProvider(cluster, local, id)) // Older versions of controller rely on the Via header // to detect loops. conn.SendHeader = http.Header{"Via": {"HTTP/1.1 arvados-controller"}} remotes[id] = conn } - *vocHealthFunc = local.LastVocabularyError + if healthFuncs != nil { + hf := map[string]health.Func{"vocabulary": local.LastVocabularyError} + *healthFuncs = hf + } return &Conn{ + bgCtx: bgCtx, cluster: cluster, local: local, remotes: remotes, @@ -58,7 +64,7 @@ func New(cluster *arvados.Cluster, vocHealthFunc *health.Func) *Conn { // tokens from an incoming request context, determines whether they // should (and can) be salted for the given remoteID, and returns the // resulting tokens. -func saltedTokenProvider(local backend, remoteID string) rpc.TokenProvider { +func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID string) rpc.TokenProvider { return func(ctx context.Context) ([]string, error) { var tokens []string incoming, ok := auth.FromContext(ctx) @@ -66,6 +72,19 @@ func saltedTokenProvider(local backend, remoteID string) rpc.TokenProvider { return nil, errors.New("no token provided") } for _, token := range incoming.Tokens { + if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && + !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") && + remoteID == cluster.Login.LoginCluster { + // If we did this, the login cluster would call back to us and then + // reject our response because the user UUID prefix (i.e., the + // LoginCluster prefix) won't match the token UUID prefix (i.e., our + // prefix). The anonymous token is OK to forward, because (unlike other + // local tokens for real users) the validation callback will return the + // locally issued anonymous user ID instead of a login-cluster user ID. + // That anonymous user ID gets mapped to the local anonymous user + // automatically on the login cluster. + return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID) + } salted, err := auth.SaltToken(token, remoteID) switch err { case nil: @@ -159,20 +178,29 @@ func (conn *Conn) tryLocalThenRemotes(ctx context.Context, forwardedFor string, errchan <- fn(ctx, remoteID, be) }() } - all404 := true + returncode := http.StatusNotFound var errs []error for i := 0; i < cap(errchan); i++ { err := <-errchan if err == nil { return nil } - all404 = all404 && errStatus(err) == http.StatusNotFound errs = append(errs, err) + if code := errStatus(err); code >= 500 || code == http.StatusTooManyRequests { + // If any of the remotes have a retryable + // error (and none succeed) we'll return 502. + returncode = http.StatusBadGateway + } else if code != http.StatusNotFound && returncode != http.StatusBadGateway { + // If some of the remotes have non-retryable + // non-404 errors (and none succeed or have + // retryable errors) we'll return 422. + returncode = http.StatusUnprocessableEntity + } } - if all404 { + if returncode == http.StatusNotFound { return notFoundError{} } - return httpErrorf(http.StatusBadGateway, "errors: %v", errs) + return httpErrorf(returncode, "errors: %v", errs) } func (conn *Conn) CollectionCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Collection, error) { @@ -251,6 +279,26 @@ func (conn *Conn) Logout(ctx context.Context, options arvados.LogoutOptions) (ar return arvados.LogoutResponse{RedirectLocation: target.String()}, nil } +func (conn *Conn) AuthorizedKeyCreate(ctx context.Context, options arvados.CreateOptions) (arvados.AuthorizedKey, error) { + return conn.chooseBackend(options.ClusterID).AuthorizedKeyCreate(ctx, options) +} + +func (conn *Conn) AuthorizedKeyUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.AuthorizedKey, error) { + return conn.chooseBackend(options.UUID).AuthorizedKeyUpdate(ctx, options) +} + +func (conn *Conn) AuthorizedKeyGet(ctx context.Context, options arvados.GetOptions) (arvados.AuthorizedKey, error) { + return conn.chooseBackend(options.UUID).AuthorizedKeyGet(ctx, options) +} + +func (conn *Conn) AuthorizedKeyList(ctx context.Context, options arvados.ListOptions) (arvados.AuthorizedKeyList, error) { + return conn.generated_AuthorizedKeyList(ctx, options) +} + +func (conn *Conn) AuthorizedKeyDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.AuthorizedKey, error) { + return conn.chooseBackend(options.UUID).AuthorizedKeyDelete(ctx, options) +} + func (conn *Conn) CollectionGet(ctx context.Context, options arvados.GetOptions) (arvados.Collection, error) { if len(options.UUID) == 27 { // UUID is really a UUID @@ -260,6 +308,9 @@ func (conn *Conn) CollectionGet(ctx context.Context, options arvados.GetOptions) } return c, err } + if len(options.UUID) < 34 || options.UUID[32] != '+' { + return arvados.Collection{}, httpErrorf(http.StatusNotFound, "invalid UUID or PDH %q", options.UUID) + } // UUID is a PDH first := make(chan arvados.Collection, 1) err := conn.tryLocalThenRemotes(ctx, options.ForwardedFor, func(ctx context.Context, remoteID string, be backend) error { @@ -343,6 +394,10 @@ func (conn *Conn) ContainerUpdate(ctx context.Context, options arvados.UpdateOpt return conn.chooseBackend(options.UUID).ContainerUpdate(ctx, options) } +func (conn *Conn) ContainerPriorityUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.Container, error) { + return conn.chooseBackend(options.UUID).ContainerPriorityUpdate(ctx, options) +} + func (conn *Conn) ContainerGet(ctx context.Context, options arvados.GetOptions) (arvados.Container, error) { return conn.chooseBackend(options.UUID).ContainerGet(ctx, options) } @@ -359,10 +414,14 @@ func (conn *Conn) ContainerUnlock(ctx context.Context, options arvados.GetOption return conn.chooseBackend(options.UUID).ContainerUnlock(ctx, options) } -func (conn *Conn) ContainerSSH(ctx context.Context, options arvados.ContainerSSHOptions) (arvados.ContainerSSHConnection, error) { +func (conn *Conn) ContainerSSH(ctx context.Context, options arvados.ContainerSSHOptions) (arvados.ConnectionResponse, error) { return conn.chooseBackend(options.UUID).ContainerSSH(ctx, options) } +func (conn *Conn) ContainerGatewayTunnel(ctx context.Context, options arvados.ContainerGatewayTunnelOptions) (arvados.ConnectionResponse, error) { + return conn.chooseBackend(options.UUID).ContainerGatewayTunnel(ctx, options) +} + func (conn *Conn) ContainerRequestList(ctx context.Context, options arvados.ListOptions) (arvados.ContainerRequestList, error) { return conn.generated_ContainerRequestList(ctx, options) } @@ -425,6 +484,10 @@ func (conn *Conn) ContainerRequestDelete(ctx context.Context, options arvados.De return conn.chooseBackend(options.UUID).ContainerRequestDelete(ctx, options) } +func (conn *Conn) ContainerRequestLog(ctx context.Context, options arvados.ContainerLogOptions) (http.Handler, error) { + return conn.chooseBackend(options.UUID).ContainerRequestLog(ctx, options) +} + func (conn *Conn) GroupCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Group, error) { return conn.chooseBackend(options.ClusterID).GroupCreate(ctx, options) } @@ -492,6 +555,26 @@ func (conn *Conn) LinkDelete(ctx context.Context, options arvados.DeleteOptions) return conn.chooseBackend(options.UUID).LinkDelete(ctx, options) } +func (conn *Conn) LogCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Log, error) { + return conn.chooseBackend(options.ClusterID).LogCreate(ctx, options) +} + +func (conn *Conn) LogUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.Log, error) { + return conn.chooseBackend(options.UUID).LogUpdate(ctx, options) +} + +func (conn *Conn) LogGet(ctx context.Context, options arvados.GetOptions) (arvados.Log, error) { + return conn.chooseBackend(options.UUID).LogGet(ctx, options) +} + +func (conn *Conn) LogList(ctx context.Context, options arvados.ListOptions) (arvados.LogList, error) { + return conn.generated_LogList(ctx, options) +} + +func (conn *Conn) LogDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.Log, error) { + return conn.chooseBackend(options.UUID).LogDelete(ctx, options) +} + func (conn *Conn) SpecimenList(ctx context.Context, options arvados.ListOptions) (arvados.SpecimenList, error) { return conn.generated_SpecimenList(ctx, options) } @@ -512,6 +595,10 @@ func (conn *Conn) SpecimenDelete(ctx context.Context, options arvados.DeleteOpti return conn.chooseBackend(options.UUID).SpecimenDelete(ctx, options) } +func (conn *Conn) SysTrashSweep(ctx context.Context, options struct{}) (struct{}, error) { + return conn.local.SysTrashSweep(ctx, options) +} + var userAttrsCachedFromLoginCluster = map[string]bool{ "created_at": true, "email": true, @@ -533,6 +620,8 @@ var userAttrsCachedFromLoginCluster = map[string]bool{ "owner_uuid": false, "uuid": false, "writable_by": false, + "can_write": false, + "can_manage": false, } func (conn *Conn) batchUpdateUsers(ctx context.Context, @@ -712,6 +801,39 @@ func (conn *Conn) APIClientAuthorizationCurrent(ctx context.Context, options arv return conn.chooseBackend(options.UUID).APIClientAuthorizationCurrent(ctx, options) } +func (conn *Conn) APIClientAuthorizationCreate(ctx context.Context, options arvados.CreateOptions) (arvados.APIClientAuthorization, error) { + if conn.cluster.Login.LoginCluster != "" { + return conn.chooseBackend(conn.cluster.Login.LoginCluster).APIClientAuthorizationCreate(ctx, options) + } + ownerUUID, ok := options.Attrs["owner_uuid"].(string) + if ok && ownerUUID != "" { + return conn.chooseBackend(ownerUUID).APIClientAuthorizationCreate(ctx, options) + } + return conn.local.APIClientAuthorizationCreate(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.APIClientAuthorization, error) { + if options.BypassFederation { + return conn.local.APIClientAuthorizationUpdate(ctx, options) + } + return conn.chooseBackend(options.UUID).APIClientAuthorizationUpdate(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.APIClientAuthorization, error) { + return conn.chooseBackend(options.UUID).APIClientAuthorizationDelete(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationList(ctx context.Context, options arvados.ListOptions) (arvados.APIClientAuthorizationList, error) { + if id := conn.cluster.Login.LoginCluster; id != "" && id != conn.cluster.ClusterID && !options.BypassFederation { + return conn.chooseBackend(conn.cluster.Login.LoginCluster).APIClientAuthorizationList(ctx, options) + } + return conn.generated_APIClientAuthorizationList(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationGet(ctx context.Context, options arvados.GetOptions) (arvados.APIClientAuthorization, error) { + return conn.chooseBackend(options.UUID).APIClientAuthorizationGet(ctx, options) +} + type backend interface { arvados.API BaseURL() url.URL