X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a78762353971ea3707bcf92960a12557d66fb9af..0fc359fb99b0c3fe661e091d103edaa76eefa633:/lib/controller/federation/conn.go diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go index d1bf473d76..2eabf44647 100644 --- a/lib/controller/federation/conn.go +++ b/lib/controller/federation/conn.go @@ -69,14 +69,15 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin return nil, errors.New("no token provided") } for _, token := range incoming.Tokens { - if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && remoteID == cluster.Login.LoginCluster { - // If we did this, the login cluster - // would call back to us and then - // reject our response because the - // user UUID prefix (i.e., the - // LoginCluster prefix) won't match - // the token UUID prefix (i.e., our - // prefix). + if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && + !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") && + remoteID == cluster.Login.LoginCluster { + // If we did this, the login cluster would call back to us and then + // reject our response because the user UUID prefix (i.e., the + // LoginCluster prefix) won't match the token UUID prefix (i.e., our + // prefix). The anonymous token is OK to forward, because it gets + // mapped to the local anonymous token automatically on the login + // cluster. return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID) } salted, err := auth.SaltToken(token, remoteID) @@ -525,6 +526,10 @@ func (conn *Conn) SpecimenDelete(ctx context.Context, options arvados.DeleteOpti return conn.chooseBackend(options.UUID).SpecimenDelete(ctx, options) } +func (conn *Conn) SysTrashSweep(ctx context.Context, options struct{}) (struct{}, error) { + return conn.local.SysTrashSweep(ctx, options) +} + var userAttrsCachedFromLoginCluster = map[string]bool{ "created_at": true, "email": true, @@ -725,6 +730,39 @@ func (conn *Conn) APIClientAuthorizationCurrent(ctx context.Context, options arv return conn.chooseBackend(options.UUID).APIClientAuthorizationCurrent(ctx, options) } +func (conn *Conn) APIClientAuthorizationCreate(ctx context.Context, options arvados.CreateOptions) (arvados.APIClientAuthorization, error) { + if conn.cluster.Login.LoginCluster != "" { + return conn.chooseBackend(conn.cluster.Login.LoginCluster).APIClientAuthorizationCreate(ctx, options) + } + ownerUUID, ok := options.Attrs["owner_uuid"].(string) + if ok && ownerUUID != "" { + return conn.chooseBackend(ownerUUID).APIClientAuthorizationCreate(ctx, options) + } + return conn.local.APIClientAuthorizationCreate(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.APIClientAuthorization, error) { + if options.BypassFederation { + return conn.local.APIClientAuthorizationUpdate(ctx, options) + } + return conn.chooseBackend(options.UUID).APIClientAuthorizationUpdate(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.APIClientAuthorization, error) { + return conn.chooseBackend(options.UUID).APIClientAuthorizationDelete(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationList(ctx context.Context, options arvados.ListOptions) (arvados.APIClientAuthorizationList, error) { + if id := conn.cluster.Login.LoginCluster; id != "" && id != conn.cluster.ClusterID && !options.BypassFederation { + return conn.chooseBackend(conn.cluster.Login.LoginCluster).APIClientAuthorizationList(ctx, options) + } + return conn.generated_APIClientAuthorizationList(ctx, options) +} + +func (conn *Conn) APIClientAuthorizationGet(ctx context.Context, options arvados.GetOptions) (arvados.APIClientAuthorization, error) { + return conn.chooseBackend(options.UUID).APIClientAuthorizationGet(ctx, options) +} + type backend interface { arvados.API BaseURL() url.URL