projects / arvados.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 1a456ca) | patch
14262: Use container token for access to load Docker image
authorPeter Amstutz <pamstutz@veritasgenetics.com>
Tue, 16 Oct 2018 19:43:12 +0000 (15:43 -0400)
committerPeter Amstutz <pamstutz@veritasgenetics.com>
Tue, 30 Oct 2018 18:12:02 +0000 (14:12 -0400)
commit9469bd48034a3ffd4470dcd987c35cf5a97f819e
treee9cc6b7c6c586a7f73f8798625ed7378cff5a5d7tree | snapshot
parent1a456cacf09f4ca0223f343bfd565848cb92def2commit | diff
14262: Use container token for access to load Docker image

Previously used Dispatcher token, which created a security race
condition (you couldn't set a container image that you didn't have
access to, but if your access was revoked it the meantime, the
container would still run.)

Also tweaked API server to allow a PDH for the container image spec
with no further checking (so the API server doesn't have to go out and
search the federation.)  This is no longer a security hazard since it
is now using a user token and not the dispatcher token.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>
services/api/app/models/container.rb diff | blob | history
services/crunch-run/crunchrun.go diff | blob | history