# period.
LogUpdateSize: 32MiB
+ ShellAccess:
+ # An admin user can use "arvados-client shell" to start an
+ # interactive shell (with any user ID) in any running
+ # container.
+ Admin: false
+
+ # Any user can use "arvados-client shell" to start an
+ # interactive shell (with any user ID) in any running
+ # container that they started, provided it isn't also
+ # associated with a different user's container request.
+ #
+ # Interactive sessions make it easy to alter the container's
+ # runtime environment in ways that aren't recorded or
+ # reproducible. Consider the implications for automatic
+ # container reuse before enabling and using this feature. In
+ # particular, note that starting an interactive session does
+ # not disqualify a container from being reused by a different
+ # user/workflow in the future.
+ User: false
+
SLURM:
PrioritySpread: 0
SbatchArgumentsList: []
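Review bot: The comment on `Admin` does not say what happens to an admin user when `Admin` is false but `User` is true; from the accompanying handler change it appears the admin then falls through to the per-user rule and must own the container request, so a reader of this config alone cannot predict the outcome. Adding a sentence under the `Admin` key along the lines of `# When this is false, admin users are subject to the User rule below.` would close that gap. The same comment block is repeated in the second copy of this section further down the page, which presumably is the generated embedding of this file and would need the same text.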
"Containers.MaxRetryAttempts": true,
"Containers.MinRetryPeriod": true,
"Containers.ReserveExtraRAM": true,
+ "Containers.ShellAccess": true,
+ "Containers.ShellAccess.Admin": true,
+ "Containers.ShellAccess.User": true,
"Containers.SLURM": false,
"Containers.StaleLockTimeout": false,
"Containers.SupportedDockerImageFormats": true,
# period.
LogUpdateSize: 32MiB
+ ShellAccess:
+ # An admin user can use "arvados-client shell" to start an
+ # interactive shell (with any user ID) in any running
+ # container.
+ Admin: false
+
+ # Any user can use "arvados-client shell" to start an
+ # interactive shell (with any user ID) in any running
+ # container that they started, provided it isn't also
+ # associated with a different user's container request.
+ #
+ # Interactive sessions make it easy to alter the container's
+ # runtime environment in ways that aren't recorded or
+ # reproducible. Consider the implications for automatic
+ # container reuse before enabling and using this feature. In
+ # particular, note that starting an interactive session does
+ # not disqualify a container from being reused by a different
+ # user/workflow in the future.
+ User: false
+
SLURM:
PrioritySpread: 0
SbatchArgumentsList: []
if err != nil {
return
}
- if !user.IsAdmin {
+ if !user.IsAdmin || !conn.cluster.Containers.ShellAccess.Admin {
+ if !conn.cluster.Containers.ShellAccess.User {
+ err = httpserver.ErrorWithStatus(errors.New("shell access is disabled in config"), http.StatusServiceUnavailable)
+ return
+ }
ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
var crs arvados.ContainerRequestList
crs, err = conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
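Review bot: The new outer condition silently changes what the block below it means: it is no longer "caller is not an admin" but "admin-level access does not apply", and the ownership check that follows now also governs admin callers when `ShellAccess.Admin` is off, which is not obvious from the line itself. A comment above the new branch would help, e.g. `// Admin access is disabled or the caller is not an admin: fall back to the per-user path, which additionally requires the caller to own the container request.` The choice of 503 for a deliberately disabled feature is also worth a short comment, since clients and intermediaries may treat 503 as a transient backend failure and retry, whereas a policy refusal is usually conveyed as 403. The enclosing function starts and ends outside this hunk.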
c.Assert(err, check.IsNil)
}
+func (s *ContainerGatewaySuite) SetUpTest(c *check.C) {
+ s.cluster.Containers.ShellAccess.Admin = true
+ s.cluster.Containers.ShellAccess.User = true
+}
+
+func (s *ContainerGatewaySuite) TestConfig(c *check.C) {
+ for _, trial := range []struct {
+ configAdmin bool
+ configUser bool
+ sendToken string
+ errorCode int
+ }{
+ {true, true, arvadostest.ActiveTokenV2, 0},
+ {true, false, arvadostest.ActiveTokenV2, 503},
+ {false, true, arvadostest.ActiveTokenV2, 0},
+ {false, false, arvadostest.ActiveTokenV2, 503},
+ {true, true, arvadostest.AdminToken, 0},
+ {true, false, arvadostest.AdminToken, 0},
+ {false, true, arvadostest.AdminToken, 403},
+ {false, false, arvadostest.AdminToken, 503},
+ } {
+ c.Logf("trial %#v", trial)
+ s.cluster.Containers.ShellAccess.Admin = trial.configAdmin
+ s.cluster.Containers.ShellAccess.User = trial.configUser
+ ctx := auth.NewContext(s.ctx, &auth.Credentials{Tokens: []string{trial.sendToken}})
+ sshconn, err := s.localdb.ContainerSSH(ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
+ if trial.errorCode == 0 {
+ if !c.Check(err, check.IsNil) {
+ continue
+ }
+ if !c.Check(sshconn.Conn, check.NotNil) {
+ continue
+ }
+ sshconn.Conn.Close()
+ } else {
+ c.Check(err, check.NotNil)
+ err, ok := err.(interface{ HTTPStatus() int })
+ if c.Check(ok, check.Equals, true) {
+ c.Check(err.HTTPStatus(), check.Equals, trial.errorCode)
+ }
+ }
+ }
+}
+
func (s *ContainerGatewaySuite) TestConnect(c *check.C) {
c.Logf("connecting to %s", s.gw.Address)
sshconn, err := s.localdb.ContainerSSH(s.ctx, arvados.ContainerSSHOptions{UUID: s.ctrUUID})
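Review bot: The `{false, true, arvadostest.AdminToken, 403}` row only holds if the admin fixture user does not own `s.ctrUUID`, which nothing in this table states; a comment on that row such as `// admin is subject to the User rule here and does not own the container` would make the expectation self-explanatory. In the error branch, `err, ok := err.(interface{ HTTPStatus() int })` shadows the outer `err` with a differently typed variable, which is legal but easy to misread in a loop body; naming it `herr` (or similar) avoids the shadow. `sshconn.Conn.Close()` discards its error, which is fine for a cleanup in a test but could be wrapped in `c.Check` for consistency with the rest of the loop.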
LogUpdatePeriod Duration
LogUpdateSize ByteSize
}
+ ShellAccess struct {
+ Admin bool
+ User bool
+ }
SLURM struct {
PrioritySpread int64
SbatchArgumentsList []string
"GitInternalDir": os.path.join(SERVICES_SRC_DIR, 'api', 'tmp', 'internal.git'),
},
"SupportedDockerImageFormats": {"v1": {}},
+ "ShellAccess": {
+ "Admin": True,
+ "User": True,
+ },
},
"Volumes": {
"zzzzz-nyw5e-%015d"%n: {