14262: Only create runtime_token on home cluster for the authorization
authorPeter Amstutz <pamstutz@veritasgenetics.com>
Wed, 31 Oct 2018 17:45:58 +0000 (13:45 -0400)
committerPeter Amstutz <pamstutz@veritasgenetics.com>
Wed, 31 Oct 2018 20:46:25 +0000 (16:46 -0400)
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>

lib/controller/fed_containers.go

index a3c292583f2df626f2323449f93ff3752d746a3d..fc627d3fafeb7000e5e3d78eb0efed257b92abe3 100644 (file)
@@ -81,12 +81,15 @@ func remoteContainerRequestCreate(
                        return true
                }
 
-               newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
-               if err != nil {
-                       httpserver.Error(w, err.Error(), http.StatusForbidden)
-                       return true
+               // Must be home cluster for this authorization
+               if currentUser.Authorization.UUID[0:5] == h.handler.Cluster.ClusterID {
+                       newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
+                       if err != nil {
+                               httpserver.Error(w, err.Error(), http.StatusForbidden)
+                               return true
+                       }
+                       containerRequest["runtime_token"] = newtok.TokenV2()
                }
-               containerRequest["runtime_token"] = newtok.TokenV2()
        }
 
        newbody, err := json.Marshal(request)
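Review bot: The new guard slices `currentUser.Authorization.UUID[0:5]` without checking its length, so an empty or short authorization UUID would panic in the request handler rather than simply skipping token creation. Because this comparison decides whether a runtime token is minted, I would make it explicit and bounds-safe: `if uuid := currentUser.Authorization.UUID; len(uuid) >= 5 && uuid[:5] == h.handler.Cluster.ClusterID {`. The comment could also say what happens on the other path, e.g. `// Not the home cluster for this authorization: forward the request without a runtime_token`, since the request now proceeds silently with no token set. The body of remoteContainerRequestCreate starts and ends outside this hunk, so whether the UUID is validated earlier cannot be confirmed from here.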