18887: it is OK for controller to forward the local anonymous token,
authorWard Vandewege <ward@curii.com>
Fri, 25 Mar 2022 13:11:53 +0000 (09:11 -0400)
committerWard Vandewege <ward@curii.com>
Fri, 25 Mar 2022 13:11:53 +0000 (09:11 -0400)
       because all anonymous tokens get mapped to the local anonymous
       token on every cluster.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward@curii.com>

lib/controller/federation/conn.go

index d3819f6262df8f7df4134753d0359e1d04e12950..2eabf44647662f8aed07230110ee33f98f156b9d 100644 (file)
@@ -69,14 +69,15 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin
                        return nil, errors.New("no token provided")
                }
                for _, token := range incoming.Tokens {
-                       if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && remoteID == cluster.Login.LoginCluster {
-                               // If we did this, the login cluster
-                               // would call back to us and then
-                               // reject our response because the
-                               // user UUID prefix (i.e., the
-                               // LoginCluster prefix) won't match
-                               // the token UUID prefix (i.e., our
-                               // prefix).
+                       if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") &&
+                               !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") &&
+                               remoteID == cluster.Login.LoginCluster {
+                               // If we did this, the login cluster would call back to us and then
+                               // reject our response because the user UUID prefix (i.e., the
+                               // LoginCluster prefix) won't match the token UUID prefix (i.e., our
+                               // prefix). The anonymous token is OK to forward, because it gets
+                               // mapped to the local anonymous token automatically on the login
+                               // cluster.
                                return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID)
                        }
                        salted, err := auth.SaltToken(token, remoteID)
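Review bot: The exemption added in the new condition is decided purely from the unverified UUID segment of the token string, so any token whose UUID part reads `<ClusterID>-gj3su-anonymouspublic` bypasses the local rejection and is forwarded, whatever its secret; this is safe only because the login cluster still validates the salted token (presumably — that step is not visible here), and the comment should say so, e.g. `// The login cluster still validates the salted secret, so forwarding a token that merely claims the anonymous UUID grants nothing.` The anonymous UUID suffix is a magic literal spliced into a growing boolean; naming it keeps the condition readable: `anonPrefix := "v2/" + cluster.ClusterID + "-gj3su-anonymouspublic/"` and then `if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && !strings.HasPrefix(token, anonPrefix) && remoteID == cluster.Login.LoginCluster {`. The enclosing function saltedTokenProvider starts and ends outside the hunk.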