14826: API server looks in CA cert path that works on CentOS
author Peter Amstutz <pamstutz@veritasgenetics.com>
Mon, 11 Feb 2019 15:57:45 +0000 (10:57 -0500)
committer Peter Amstutz <pamstutz@veritasgenetics.com>
Mon, 11 Feb 2019 15:57:45 +0000 (10:57 -0500)
API server makes callbacks to remote clusters to validate remote
users, ensure it has the right system CA cert path to validate TLS
certs of remote clusters.

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>

services/api/app/models/api_client_authorization.rb

index 39253e1036ba9a52b2070f9e0a7d4043fecb2d43..800439248673cf6b2960bc0a22848c6f97c02f55 100644 (file)
@@ -155,6 +155,12 @@ class ApiClientAuthorization < ArvadosModel
         clnt = HTTPClient.new
         if Rails.configuration.sso_insecure
           clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        else
+          # Use system CA certificates
+          ["/etc/ssl/certs/ca-certificates.crt",
+           "/etc/pki/tls/certs/ca-bundle.crt"]
+            .select { |ca_path| File.readable?(ca_path) }
+            .each { |ca_path| @api_client.ssl_config.add_trust_ca(ca_path) }
         end
         remote_user = SafeJSON.load(
           clnt.get_content('https://' + host + '/arvados/v1/users/current',
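
Review bot: In the added `else` branch, the `.each` block calls `@api_client.ssl_config.add_trust_ca(ca_path)`, but the client created and used in this code is the local `clnt` (`clnt = HTTPClient.new`, then `clnt.get_content(...)`). As written, the CA bundles are not added to the client that makes the request to the remote cluster, and if `@api_client` is not set on this model the call fails on nil instead of configuring trust. Suggest `clnt.ssl_config.add_trust_ca(ca_path)`. Separately, when neither bundle path is readable the branch adds nothing and says nothing; a logged warning there would make a later certificate verification failure much easier to trace back to a missing CA bundle.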