19166: Pass GatewayAuthSecret to crunch-run through lsf/slurm.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

diff --git a/lib/lsf/dispatch.go b/lib/lsf/dispatch.go
index 0d9324784d503e1fb30789e45e2f65ae7b84fdd1..e2348337e62992eb4463947690e809e1927bb232 100644 (file)
--- a/lib/lsf/dispatch.go
+++ b/lib/lsf/dispatch.go
@@ -6,6 +6,8 @@ package lsf
 
 import (
        "context"
+       "crypto/hmac"
+       "crypto/sha256"
        "errors"
        "fmt"
        "math"
@@ -274,7 +276,12 @@ func (disp *dispatcher) submit(container arvados.Container, crunchRunCommand []s
        var crArgs []string
        crArgs = append(crArgs, crunchRunCommand...)
        crArgs = append(crArgs, container.UUID)
-       crScript := execScript(crArgs)
+
+       h := hmac.New(sha256.New, []byte(disp.Cluster.SystemRootToken))
+       fmt.Fprint(h, container.UUID)
+       authsecret := fmt.Sprintf("%x", h.Sum(nil))
+
+       crScript := execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret})
 
        bsubArgs, err := disp.bsubArgs(container)
        if err != nil {
@@ -353,8 +360,14 @@ func (disp *dispatcher) checkLsfQueueForOrphans() {
        }
 }
 
-func execScript(args []string) []byte {
-       s := "#!/bin/sh\nexec"
+func execScript(args []string, env map[string]string) []byte {
+       s := "#!/bin/sh\n"
+       for k, v := range env {
+               s += k + `='`
+               s += strings.Replace(v, `'`, `'\''`, -1)
+               s += `' `
+       }
+       s += `exec`
        for _, w := range args {
                s += ` '`
                s += strings.Replace(w, `'`, `'\''`, -1)

diff --git a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
index c31d7997522fa1caa73507a009d680b3835a2f46..c774584d683c338e70629320d9d602b9fea30814 100644 (file)
--- a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
+++ b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go
@@ -7,6 +7,8 @@ package dispatchslurm
 
 import (
        "context"
+       "crypto/hmac"
+       "crypto/sha256"
        "fmt"
        "log"
        "math"
@@ -213,7 +215,12 @@ func (disp *Dispatcher) submit(container arvados.Container, crunchRunCommand []s
        crArgs := append([]string(nil), crunchRunCommand...)
        crArgs = append(crArgs, "--runtime-engine="+disp.cluster.Containers.RuntimeEngine)
        crArgs = append(crArgs, container.UUID)
-       crScript := strings.NewReader(execScript(crArgs))
+
+       h := hmac.New(sha256.New, []byte(disp.cluster.SystemRootToken))
+       fmt.Fprint(h, container.UUID)
+       authsecret := fmt.Sprintf("%x", h.Sum(nil))
+
+       crScript := strings.NewReader(execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret}))
 
        sbArgs, err := disp.sbatchArgs(container)
        if err != nil {

diff --git a/services/crunch-dispatch-slurm/script.go b/services/crunch-dispatch-slurm/script.go
index fb16e593e5c5648720452fd49194910a4b2021b5..d0bfbc4a929dd8067a8e3e3e519b17dc0777f475 100644 (file)
--- a/services/crunch-dispatch-slurm/script.go
+++ b/services/crunch-dispatch-slurm/script.go
@@ -8,8 +8,14 @@ import (
        "strings"
 )
 
-func execScript(args []string) string {
-       s := "#!/bin/sh\nexec"
+func execScript(args []string, env map[string]string) string {
+       s := "#!/bin/sh\n"
+       for k, v := range env {
+               s += k + `='`
+               s += strings.Replace(v, `'`, `'\''`, -1)
+               s += `' `
+       }
+       s += `exec`
        for _, w := range args {
                s += ` '`
                s += strings.Replace(w, `'`, `'\''`, -1)

diff --git a/services/crunch-dispatch-slurm/script_test.go b/services/crunch-dispatch-slurm/script_test.go
index 00d70190dd043416302c38fc526dc551dc08f687..bba9a05755cb36ec9848d11b17bc0187657e87d3 100644 (file)
--- a/services/crunch-dispatch-slurm/script_test.go
+++ b/services/crunch-dispatch-slurm/script_test.go
@@ -23,6 +23,7 @@ func (s *ScriptSuite) TestExecScript(c *C) {
                {[]string{`foo"`, "'waz 'qux\n"}, `exec 'foo"' ''\''waz '\''qux` + "\n" + `'`},
        } {
                c.Logf("%+v -> %+v", test.args, test.script)
-               c.Check(execScript(test.args), Equals, "#!/bin/sh\n"+test.script+"\n")
+               c.Check(execScript(test.args, nil), Equals, "#!/bin/sh\n"+test.script+"\n")
        }
+       c.Check(execScript([]string{"sh", "-c", "echo $foo"}, map[string]string{"foo": "b'ar"}), Equals, "#!/bin/sh\nfoo='b'\\''ar' exec 'sh' '-c' 'echo $foo'\n")
 }