From: Ward Vandewege Date: Fri, 25 Mar 2022 13:11:53 +0000 (-0400) Subject: 18887: it is OK for controller to forward the local anymous token, X-Git-Tag: 2.5.0~228^2~6 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/442ddf0be3bdc9c28d839aaa4476a67f8feea19b 18887: it is OK for controller to forward the local anymous token, because all anonymous tokens get mapped to the local anonymous token on every cluster. Arvados-DCO-1.1-Signed-off-by: Ward Vandewege --- diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go index d3819f6262..2eabf44647 100644 --- a/lib/controller/federation/conn.go +++ b/lib/controller/federation/conn.go @@ -69,14 +69,15 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin return nil, errors.New("no token provided") } for _, token := range incoming.Tokens { - if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && remoteID == cluster.Login.LoginCluster { - // If we did this, the login cluster - // would call back to us and then - // reject our response because the - // user UUID prefix (i.e., the - // LoginCluster prefix) won't match - // the token UUID prefix (i.e., our - // prefix). + if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && + !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") && + remoteID == cluster.Login.LoginCluster { + // If we did this, the login cluster would call back to us and then + // reject our response because the user UUID prefix (i.e., the + // LoginCluster prefix) won't match the token UUID prefix (i.e., our + // prefix). The anonymous token is OK to forward, because it gets + // mapped to the local anonymous token automatically on the login + // cluster. return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID) } salted, err := auth.SaltToken(token, remoteID)