From: Tom Clegg Date: Fri, 1 Jul 2022 18:30:32 +0000 (-0400) Subject: 19166: Pass GatewayAuthSecret to crunch-run through lsf/slurm. X-Git-Tag: 2.5.0~106^2~10 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/87f3da84318306184165dae50f75ac6721d89285 19166: Pass GatewayAuthSecret to crunch-run through lsf/slurm. Arvados-DCO-1.1-Signed-off-by: Tom Clegg --- diff --git a/lib/lsf/dispatch.go b/lib/lsf/dispatch.go index 0d9324784d..e2348337e6 100644 --- a/lib/lsf/dispatch.go +++ b/lib/lsf/dispatch.go @@ -6,6 +6,8 @@ package lsf import ( "context" + "crypto/hmac" + "crypto/sha256" "errors" "fmt" "math" @@ -274,7 +276,12 @@ func (disp *dispatcher) submit(container arvados.Container, crunchRunCommand []s var crArgs []string crArgs = append(crArgs, crunchRunCommand...) crArgs = append(crArgs, container.UUID) - crScript := execScript(crArgs) + + h := hmac.New(sha256.New, []byte(disp.Cluster.SystemRootToken)) + fmt.Fprint(h, container.UUID) + authsecret := fmt.Sprintf("%x", h.Sum(nil)) + + crScript := execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret}) bsubArgs, err := disp.bsubArgs(container) if err != nil { @@ -353,8 +360,14 @@ func (disp *dispatcher) checkLsfQueueForOrphans() { } } -func execScript(args []string) []byte { - s := "#!/bin/sh\nexec" +func execScript(args []string, env map[string]string) []byte { + s := "#!/bin/sh\n" + for k, v := range env { + s += k + `='` + s += strings.Replace(v, `'`, `'\''`, -1) + s += `' ` + } + s += `exec` for _, w := range args { s += ` '` s += strings.Replace(w, `'`, `'\''`, -1) diff --git a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go index c31d799752..c774584d68 100644 --- a/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go +++ b/services/crunch-dispatch-slurm/crunch-dispatch-slurm.go @@ -7,6 +7,8 @@ package dispatchslurm import ( "context" + "crypto/hmac" + "crypto/sha256" "fmt" "log" "math" 
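Review bot: In `submit`, the derived `authsecret` is written into the text of the job script handed to bsub, so its confidentiality now depends on how the scheduler stores and exposes submitted scripts; that is not visible from this hunk and is worth confirming for LSF and for the identical change in `services/crunch-dispatch-slurm/crunch-dispatch-slurm.go`. The value is hex HMAC-SHA256 keyed with `SystemRootToken` over `container.UUID`, so it stays fixed for a given container and presumably has to match what the other end of the gateway computes. I would record that above the HMAC lines, e.g. `// GatewayAuthSecret = hex(HMAC-SHA256(SystemRootToken, container.UUID)); embedded in the job script, keep in sync with the verifying side`. The three derivation lines are duplicated verbatim in both dispatchers, and a shared helper would keep them from drifting apart. `submit` starts and ends outside the hunk.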
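Review bot: `execScript` escapes each env value but writes the key `k` into the script unquoted and unchecked, so it is only safe while every caller passes a constant, shell-valid name, as the one visible caller does with `GatewayAuthSecret`. The function should state that in a doc comment or reject keys that are not valid variable names. Ranging over the map directly also lets the assignment order, and so the script text, vary between runs once more than one entry is passed. Sorting the keys fixes that and is shown below (it needs `sort` imported); both points apply equally to the string-returning copy in `services/crunch-dispatch-slurm/script.go`. The function body continues outside the hunk.

```go
func execScript(args []string, env map[string]string) []byte {
	s := "#!/bin/sh\n"
	// Keys are emitted unquoted: callers must pass valid shell variable names.
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		s += k + `='` + strings.Replace(env[k], `'`, `'\''`, -1) + `' `
	}
	s += `exec`
	// … unchanged: argument quoting loop …
```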
@@ -213,7 +215,12 @@ func (disp *Dispatcher) submit(container arvados.Container, crunchRunCommand []s crArgs := append([]string(nil), crunchRunCommand...) crArgs = append(crArgs, "--runtime-engine="+disp.cluster.Containers.RuntimeEngine) crArgs = append(crArgs, container.UUID) - crScript := strings.NewReader(execScript(crArgs)) + + h := hmac.New(sha256.New, []byte(disp.cluster.SystemRootToken)) + fmt.Fprint(h, container.UUID) + authsecret := fmt.Sprintf("%x", h.Sum(nil)) + + crScript := strings.NewReader(execScript(crArgs, map[string]string{"GatewayAuthSecret": authsecret})) sbArgs, err := disp.sbatchArgs(container) if err != nil { diff --git a/services/crunch-dispatch-slurm/script.go b/services/crunch-dispatch-slurm/script.go index fb16e593e5..d0bfbc4a92 100644 --- a/services/crunch-dispatch-slurm/script.go +++ b/services/crunch-dispatch-slurm/script.go @@ -8,8 +8,14 @@ import ( "strings" ) -func execScript(args []string) string { - s := "#!/bin/sh\nexec" +func execScript(args []string, env map[string]string) string { + s := "#!/bin/sh\n" + for k, v := range env { + s += k + `='` + s += strings.Replace(v, `'`, `'\''`, -1) + s += `' ` + } + s += `exec` for _, w := range args { s += ` '` s += strings.Replace(w, `'`, `'\''`, -1) diff --git a/services/crunch-dispatch-slurm/script_test.go b/services/crunch-dispatch-slurm/script_test.go index 00d70190dd..bba9a05755 100644 --- a/services/crunch-dispatch-slurm/script_test.go +++ b/services/crunch-dispatch-slurm/script_test.go @@ -23,6 +23,7 @@ func (s *ScriptSuite) TestExecScript(c *C) { {[]string{`foo"`, "'waz 'qux\n"}, `exec 'foo"' ''\''waz '\''qux` + "\n" + `'`}, } { c.Logf("%+v -> %+v", test.args, test.script) - c.Check(execScript(test.args), Equals, "#!/bin/sh\n"+test.script+"\n") + c.Check(execScript(test.args, nil), Equals, "#!/bin/sh\n"+test.script+"\n") } + c.Check(execScript([]string{"sh", "-c", "echo $foo"}, map[string]string{"foo": "b'ar"}), Equals, "#!/bin/sh\nfoo='b'\\''ar' exec 'sh' '-c' 'echo $foo'\n") }
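Review bot: The new assertion in `TestExecScript` covers only the slurm copy of `execScript`; the `[]byte`-returning copy in `lib/lsf/dispatch.go` gets the same env-prefix change in this commit with no matching test hunk. If no lsf test exists elsewhere, an equivalent check on `string(execScript(...))` there would keep the two quoting implementations from diverging. The case added here also passes a single-entry map, so it says nothing about output with several env entries, where map iteration order would make the expected string unstable. `TestExecScript` starts outside the hunk.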