From 442ddf0be3bdc9c28d839aaa4476a67f8feea19b Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Fri, 25 Mar 2022 09:11:53 -0400 Subject: [PATCH] 18887: it is OK for controller to forward the local anymous token, because all anonymous tokens get mapped to the local anonymous token on every cluster. Arvados-DCO-1.1-Signed-off-by: Ward Vandewege --- lib/controller/federation/conn.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go index d3819f6262..2eabf44647 100644 --- a/lib/controller/federation/conn.go +++ b/lib/controller/federation/conn.go @@ -69,14 +69,15 @@ func saltedTokenProvider(cluster *arvados.Cluster, local backend, remoteID strin return nil, errors.New("no token provided") } for _, token := range incoming.Tokens { - if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && remoteID == cluster.Login.LoginCluster { - // If we did this, the login cluster - // would call back to us and then - // reject our response because the - // user UUID prefix (i.e., the - // LoginCluster prefix) won't match - // the token UUID prefix (i.e., our - // prefix). + if strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-") && + !strings.HasPrefix(token, "v2/"+cluster.ClusterID+"-gj3su-anonymouspublic/") && + remoteID == cluster.Login.LoginCluster { + // If we did this, the login cluster would call back to us and then + // reject our response because the user UUID prefix (i.e., the + // LoginCluster prefix) won't match the token UUID prefix (i.e., our + // prefix). The anonymous token is OK to forward, because it gets + // mapped to the local anonymous token automatically on the login + // cluster. return nil, httpErrorf(http.StatusUnauthorized, "cannot use a locally issued token to forward a request to our login cluster (%s)", remoteID) } salted, err := auth.SaltToken(token, remoteID) -- 2.30.2