Project

General

Profile

Actions

Feature #13135

closed

[CWL] Support for secrets

Added by Peter Amstutz about 6 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

string type inputs to a workflow can be marked "secret: true"

arvados-cwl-runner ensures that secrets are obscured using "secret_mounts" in container requests.

Secrets are entered into a "secrets" list inside workflow runner.

When submitting a job, any mount or environment variable that contains any string in the "secrets" list is placed in "secret_mounts" or "secret_environment".

In addition, any command line argument that contains a secret could go into a "secret_command". (In container request, this is merged with the regular command line. Something like a list of null values or strings, null values are skipped, strings replace the corresponding position in the command line.)

Assumption: workflows don't modify the contents of secrets. This seems reasonable.

a-c-r logger has a filter that checks if any strings in the "secrets" list appears in output and obscures it.

When submitting workflow runner, any secrets are placed in file literals in "secret_mounts", the secret parameters appear in input.json file as an $include which reads the secret file contents when the runner executes.


Subtasks 1 (0 open1 closed)

Task #13214: Review 13135-cwl-secretsResolvedPeter Amstutz03/13/2018Actions
Actions

Also available in: Atom PDF