Feature #14200

open

[API] Reduce privilege exposure via API tokens in multi-cluster workflows

Added by Peter Amstutz about 6 years ago. Updated 9 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version:
Story points: -
Release:
Release relationship: Auto

Description

A container running on cluster A might have inputs located on cluster B. Therefore, it must have a runtime token capable of authorizing API calls to cluster B. However, the container does not need all of the privileges on cluster B that it needs on cluster A: for example, it does not need to create a log collection on cluster B.

Proposal:
  • Additional "cluster_scope" column restricting which clusters should accept it? If cluster B tries to use it with cluster C, cluster A will tell cluster C not to use it.
  • "cluster_scope" could also instruct remote clusters to limit their scope (so token used on cluster C still only has access to read-only collections).
    • Proposed format: {cluster1: [scope1, scope2], cluster2: [scope3, scope4]}
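
A sketch of the decision the proposed "cluster_scope" mapping implies, as an added example that is not Arvados code: the issuing cluster, asked to validate a token presented on some cluster, refuses any cluster that is not listed and limits listed clusters to their scopes. The cluster IDs, the ClusterScope type, the Allowed function, and the "METHOD /path" scope strings with trailing-slash prefix matching are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ClusterScope is the proposed mapping: cluster ID -> scopes valid on that cluster.
type ClusterScope map[string][]string

// Constructed sample: a runtime token for a container on cluster A ("clsta")
// that only needs to read collections on cluster B ("clstb").
var constructedToken = ClusterScope{
	"clsta": {"all"},
	"clstb": {"GET /arvados/v1/collections/"},
}

// Allowed is a hypothetical check: may this token be used on clusterID
// for the given request? Unlisted clusters are always refused.
func Allowed(cs ClusterScope, clusterID, method, path string) bool {
	scopes, listed := cs[clusterID]
	if !listed {
		return false
	}
	for _, s := range scopes {
		if s == "all" {
			return true
		}
		parts := strings.SplitN(s, " ", 2)
		if len(parts) != 2 || parts[0] != method {
			continue
		}
		prefix := parts[1]
		// Assumed matching rule: exact path, or prefix match when the scope ends in "/".
		if path == prefix || (strings.HasSuffix(prefix, "/") && strings.HasPrefix(path, prefix)) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Allowed(constructedToken, "clsta", "POST", "/arvados/v1/collections"))  // home cluster
	fmt.Println(Allowed(constructedToken, "clstb", "GET", "/arvados/v1/collections/x")) // read input on B
	fmt.Println(Allowed(constructedToken, "clstb", "POST", "/arvados/v1/collections"))  // log collection on B
	fmt.Println(Allowed(constructedToken, "clstc", "GET", "/arvados/v1/collections/x")) // B forwarding to C
}
```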

Related issues

Related to Arvados - Feature #14262: [Controller] Specify runtime_token when creating container requests on a remote cluster (Resolved, Peter Amstutz, 10/24/2018)