Bug #15814
closedRunning a workflow from WB2 exposes secret inputs
Description
In the container.json log of e51c5-xvhdp-ctxc9vlsbq7ae3x you can see:
"api_key_per_sample": { "$include": "/secrets/s0" }
In the container.json log of e51c5-xvhdp-mkzv6lz6mnphv7b, you can see the api_key_per_sample in plaintext.
For reference, the way secrets are handled in arvados-cwl-runner:
- the submitter process takes the secret string and adds a "text" type mount at /secrets/s0 (s1, s2, etc) to the container request
- In the input object, the parameter is replaced with "$include": "/secrets/s0"
- The workflow runner process (inside the container) loads the input object and processes the $input directive, which reads /secrets/s0 and replaces it with the contents of the file
- The workflow runner internally swaps the secret for a placeholder to avoid printing it in logging (including debug logging)
- The command line tool uses InitialWorkDir to define the credential files
- It observes that the file contains the placeholder for the secret
- The file is moved to secret_mounts and the placeholder is replaced by the real secret
- secret_mounts are hidden from all API responses except when crunch-run requests the "self" container. Secrets are wiped from the database when the container is finished
Implementation¶
The part that workbench 2 needs to handle is:
- Recognizing which inputs are secrets (requires looking for cwltool:Secrets in the workflow's hints or requirements sections).
- Obscuring the secret with a "password" type text box
- When constructing the container request, moving secrets into the "secret_mounts" part, and replacing them in the input object with the $include reference.
Updated by Tom Morris about 5 years ago
- Target version changed from 2020-01-02 Sprint to 2020-01-15 Sprint
Updated by Peter Amstutz about 5 years ago
The broader problem is that specifying secrets requires some extra work when creating the container request, and this code is essentially duplicated between arvados-cwl-runner and workbench. As a result, a-c-r knows how to do it, and workbench(1|2) doesn't. This almost certainly isn't the only example of inconsistent behavior between them.
I recommend exploring the option of submitting the workflow using a high level API, specifically the GA4GH Workflow Execution Service (WES). The implementation of the high level API can invoke arvados-cwl-runner which already has the logic to construct the low level container request. Submitted for consideration: #15918 #15917
Updated by Peter Amstutz about 5 years ago
- Target version changed from 2020-01-15 Sprint to Arvados Future Sprints
Updated by Peter Amstutz almost 5 years ago
- Release set to 20
- Target version deleted (
Arvados Future Sprints)
Updated by Peter Amstutz almost 3 years ago
- Release changed from 20 to 46
- Target version set to 2022-02-16 sprint
Updated by Peter Amstutz almost 3 years ago
- Subject changed from Running a workflow from WB1 & WB2 exposes secret inputs to Running a workflow from WB2 exposes secret inputs
Updated by Peter Amstutz almost 3 years ago
- Target version changed from 2022-02-16 sprint to 2022-03-02 sprint
Updated by Peter Amstutz almost 3 years ago
- Target version changed from 2022-03-02 sprint to 2022-03-16 sprint
Updated by Peter Amstutz almost 3 years ago
- Assigned To changed from Peter Amstutz to Daniel Kutyła
Updated by Peter Amstutz almost 3 years ago
- Target version changed from 2022-03-16 sprint to 2022-04-13 Sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-04-13 Sprint to 2022-04-27 Sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-04-27 Sprint to 2022-05-11 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-05-11 sprint to 2022-05-25 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-05-25 sprint to 2022-06-08 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-06-08 sprint to 2022-06-22 Sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-06-22 Sprint to 2022-07-06
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-07-06 to 2022-07-20
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-07-20 to 2022-08-03 Sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-08-03 Sprint to 2022-08-17 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-08-17 sprint to 2022-08-31 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-08-31 sprint to 2022-09-28 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-10-12 sprint to 2022-10-26 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-10-26 sprint to 2022-11-09 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-11-09 sprint to 2022-11-23 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-11-23 sprint to 2022-12-21 Sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-12-21 Sprint to 2023-01-18 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2023-01-18 sprint to 2023-02-01 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2023-02-01 sprint to 2023-02-15 sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2023-02-15 sprint to Future
Updated by Brett Smith over 1 year ago
- Related to Bug #20977: a-c-r crashes with "Secret store only accepts strings" if you try to register a workflow with secrets added
Updated by Peter Amstutz about 1 year ago
- Target version changed from Future to Development 2024-01-17 sprint
Updated by Peter Amstutz about 1 year ago
- Target version changed from Development 2024-01-17 sprint to Development 2024-02-28 sprint
Updated by Peter Amstutz about 1 year ago
- Target version changed from Development 2024-02-28 sprint to Development 2024-01-31 sprint
Updated by Peter Amstutz about 1 year ago
- Target version changed from Development 2024-01-31 sprint to Development 2024-02-28 sprint
Updated by Peter Amstutz 11 months ago
- Target version changed from Development 2024-02-28 sprint to Development 2024-03-13 sprint
Updated by Peter Amstutz 10 months ago
- Target version changed from Development 2024-03-13 sprint to Development 2024-03-27 sprint
Updated by Peter Amstutz 10 months ago
- Target version changed from Development 2024-03-27 sprint to Development 2024-04-10 sprint
Updated by Peter Amstutz 10 months ago
- Target version changed from Development 2024-04-10 sprint to Development 2024-04-24 sprint
Updated by Peter Amstutz 9 months ago
- Target version changed from Development 2024-04-24 sprint to Development 2024-05-08 sprint
Updated by Peter Amstutz 9 months ago
- Target version changed from Development 2024-05-08 sprint to Development 2024-06-05 sprint
Updated by Peter Amstutz 8 months ago
- Related to Idea #19132: Registered workflow improvements added
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2024-06-05 sprint to Development 2024-05-22 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2024-05-22 sprint to 439
Updated by Peter Amstutz 7 months ago
- Target version changed from 439 to Development 2024-06-19 sprint
Updated by Peter Amstutz 7 months ago
- Target version changed from Development 2024-06-19 sprint to Development 2024-07-03 sprint
Updated by Peter Amstutz 6 months ago
- Target version changed from Development 2024-07-03 sprint to Development 2024-06-19 sprint
Updated by Peter Amstutz 6 months ago
15814-wb2-secrets @ 87f53f0c33e9033636122ac09322229caaee3398
Updated by Peter Amstutz 6 months ago
- Target version changed from Development 2024-06-19 sprint to Development 2024-07-03 sprint
Updated by Peter Amstutz 6 months ago
15814-wb2-secrets @ 2ed8ccba7164836f69d15ae6d2cb1cbd2cd03b7c
- All agreed upon points are implemented / addressed.
- can now use
arvados-cwl-runner --create-workflow
on workflows with secrets - secret inputs are treated as password input and use 'password' type input
- container request is constructed the same way that arvados-cwl-runner does it to avoid exposing passwords
- can now use
- Anything not implemented (discovered or discussed during work) has a follow-up story.
- n/a
- Code is tested and passing, both automated and manual, what manual testing was done is described
- added a new workbench integration test which goes through the process of creating a container request with a secret input.
- Documentation has been updated.
- n/a
- Behaves appropriately at the intended scale (describe intended scale).
- no changes in scale
- Considered backwards and forwards compatibility issues between client and server.
- the secrets handling feature has been around for many releases, this does not rely on any new API features
- Follows our coding standards and GUI style guidelines.
- yes
In the process of writing the test, I struggled a bit with Cypress. I made a few changes:
- If run-tests.sh is run in "interactive" mode, then it will launch the cypress tests in "interactive" mode as well.
- I added a "fail fast" plugin which will cause cypress to stop running tests in a particular spec file on the first failure. However, I set it up so it is disabled by default except when launched in interactive mode (previous bullet).
- I ended up making some changes to a couple of "process" tests that were giving me trouble. I observed that some of the flaky tests are flaky because of race conditions where a cached value is displayed while it is waiting to get a new value from the server, but the check fails on the old cached value when it was expecting the new value. These situations require the test to be a bit more aggressive on enforcing sequencing and/or triggering a browser reload to prevent stale values.
Updated by Peter Amstutz 6 months ago
15814-wb2-secrets @ bac52a7846a94bc3722c8256c7b8f567b7bd3096
Updated by Lucas Di Pentima 6 months ago
Review comments:
- There's some missing indentation in
createWorkflowSecretMounts()
definition. - I believe that instead of writing conditionals like "
if (something && something.other) {...}
" you can simplify it with "if (something?.other) {...}
" - There's also some funny indentations at
services/workbench2/src/store/run-process-panel/run-process-panel-actions.ts
lines 160-200.arvados/services/workbench2/src/models/workflow.ts
lines 164-171services/workbench2/cypress/e2e/process.cy.js
lines 113-128, 212-218, 1335-1337, 1470-1472services/workbench2/cypress.config.ts
lines 16-25arvados/services/workbench2/cypress/e2e/create-workflow.cy.js
lines 287-335
- When viewing the runner container, the corresponding input value for the secret shows as "Cannot display value" and while this is desirable, that input is not marked as a special one, so if its name doesn't hint the user that the value is a secret, using a better message could be helpful. Something like "Sensitive data hidden" or similar?
Updated by Peter Amstutz 6 months ago
Lucas Di Pentima wrote in #note-66:
- I believe that instead of writing conditionals like "
if (something && something.other) {...}
" you can simplify it with "if (something?.other) {...}
"
Done.
- When viewing the runner container, the corresponding input value for the secret shows as "Cannot display value" and while this is desirable, that input is not marked as a special one, so if its name doesn't hint the user that the value is a secret, using a better message could be helpful. Something like "Sensitive data hidden" or similar?
Detected explicitly and says "Cannot display secret" now.
Fixed all the wonky indentation, it was using tabs, I need to fix my untabify-on-save hook.
15814-wb2-secrets @ d8307bae7ebd60c20ecaf445f29bf4e229941e55
Updated by Peter Amstutz 6 months ago
15814-wb2-secrets @ cc315e49c103043399d0c78fdec4b9bfab85fa81
Updated by Peter Amstutz 6 months ago
- Status changed from In Progress to Resolved