Federate container token cannot access resources on other clusters
This fails, despite the fact that when accessing the collection by other means (both "arv collection get" and arv-mount) the user is able to go through tordo and fetch the collection from ce8i5 (i.e. federation works as intended).
I think what is happening here is that the container gets issued a new temporary token, that token belongs to the federate cluster not the LoginCluster, and so it can only be used to access resources on the federate but not other clusters in the federation.
So that's a bug / missing feature in this situation.
When the user's token belongs to a LoginCluster, controller needs to request a new token from the LoginCluster instead of creating a local one. This should be set as the "runtime token" on the container request, along with a new(?) flag to indicate if the runtime token should be expired when the container request is finished.
Updated by Tom Clegg about 2 months ago
- Status changed from New to In Progress
Based on an unmerged branch from #15370, adding a test case that reproduces this failure, but passes/skips if the arv-mount log shows the expected token error: