Task #2859
closed Idea #2755: Implement Keep permission signatures in API server and Python SDK
Review 2755-python-sdk-permissions
Description
Review @ 5214573
2755: add support for signed locators in the Python SDK.
- arvados.Keep.put() saves the response body (which may contain a signed locator) and returns it to the caller.
- arvados.Keep.get() passes the full signed locator to the remote Keep server. The bare MD5 hash is still used for caching and for shuffled_service_roots.
- run_test_server.run_keep() takes arguments 'blob_signing_key' and 'enforce_permissions', for testing permission signatures in unit tests.
- test_keep_client: new unit tests for permissions:
  - with --enforce-permissions=true:
    - GET with a signed locator works
    - GET with an unsigned locator fails
    - unauthenticated GET fails
  - with --enforce-permissions=false:
    - GET with a signed locator works
    - GET with an unsigned locator works
    - unauthenticated GET works
Bug fixes to permission handling in the Keep server:
- Locator hints may appear in any order; be flexible. Parse them in GetBlockHandler rather than in the REST router.
- Returned locators are terminated with newline (consistent with Warehouse, and more friendly for human debugging).
- The locator returned from a PUT request always has a size hint.
- The correct Authorization header keyword is "OAuth2", not "OAuth". D'oh.
- Updated unit tests to accommodate newlines, size hints and OAuth2.
Refs #2755.
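
The following is an added example, not code from the Arvados SDK or from the commit under review. It shows a client accepting locator hints in any order, using the bare MD5 as the cache key, and sending the full signed locator with an "OAuth2" Authorization header. The hint layout (decimal size hint, permission hint of the form A<signature>@<hex expiry>), the function names and the sample values are assumptions made for illustration.

```python
import re

# Assumed locator layout (not spelled out on this page):
#   <32 hex MD5>[+<hint>]...  where a decimal hint is the size and a hint
#   of the form A<signature>@<hex expiry> is the permission signature.
_MD5 = re.compile(r"[0-9a-f]{32}")
_SIZE = re.compile(r"[0-9]+")
_PERM = re.compile(r"A([0-9a-f]+)@([0-9a-f]+)")


def parse_locator(locator):
    """Split a locator into hash, size and permission hint, in any hint order."""
    md5, *hints = locator.strip().split("+")  # strip(): PUT responses end in "\n"
    if not _MD5.fullmatch(md5):
        raise ValueError("not a Keep locator: %r" % locator)
    parsed = {"md5": md5, "size": None, "signature": None,
              "expiry": None, "other": []}
    for hint in hints:
        perm = _PERM.fullmatch(hint)
        if _SIZE.fullmatch(hint) and parsed["size"] is None:
            parsed["size"] = int(hint)
        elif perm and parsed["signature"] is None:
            parsed["signature"] = perm.group(1)
            parsed["expiry"] = int(perm.group(2), 16)
        else:
            parsed["other"].append(hint)  # unknown hints are kept, not rejected
    return parsed


def get_request(locator, api_token):
    """Return (cache_key, request_locator, headers) for a GET of this locator."""
    loc = parse_locator(locator)
    # Caching and server selection use the bare hash; the server receives the
    # full signed locator so that it can check the permission signature.
    headers = {"Authorization": "OAuth2 " + api_token}
    return loc["md5"], locator.strip(), headers


# Constructed sample values, not real signatures or tokens.
SIGNED = "acbd18db4cc2f85cedef654fccc4a4d8+3+A" + "ab" * 20 + "@53ea1f00\n"
REORDERED = "acbd18db4cc2f85cedef654fccc4a4d8+A" + "ab" * 20 + "@53ea1f00+3"
```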