Arvados

Reviewing tomclegg's 3261-keep-docker-config branch at 7305149:

• docker/api/omniauth.rb.in
  • I don't think that SSO_HOSTNAME.ARVADOS_DOMAIN is going to resolve to the local SSO container, which is what ENV['SSO_PORT_443_TCP_ADDR'] did.
• docker/build_tools/Makefile
  • This line:
    

        KEEP_GENERATED := $(shell ls -1 $(KEEP_GENERATED_IN) | perl -pe 's:^keep:keep/generated:')
    

  • ... I think also needs s/\.in$//.
• docker/keep/run-keep.in
  • -z is the wrong test: this looks like it should be
    

    if [ -s "$pkf" ]
    then
        permisson_key_arg="-permission-key-file=$pkf" 
    else
        permisson_key_arg="" 
    fi
    

Tim Pierce wrote:

• docker/api/omniauth.rb.in
  • I don't think that SSO_HOSTNAME.ARVADOS_DOMAIN is going to resolve to the local SSO container, which is what ENV['SSO_PORT_443_TCP_ADDR'] did.

• Leave empty in config.yml = use sso docker container
• Specify https://auth.curoverse.com in config.yml = use some sso service elsewhere

• docker/build_tools/Makefile
  • This line:
    [...]
  • ... I think also needs s/\.in$//.

Ah yes. (Now obsoleted by your replacement.)

• docker/keep/run-keep.in
  • -z is the wrong test: this looks like it should be
    [...]

Yes. Fixed, thanks.

With these and other misc fixes, I've confirmed that #3261 is not so easily reproduced. :/

After turning on --enforce-permissions, both keep and api server seem to work as expected:

keep

root@compute0:/# curl -H 'Authorization: OAuth2 4mqswa8myo058hxxfyx0r9zt9mm5m91brpviuvaoun4d857ewd' http://keep_server_0.keep.dev.arvados:25107/acbd18db4cc2f85cedef654fccc4a4d8+3+A8dd47f55a2815eb149887938d3416e5fdb6f9813@53ed4abf
foo

root@compute0:/# curl -H 'Authorization: OAuth2 4mqswa8myo058hxxfyx0r9zt9mm5m91brpviuvaoun4d857ewd' http://keep_server_0.keep.dev.arvados:25107/acbd18db4cc2f85cedef654fccc4a4d8+3+A8dd47f55a2815eb149887938d3416e5fdb6fffff@53ed4abf
Forbidden

api

root@compute0:/tmp# arv collection create --collection '{"uuid":"1f4b0bc7583c2a7f9102c395f4ffc5e3+45","manifest_text":". acbd18db4cc2f85cedef654fccc4a4d8+3+Afa79eed615b0cadac0a86dcd99c155c49d654c43@53ed418c 0:3:foo\n"}'
# => success

root@compute0:/tmp# arv collection create --collection '{"uuid":"1f4b0bc7583c2a7f9102c395f4ffc5e3+45","manifest_text":". acbd18db4cc2f85cedef654fccc4a4d8+3+A1dcc4d36024c3c4166088ba32686ffb428c33fc2@53ed4163 0:3:foo\n"}'
Error: #<ArvadosModel::PermissionDeniedError: ArvadosModel::PermissionDeniedError>

Turning on permissions on 4xphq also seems fine:

4xphq:~# echo -n bar > bar
4xphq:~# arv-put bar
arv-put: No --project-uuid or --name specified.  This data will be cached
in Keep.  You will need to find this upload by its locator(s) later.
0M / 0M 100.0% 
fa7aeb5140e2848d39b416daeef4ffc5+45

4xphq:~# arv-get fa7aeb5140e2848d39b416daeef4ffc5+45
. 37b51d194a7513e45b56f6524f2d51f2+3+Af291968a5e126295afeef53e71e4537a2e6d7fa3@53ed4fd8 0:3:bar

4xphq:~# arv collection create --collection '{"uuid":"fa7aeb5140e2848d39b416daeef4ffc5+45","manifest_text":". 37b51d194a7513e45b56f6524f2d51f2+3+Af291968a5e126295afeef53e71e4537a2e6d7fa3@53ed4fd8 0:3:bar\n"}'
{
 "href":"/collections/fa7aeb5140e2848d39b416daeef4ffc5+45",
 "kind":"arvados#collection",
 ...

4xphq:~# arv collection create --collection '{"uuid":"fa7aeb5140e2848d39b416daeef4ffc5+45","manifest_text":". 37b51d194a7513e45b56f6524f2d51f2+3+Af291968a5e126295afeef53e71e4537a2e6dffff@53ed4fd8 0:3:bar\n"}'
Error: #<ArvadosModel::PermissionDeniedError: ArvadosModel::PermissionDeniedError>

Meanwhile, more docker patches in 3261-keep-docker-config @ 5ce0e0f

• Bug: CollectionWriter.finish() (as used by well-behaved crunch scripts, but not crunch-job) threw away its permission hints before showing manifest_text to anyone, so of course arvados.v1.collections.create failed.
• Fix: Don't do that. 3bd1f8da
• Unfortunately this means docker images with affected versions of the Python SDK can't be used when the permission system is turned up.