Feature #13135

Updated by Peter Amstutz almost 6 years ago

string type * inputs to a workflow can be marked "secret: true" 

 * arvados-cwl-runner ensures that secrets are obscured using "secret_mounts" in container requests. 

 Secrets are entered into a "secrets" list inside workflow runner. 

 When submitting a job, any mount or environment variable that contains any string in the "secrets" list is placed in "secret_mounts" or "secret_environment". 

 In addition, any command line argument that contains a secret could go into a "secret_command".    (In container request, this is merged with the regular command line.    Something like a list 
 * semantics of null values or strings, null values are skipped, strings replace the corresponding position in the command line.) 

 Assumption: workflows don't modify the contents of secrets.    This seems reasonable. 

 a-c-r logger has a filter that checks if any strings in the "secrets" list appears in output and obscures it. 

 When submitting workflow runner, any secrets are placed in file literals in "secret_mounts", the secret parameters appear in input.json file as an $include which reads the secret file contents when the runner executes.