f196ec8
add logging for debug
grugna Nov 14, 2022
9226e1e
additional logging
grugna Nov 14, 2022
6aba8f4
add import time
grugna Nov 14, 2022
47f377e
Update auth.go
grugna Nov 14, 2022
3088928
Update auth.go
grugna Nov 14, 2022
45f71c5
Update auth.go
grugna Nov 15, 2022
e6cef5a
Update server.go
grugna Nov 15, 2022
34a84e9
Update server.go
grugna Nov 16, 2022
6968111
Update server.go
grugna Nov 16, 2022
003f0ae
Update auth.go
grugna Feb 13, 2023
bcb33ac
removing prod projects permission
grugna Feb 20, 2023
8802589
Update auth.go
grugna Feb 20, 2023
cfe2ea4
Update auth.go
grugna Feb 21, 2023
3d48fd3
Merge pull request #1 from uc-cdis/integration202303
grugna Mar 1, 2023
8bbadd8
Merge pull request #2 from chicagopcdc/pcdc_dev
grugna Mar 1, 2023
e896781
update query as CTE query to solve production query optimizer error
grugna Mar 1, 2023
9210239
Update auth.go
grugna Mar 1, 2023
11a1f0d
Merge pull request #3 from chicagopcdc/test_performance
grugna Mar 21, 2023
5305e8f
Merge pull request #4 from chicagopcdc/temporary_time_patch
grugna Mar 21, 2023
5717975
Merge pull request #5 from chicagopcdc/pcdc_dev
grugna Apr 26, 2023
66fa637
clean up logs
grugna Apr 26, 2023
1f34d2c
Merge pull request #6 from uc-cdis/integration202305
grugna May 17, 2023
77624fa
Merge pull request #7 from chicagopcdc/pcdc_dev
grugna May 30, 2023
8b67158
Merge pull request #8 from uc-cdis/integration202306
grugna Jun 28, 2023
356df38
update esclude list of old project ids
grugna Jun 28, 2023
9a92180
Merge pull request #9 from chicagopcdc/pcdc_dev
grugna Jun 28, 2023
2095ce3
update filter list of resources for admin user
grugna Aug 29, 2023
82eebf5
Merge pull request #10 from chicagopcdc/pcdc_dev
grugna Aug 31, 2023
7f95be7
exclude 20231114 project data
grugna Nov 1, 2023
2889592
Merge pull request #11 from chicagopcdc/pcdc_dev
grugna Nov 1, 2023
ac7f5e3
filter out november 2023 data release from permission
grugna Jan 18, 2024
7b01767
Merge pull request #12 from chicagopcdc/pcdc_dev
grugna Jan 18, 2024
86f75cf
adding token validation
grugna Feb 5, 2024
16c1549
update logic - token presence has priority over body
grugna Feb 5, 2024
d6d1909
Update server.go
grugna Feb 5, 2024
a1b48ed
type
grugna Feb 5, 2024
45d1e7f
Merge pull request #13 from grugna/add_post_auth_mapping_token_valida…
grugna Feb 6, 2024
21491c6
change for DEV
grugna Feb 6, 2024
c71a568
test parametrizing project exclusion
grugna Feb 7, 2024
b337577
typo
grugna Feb 7, 2024
ae250cc
typo
grugna Feb 7, 2024
0069eb1
Update auth.go
grugna Feb 7, 2024
2444e84
Update server.go
grugna Feb 7, 2024
7fa0179
Update server.go
grugna Feb 7, 2024
4e307ae
Update server.go
grugna Feb 7, 2024
c72fbb1
remove logs
grugna Feb 7, 2024
f0128dc
remove 20231114
grugna Feb 28, 2024
bbd8138
requested changes
grugna Mar 1, 2024
c6b181c
reduce indent
paulineribeyre Mar 4, 2024
1b68fa1
handleAuthMappingPOST => accept token without body
paulineribeyre Mar 4, 2024
35f1939
add unit tests
paulineribeyre Mar 4, 2024
75eef67
Merge branch 'master' of github.com:uc-cdis/arborist into copy-add_po…
paulineribeyre Mar 4, 2024
a38ce94
Merge branch 'copy-add_post_auth_mapping_token_validation' of https:/…
grugna Mar 5, 2024
1609ca6
Merge branch 'uc-cdis-copy-add_post_auth_mapping_token_validation' in…
grugna Mar 5, 2024
833a9cb
Merge pull request #16 from chicagopcdc/test_from_ctds
grugna Mar 6, 2024
088d05e
Merge pull request #14 from chicagopcdc/add_post_endpoint
grugna Mar 6, 2024
290fcec
Merge pull request #17 from chicagopcdc/pcdc_dev
grugna Mar 6, 2024
0d9056c
add latest data release
grugna Mar 26, 2024
3fa07e0
Merge pull request #18 from chicagopcdc/pcdc_dev
grugna Mar 26, 2024
cb0e7dc
Merge branch 'integration202404' of https://github.com/uc-cdis/arbori…
grugna Mar 26, 2024
69d923a
Merge branch 'uc-cdis-integration202404' into pcdc_dev
grugna Mar 26, 2024
1607a89
Merge pull request #20 from chicagopcdc/pcdc_dev
grugna Apr 30, 2024
ce93732
Merge pull request #21 from uc-cdis/master
grugna Apr 30, 2024
05f10bb
Merge pull request #22 from chicagopcdc/pcdc_dev
grugna May 29, 2024
34e16fc
add exclusion for April 2024 data release
grugna Jun 25, 2024
15d47f5
Merge pull request #23 from chicagopcdc/pcdc_dev
grugna Jun 25, 2024
995c0fd
Merge branch 'integration202409' of https://github.com/uc-cdis/arbori…
grugna Aug 27, 2024
b1e6a11
t push origin pcdc_dev:wqqMerge branch 'uc-cdis-integration202409' in…
grugna Aug 27, 2024
582652d
Merge branch 'pcdc_dev' of https://github.com/chicagopcdc/arborist in…
grugna Aug 27, 2024
6382154
Merge pull request #25 from chicagopcdc/pcdc_dev
grugna Aug 27, 2024
9bc0012
update auth
grugna Sep 27, 2024
ef94b1a
Merge pull request #26 from chicagopcdc/pcdc_dev
grugna Sep 27, 2024
5afb0ac
Merge pull request #27 from uc-cdis/integration202412
grugna Nov 23, 2024
7ea579f
Merge pull request #28 from chicagopcdc/pcdc_dev
grugna Dec 23, 2024
edf2b2a
remove latest project_id
grugna Jan 3, 2025
1a93bed
Merge pull request #30 from chicagopcdc/pcdc_dev
grugna Jan 3, 2025
5d161b2
Merge pull request #29 from uc-cdis/integration202501
grugna Jan 28, 2025
ef0f1f1
Merge pull request #31 from chicagopcdc/pcdc_dev
grugna Jan 28, 2025
7f30921
update with data access for april 2025 release
grugna Mar 26, 2025
115bf92
Merge pull request #32 from chicagopcdc/pcdc_dev
grugna Mar 26, 2025
b0220be
update list of old project ids
grugna Jun 24, 2025
b1b420a
Merge pull request #33 from chicagopcdc/update_project_id
grugna Jun 24, 2025
14921bc
Merge pull request #34 from chicagopcdc/pcdc_dev
grugna Jun 24, 2025
70f1ff7
Merge pull request #35 from uc-cdis/integration202507
grugna Jul 11, 2025
9e7da5d
Merge pull request #36 from chicagopcdc/pcdc_dev
grugna Jul 22, 2025
132e3cf
Merge pull request #37 from uc-cdis/integration202509
grugna Sep 29, 2025
4f18d5e
update data for new release
grugna Sep 29, 2025
ebaedb5
Merge pull request #38 from chicagopcdc/pcdc_dev
grugna Sep 29, 2025
30d02c5
Merge pull request #39 from uc-cdis/integration202511
grugna Nov 24, 2025
e8964bc
Merge pull request #40 from chicagopcdc/pcdc_dev
grugna Nov 25, 2025
58a1088
update arborist
paulmurdoch19 Dec 18, 2025
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -40,7 +40,7 @@ RUN dnf update \
COPY --from=build-deps /etc_passwd /etc/passwd
COPY --from=build-deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build-deps /go/src/github.com/uc-cdis/arborist/ /go/src/github.com/uc-cdis/arborist/
RUN setcap 'cap_net_bind_service=+ep' /go/src/github.com/uc-cdis/arborist/bin/arborist
#RUN setcap 'cap_net_bind_service=+ep' /go/src/github.com/uc-cdis/arborist/bin/arborist
Allow a user with no permissions to run arborist. Can no longer bind this server to port 80 unless you are the root user.

WORKDIR /go/src/github.com/uc-cdis/arborist/
USER nobody
CMD ["/go/src/github.com/uc-cdis/arborist/bin/arborist"]
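Review bot: The `#RUN setcap` line is commented-out dead text; delete it rather than keep it, since version history already preserves the old form. Record the resulting constraint where an operator will read it instead, e.g. a comment above `USER nobody`: `# No CAP_NET_BIND_SERVICE is granted: the listen port must be above 1024.` The `COPY` lines above and the `WORKDIR`/`USER`/`CMD` lines below are unchanged by this hunk.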
99 changes: 78 additions & 21 deletions arborist/auth.go
Expand Up @@ -664,6 +664,30 @@ type AuthMappingQuery struct {

type AuthMapping map[string][]Action

// TODO This is just a patch to filter out excessive resources. When transitioning to pelican import we should have a project_id = xyz parameter instead
// Future pcdc-20250408
var authMappingProjectExclusion = `
ARRAY[
'programs.pcdc.projects.20250708.%',
'programs.pcdc.projects.20250408.%',
'programs.pcdc.projects.20250114.%',
'programs.pcdc.projects.20241008.%',
'programs.pcdc.projects.20240709.%',
'programs.pcdc.projects.20240409.%',
'programs.pcdc.projects.20240130.%',
'programs.pcdc.projects.20231114.%',
'programs.pcdc.projects.20230912.%',
'programs.pcdc.projects.20230523.%',
'programs.pcdc.projects.20230228.%',
'programs.pcdc.projects.20220808.%',
'programs.pcdc.projects.20220501_S01.%',
'programs.pcdc.projects.20220201.%',
'programs.pcdc.projects.20220110.%',
'programs.pcdc.projects.20211006.%',
'programs.pcdc.projects.20210915.%',
'programs.pcdc.projects.20210212.%'
]
`
// authMappingForUser gets the auth mapping for the user with this username.
// The user's auth mapping includes the permissions of the `anonymous` and
// `logged-in` groups.
Expand All @@ -673,35 +697,57 @@ type AuthMapping map[string][]Action
func authMappingForUser(db *sqlx.DB, username string) (AuthMapping, *ErrorResponse) {
mappingQuery := []AuthMappingQuery{}
stmt := `
SELECT DISTINCT resource.path, permission.service, permission.method
FROM
(
SELECT usr_policy.policy_id FROM usr
INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
WHERE LOWER(usr.name) = $1 AND (usr_policy.expires_at IS NULL OR NOW() < usr_policy.expires_at)
UNION
SELECT grp_policy.policy_id FROM usr
INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
WHERE LOWER(usr.name) = $1 AND (usr_grp.expires_at IS NULL OR NOW() < usr_grp.expires_at)
UNION
SELECT grp_policy.policy_id FROM grp
INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
WHERE grp.name IN ($2, $3)
) AS policies
INNER JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
INNER JOIN resource AS roots ON roots.id = policy_resource.resource_id
INNER JOIN policy_role ON policy_role.policy_id = policies.policy_id
INNER JOIN permission ON permission.role_id = policy_role.role_id
INNER JOIN resource ON resource.path <@ roots.path
WITH policies AS (
SELECT usr_policy.policy_id
FROM usr
INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
WHERE LOWER(usr.name) = $1
AND (usr_policy.expires_at IS NULL OR NOW() < usr_policy.expires_at)
UNION
SELECT grp_policy.policy_id
FROM usr
INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
WHERE LOWER(usr.name) = $1
AND (usr_grp.expires_at IS NULL OR NOW() < usr_grp.expires_at)
UNION
SELECT grp_policy.policy_id
FROM grp
INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
WHERE grp.name IN ($2, $3)
),
policy_resources AS materialized (
SELECT policies.policy_id, policy_resource.resource_id, roots.path
FROM policies
INNER JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
INNER JOIN resource AS roots ON roots.id = policy_resource.resource_id
)
SELECT DISTINCT
resource.path,
permission.service,
permission.method
FROM policies
INNER JOIN policy_resources ON policy_resources.policy_id = policies.policy_id
INNER JOIN policy_role ON policy_role.policy_id = policies.policy_id
INNER JOIN permission ON permission.role_id = policy_role.role_id
INNER JOIN resource ON resource.path <@ policy_resources.path
WHERE ltree2text(resource.path) NOT LIKE ALL (`

stmt += authMappingProjectExclusion
stmt += `
)
`
// where resource.path ~ (CAST('programs.pcdc.projects.20230228.*' AS lquery))
// where ltree2text(resource.path) not like 'programs.pcdc.projects.20220201.%' and ltree2text(resource.path) not like 'programs.pcdc.projects.20220808.%') as teat;

err := db.Select(
&mappingQuery,
stmt,
strings.ToLower(username), // $1
AnonymousGroup, // $2
LoggedInGroup, // $3
)

if err != nil {
errResponse := newErrorResponse("mapping query failed", 500, &err)
errResponse.log.Error("%s", err.Error())
Expand Down Expand Up @@ -732,6 +778,12 @@ func authMappingForGroups(db *sqlx.DB, groups ...string) (AuthMapping, *ErrorRes
INNER JOIN policy_role ON policy_role.policy_id = policies.policy_id
INNER JOIN permission ON permission.role_id = policy_role.role_id
INNER JOIN resource ON resource.path <@ roots.path
WHERE ltree2text(resource.path) NOT LIKE ALL (`

stmt += authMappingProjectExclusion
stmt += `
)

`
// sqlx.In allows safely binding variable numbers of arguments as bindvars.
// See https://jmoiron.github.io/sqlx/#inQueries,
Expand Down Expand Up @@ -778,6 +830,11 @@ func authMappingForClient(db *sqlx.DB, clientID string) (AuthMapping, *ErrorResp
INNER JOIN policy_role ON policy_role.policy_id = policies.policy_id
INNER JOIN permission ON permission.role_id = policy_role.role_id
INNER JOIN resource ON resource.path <@ roots.path
WHERE ltree2text(resource.path) NOT LIKE ALL (`

stmt += authMappingProjectExclusion
stmt += `
)
`
err := db.Select(
&mappingQuery,
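Review bot: `authMappingProjectExclusion` is spliced unbound into the SQL of `authMappingForUser`, `authMappingForGroups` and `authMappingForClient` as `LIKE` patterns, but its comment only calls it a patch; the comment should state that it must remain a package-level literal never built from request data, that each entry is a `LIKE` pattern in which `_` is a single-character wildcard (so `'programs.pcdc.projects.20220501_S01.%'` also matches paths with any other character in that position), and — if that is the intended scope — that it only hides the listed resources from the returned mapping, which presumably does not by itself deny access through other arborist checks; confirm before relying on it for that. The `policy_resources AS materialized` CTE in `authMappingForUser` requires PostgreSQL 12 or later, which is worth a one-line comment since the other two queries kept their old shape. The two commented-out `// where ...` lines left below that query (one ending in `as teat;`) are dead text and should be deleted. All three functions continue outside their hunks.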