Support secrets in tool requirements #19084
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
lib/galaxy/tool_util/xsd/galaxy.xsd
Outdated
|
|
||
| ```xml | ||
| <requirements> | ||
| <secret type="vault" user_preferences_key="some_tool|api_key" inject_as_env="some_tool_api_key" label="API Key" required="true"/> |
There was a problem hiding this comment.
Do any of the use cases involve multiple tools with different IDs requesting the same secret? If not - I would make the tool id (without a version) an implicit prefix here and just attach some similar field as the suffix. This isolation feels more secure-ish to me - we wouldn't risk tools picking up other keys accidentally.
There was a problem hiding this comment.
Well, in some use cases, maybe in the future, it will be good to access an api_key or a token for multiple tools.
There was a problem hiding this comment.
Hi John, Arash, with @Marie59 and @jeremyfix we have such use case (if I well understand) where separate tools need the same credential (here this is Copernicus marine system credentials), so I confirm that this is already a reality ;) It appears to me, at least for ecology and related environmental sciences, that it will be the case for many data providers as Copernicus for satellites remote sensing data and others.
arash77
force-pushed
the
add-secrets-to-tools
branch
from
f14c777 to
bdf8667
Compare
| seperated_key = user_preferences_key.split("/") | ||
| if len(seperated_key) != 2 or not seperated_key[0] or not seperated_key[1]: |
There was a problem hiding this comment.
| seperated_key = user_preferences_key.split("/") | |
| if len(seperated_key) != 2 or not seperated_key[0] or not seperated_key[1]: | |
| separated_key = user_preferences_key.split("/") | |
| if len(separated_key) != 2 or not separated_key[0] or not separated_key[1]: |
There was a problem hiding this comment.
Thank you for the suggestion, but they will all change.
the new discussed plan is in #19196
I am not sure if this should go into environment_variables or not.
arash77
force-pushed
the
add-secrets-to-tools
branch
5 times, most recently
from
dedb684 to
ff3ee10
Compare
and related methods and use the discussed XML format galaxyproject#19196
…s class and add credentials parsing test
… user credentials
variable, and secret tables to migration
…al_secret for clarity
arash77
force-pushed
the
add-secrets-to-tools
branch
from
ab6f860 to
7c8b58f
Compare
remove unused tests, add credential yaml test, refactor tool evaluator (needs more work)
The user ID comparison was comparing against the user object and not the ID. I think admins should not have access to this API by default so dropping the admin check.
- Make it scoped by user - Use new API instead of stub
Related to #19196
Closes #17511
Work in progress...
I will add a full description when it is done.
Adding secrets to tool requirements like this:
This will make use of the vault key that has been added in user_preferences_extra:
And inject it as an environmental variable that could be accessed within tools.
How to test the changes?
(Select all options that apply)
License