-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support secrets in tool requirements #19084
base: dev
Are you sure you want to change the base?
Conversation
lib/galaxy/tool_util/xsd/galaxy.xsd
Outdated
|
||
```xml | ||
<requirements> | ||
<secret type="vault" user_preferences_key="some_tool|api_key" inject_as_env="some_tool_api_key" label="API Key" required="true"/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do any of the use cases involve multiple tools with different IDs requesting the same secret? If not - I would make the tool id (without a version) an implicit prefix here and just attach some similar field as the suffix. This isolation feels more secure-ish to me - we wouldn't risk tools picking up other keys accidentally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, in some use cases, maybe in the future, it will be good to access an api_key or a token for multiple tools.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi John, Arash, with @Marie59 and @jeremyfix we have such use case (if I well understand) where separate tools need the same credential (here this is Copernicus marine system credentials), so I confirm that this is already a reality ;) It appears to me, at least for ecology and related environmental sciences, that it will be the case for many data providers as Copernicus for satellites remote sensing data and others.
f14c777
to
bdf8667
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice to see this feature coming in. One thing I was wondering about though, should this be a requirement or be injected through the <environment_variables> section following the precedent here?
#15300
seperated_key = user_preferences_key.split("/") | ||
if len(seperated_key) != 2 or not seperated_key[0] or not seperated_key[1]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seperated_key = user_preferences_key.split("/") | |
if len(seperated_key) != 2 or not seperated_key[0] or not seperated_key[1]: | |
separated_key = user_preferences_key.split("/") | |
if len(separated_key) != 2 or not separated_key[0] or not separated_key[1]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the suggestion, but they will all change.
the new discussed plan is in #19196
I am not sure if this should go into environment_variables or not.
dedb684
to
ff3ee10
Compare
ab6f860
to
7c8b58f
Compare
variable, and secret tables to migration
…al_secret for clarity
remove unused tests, add credential yaml test, refactor tool evaluator (needs more work)
The user ID comparison was comparing against the user object and not the ID. I think admins should not have access to this API by default so dropping the admin check.
- Make it scoped by user - Use new API instead of stub
971fa21
to
64d382c
Compare
… integration tests
…dd sorting for better consistency
…riables for tool credentials
Related to #19196
Closes #17511
Work in progress...
I will add a full description when it is done.
Adding secrets to tool requirements like this:
This will make use of the vault key that has been added in user_preferences_extra:
And inject it as an environmental variable that could be accessed within tools.
How to test the changes?
(Select all options that apply)
License