This PR moves roar publish flows onto GLaaS registration sessions, so register and put stage remote writes first and finalize them into a single published lineage at the end.
It also enables scoped SSH-based publishes to respect repo bindings/private scope, and fixes remote job identity collisions by deriving publication-scoped job UIDs from the finalized lineage hash. That keeps republishing stable and ensures follow-up operations like remote label pushes target the correct published jobs.
```mermaid
flowchart TD
  subgraph CLI["roar CLI"]
    A["Start lineage registration"]
    B{"--public?"}
    C["Public intent<br/>ignore repo binding"]
    D{"Repo binding exists?"}
    E["Build scope_request<br/>owner / project / visibility=private"]
    X["Stop:<br/>link repo or rerun with --public"]
    F{"Access token available?"}
    G["Use Bearer auth"]
    H{"SSH key available?"}
    I["Use SSH signature auth"]
    J{"Public anonymous fallback allowed?"}
    K["Anonymous public flow<br/>no Authorization header"]
    Y["Stop:<br/>run roar login or configure SSH"]
    L{"SSH public publish<br/>without bearer token?"}
    M["Optional authenticated identity lookup<br/>for canonical session hash"]
    N["Authenticated flow uses<br/>registration sessions"]
    O["Anonymous flow uses<br/>direct /sessions registration"]
    Z{"Auth mode"}
  end
  subgraph API["GLaaS API"]
    B1["Bearer middleware"]
    B2["Fetch TReqs access context"]
    B3["Link or auto-create local user<br/>cache treqsAccessContext"]
    S1["SSH middleware"]
    S2["Verify signature<br/>load local user"]
    R1["POST /registration-sessions"]
    R2["Stage jobs, artifacts, and links"]
    R3["POST /registration-sessions/:id/finalize"]
    R4{"scope_request present on finalize?"}
    R5{"Finalize auth mode?"}
    R6["Bearer scoped finalize:<br/>validate owner/project from live access context"]
    R7{"Cached linked access context<br/>present on SSH user?"}
    R8["SSH scoped finalize:<br/>validate owner/project from cached access context"]
    R9["400 error:<br/>refresh with bearer auth first"]
    R10["Finalize lineage hash<br/>materialize session/jobs/artifacts<br/>close registration session"]
    A1["POST /sessions"]
    A2["Default legacy public scope"]
    A3["Register jobs/artifacts directly<br/>against finalized session hash"]
  end
  A --> B
  B -- Yes --> C --> F
  B -- No --> D
  D -- No --> X
  D -- Yes --> E --> F
  F -- Yes --> G --> N
  F -- No --> H
  H -- Yes --> I --> L
  H -- No --> J
  J -- Yes --> K --> O
  J -- No --> Y
  L -- Yes --> M --> N
  L -- No --> N
  N --> Z
  Z -- Bearer --> B1 --> B2 --> B3 --> R1
  Z -- SSH --> S1 --> S2 --> R1
  R1 --> R2 --> R3 --> R4
  R4 -- No --> R10
  R4 -- Yes --> R5
  R5 -- Bearer --> R6 --> R10
  R5 -- SSH --> R7
  R7 -- Yes --> R8 --> R10
  R7 -- No --> R9
  O --> A1 --> A2 --> A3
```
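The finalize branch of the diagram (R4 through R10) and the lineage-hash-derived job UIDs, as an added illustration in Python that is not roar's or GLaaS's own code: the scope check differs by auth mode (live access context for Bearer, cached linked context for SSH, a 400 when the SSH user has none), and job UIDs come from the finalized lineage hash so a republish of the same staged content yields the same UIDs. Field names, the 403 on a scope mismatch, and the hash construction are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed model of a GLaaS access context; field names are assumptions.
@dataclass
class AccessContext:
    owner: str
    projects: frozenset

@dataclass
class SshUser:
    name: str
    cached_access_context: Optional[AccessContext] = None  # set by a prior bearer login

class FinalizeError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status

def validate_scope(scope_request: dict, ctx: Optional[AccessContext]) -> None:
    # Both owner and project in scope_request must be granted by the access context.
    if (ctx is None or scope_request["owner"] != ctx.owner
            or scope_request["project"] not in ctx.projects):
        raise FinalizeError(403, "scope_request not covered by access context")  # assumed status

def lineage_hash(staged: dict, scope: dict) -> str:
    # Canonical JSON so identical staged content and scope always finalize to one hash.
    payload = json.dumps({"staged": staged, "scope": scope}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def job_uid(lineage: str, job_name: str) -> str:
    # Publication-scoped UID derived from the lineage hash, so republishing stays stable.
    return hashlib.sha256(f"{lineage}:{job_name}".encode()).hexdigest()[:16]

def finalize(staged: dict, auth_mode: str, scope_request: Optional[dict] = None,
             live_ctx: Optional[AccessContext] = None, ssh_user: Optional[SshUser] = None) -> dict:
    if scope_request is None:
        scope = {"visibility": "public"}                       # R4 "No": default public scope
    elif auth_mode == "bearer":
        validate_scope(scope_request, live_ctx)                # R6: live access context
        scope = scope_request
    elif auth_mode == "ssh":
        if ssh_user is None or ssh_user.cached_access_context is None:
            raise FinalizeError(400, "refresh with bearer auth first")  # R9
        validate_scope(scope_request, ssh_user.cached_access_context)   # R8: cached context
        scope = scope_request
    else:
        raise FinalizeError(401, "unknown auth mode")
    lineage = lineage_hash(staged, scope)                      # R10: finalize lineage hash
    return {"lineage_hash": lineage, "scope": scope,
            "jobs": {name: job_uid(lineage, name) for name in staged["jobs"]}}
```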