Support CWL `Secrets` requirement
fmigneault opened this issue · 0 comments
fmigneault commented
Description
This requirement can be used to obfuscate the tool inputs such as credentials from the logs.
Although cwltool
should be doing its job when the execution is handed off to it, the actual inputs submitted to the Weaver Job might still leak some information in logs. Also, those inputs should be omitted from places where they are normally readable.
- ensure inputs are not reported in logs when they are specified with
Secrets
requirement - ensure inputs are not listed in plain text on
/jobs/{JobID}/inputs
endpoints
(use obfuscated representation instead, see inspiration from https://github.com/common-workflow-language/cwltool/blob/main/cwltool/secrets.py#L8) - add the definition to the CWL JSON schema (in
swagger_definitions
). - add the typing name to allowed/known requirements