Name CellPipe cells hierarchically for mTLS identity resolution #4801
Merged
…gate

Direct CellPipe cells use sibling FQCNs like site-1_<job>_active but authenticate with the owning site's certificate. CellIdentityResolver handled dotted child FQCNs but fell back to the alias itself for these underscore aliases, so the mTLS gate in conn_manager rejected the connection before the auth-token alias exception could apply, failing jobs with FINISHED:EXECUTION_EXCEPTION.

Teach resolve() to recognize only the constrained alias form <owner>_<runtime_id>_(active|passive) with a non-empty runtime_id containing no '.' or '_' (mirroring _origin_matches_fqcn in authenticator.py), and resolve the owner through the normal identity maps. Right-anchored parsing keeps ambiguous forms like site-a_x_<uuid>_active bound to site-a_x.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mode>

CellPipe cells were named with underscore aliases (site-1_<job>_active) that don't fit FQCN semantics: the mTLS identity gate and auth-token binding needed special alias parsing to map them to the owning site. Name them <site>.<token>.<mode> scoped under the cell they connect to (site-1.<job>.active via CP or server root; relay-1.site-1.<job>.active via a relay), so identity resolution and origin binding follow the normal FQCN hierarchy.

To support the new names:
- CellPipe picks root-style vs parent-style connection by the connect target (server root vs CP/relay) instead of by name shape, keeping TLS settings for direct-to-server pipes.
- A client cell configured with only a root URL creates the backbone external connector regardless of generation.
- Same-family endpoint resolution falls through to generic path resolution when the literal FQCN parent is not connected, since pipe cells connect to an ancestor (CP/relay) or the root instead.

The underscore-alias parsing in the identity resolver and authenticator is kept for backward compatibility with peers running older versions.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #4801 +/- ##
==========================================
+ Coverage 55.78% 55.85% +0.06%
==========================================
Files 967 967
Lines 91795 91810 +15
==========================================
+ Hits 51212 51277 +65
+ Misses 40583 40533 -50
pcnudde approved these changes Jun 15, 2026
Fixes # .
Description
Direct CellPipe cells authenticated with the owning site's certificate but were named with underscore aliases such as site-1_<job-id>_active / site-1_<job-id>_passive, which don't fit FQCN semantics. The mTLS gate in conn_manager.update_endpoint rejected these connections (authenticated as 'site-1' ... requires identity 'site-1_<job>_active'), failing jobs with FINISHED:EXECUTION_EXCEPTION.

This PR fixes the problem at the naming level: CellPipe cells are now named hierarchically as <site>.<token>.<mode> (e.g. site-1.<job-id>.active), scoped under the cell they connect to (relay-1.site-1.<job-id>.active when joining via a relay). With the owning site as a leading FQCN segment, mTLS identity resolution and auth-token origin binding follow the normal FQCN hierarchy — no alias parsing needed.

Changes to support the new names:
- cell_pipe.py: _cell_fqcn produces the hierarchical name; _build_cell picks root-style vs parent-style connection by the connect target (server root vs CP/relay) instead of by name shape, preserving the TLS settings for direct-to-server pipes.
- core_cell.py: a client cell configured with only a root URL creates the backbone external connector regardless of generation; same-family endpoint resolution falls through to generic path resolution when the literal FQCN parent is not connected (pipe cells connect to an ancestor or the root instead).
- identity.py / authenticator.py: the underscore-alias parsing is kept for backward compatibility with peers running older NVFlare versions, with comments marking it as legacy.

Notes for reviewers:
Types of changes
./runtest.sh.

🤖 Generated with Claude Code
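The legacy alias rule and the hierarchical naming described in this PR, as an added Python sketch that is not NVFlare's code: the function names, the known-identity set and the ancestor walk are assumptions made for illustration, and relay-scoped names are not modeled. It shows why the gate rejected underscore aliases before alias parsing existed, and how right-anchored parsing binds an ambiguous alias to the longer owner name.

```python
import re

# Legacy alias form from the PR text: <owner>_<runtime_id>_(active|passive),
# with a non-empty runtime_id containing no '.' or '_'. A greedy owner group
# plus fullmatch() makes the parse right-anchored.
_LEGACY_ALIAS = re.compile(r"(?P<owner>.+)_(?P<rid>[^._]+)_(?:active|passive)")


def owner_of_legacy_alias(name):
    """Return the owner part of a legacy underscore alias, or None."""
    m = _LEGACY_ALIAS.fullmatch(name)
    return m.group("owner") if m else None


def required_identity(fqcn, known_identities, parse_legacy_alias=True):
    """Identity a peer must present to use `fqcn` (hypothetical model).

    Walks up the dotted hierarchy to the nearest name in `known_identities`.
    If nothing matches, falls back to the name itself, which is the behaviour
    the PR describes for unrecognized underscore aliases.
    """
    candidate = fqcn
    if parse_legacy_alias:
        candidate = owner_of_legacy_alias(fqcn) or fqcn
    parts = candidate.split(".")
    while parts:
        name = ".".join(parts)
        if name in known_identities:
            return name
        parts.pop()
    return fqcn


def mtls_gate_allows(cert_identity, claimed_fqcn, known_identities,
                     parse_legacy_alias=True):
    """True when the certificate identity matches what the FQCN requires."""
    needed = required_identity(claimed_fqcn, known_identities, parse_legacy_alias)
    return needed == cert_identity


if __name__ == "__main__":
    known = {"server", "site-1", "site-a", "site-a_x"}  # constructed sample
    for cell in ("site-1.job-42.active", "site-1_job-42_active",
                 "site-a_x_9f1c-77_active"):
        print(cell, "->", required_identity(cell, known))
```
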