Closed Bug 1256387 Opened 8 years ago Closed 6 years ago

introduce auth:manage-scope:<scope>

Categories

(Taskcluster :: Services, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jonasfj, Unassigned)

Details

Scope:   "auth:manage-scope:<scope>"
Concept: Grants authority to manage a scope namespace
Actions:
  - Add/remove <scope> and/or auth:manage-scope:<scope> to/from any role
  - Add/remove <scope> and/or auth:manage-scope:<scope> to/from any client
Use-case:
    We can give people pieces of scoped authority that we entrust them to manage
    and delegate to other people.
    Examples:
    - releng gets: "auth:manage-scope:releng-api:*"
    - ateam gets:  "auth:manage-scope:treeherder:*"
    - releng gets: "auth:manage-scope:signing:*"
    - releng gets: "auth:manage-scope:funsize:*"
    - releng gets: "auth:manage-scope:queue:route:index.gecko.v2.*"
  With this pattern people or groups of people get:
  * the privilege of being able to delegate scopes, and
  * the responsibility of having to revoke them from people too.

The real argument is TC admins shouldn't use their * scope to grant people
access to a service like balrog.

For details see:
https://public.etherpad-mozilla.org/p/jonasfj-auth-delegation-project-roles-rambling
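The check the proposal describes, written out as an added example (not code from this bug or from Taskcluster's auth service). It assumes Taskcluster's usual scope satisfaction (a held scope ending in `*` satisfies any scope that begins with the text before the `*`; otherwise the scopes must be identical) and uses the hypothetical function names canManageScope and authorizeScopeUpdate; the sample role and caller scopes at the bottom are constructed.

```javascript
// Added example of the proposed auth:manage-scope:<scope> rule (not Taskcluster code).
// Assumes Taskcluster-style scope satisfaction: a held scope ending in "*"
// satisfies any scope that starts with the text before the "*"; otherwise
// the two scopes must be identical.
const MANAGE_PREFIX = 'auth:manage-scope:';

function scopeSatisfies(held, wanted) {
  if (held.endsWith('*')) {
    return wanted.startsWith(held.slice(0, -1));
  }
  return held === wanted;
}

function hasScope(callerScopes, wanted) {
  return callerScopes.some((held) => scopeSatisfies(held, wanted));
}

// The proposal: to add or remove `scope` (or auth:manage-scope:<scope>) on a
// role or client, the caller must hold auth:manage-scope:<X> with X satisfying
// the underlying scope. Stripping one manage prefix makes delegating the
// management right subject to the same namespace as the scope itself.
function canManageScope(callerScopes, scope) {
  const target = scope.startsWith(MANAGE_PREFIX)
    ? scope.slice(MANAGE_PREFIX.length)
    : scope;
  return hasScope(callerScopes, MANAGE_PREFIX + target);
}

// Authorize a role (or client) scope update by checking every scope the
// change would add or remove; returns the scopes the caller may not touch.
function authorizeScopeUpdate(callerScopes, currentScopes, newScopes) {
  const added = newScopes.filter((s) => !currentScopes.includes(s));
  const removed = currentScopes.filter((s) => !newScopes.includes(s));
  const denied = [...added, ...removed].filter(
    (s) => !canManageScope(callerScopes, s),
  );
  return { allowed: denied.length === 0, denied };
}

// Constructed sample: releng holds the manage-scope for the signing namespace
// (one of the examples in the report) and tries to change a role's scopes.
const relengScopes = ['auth:manage-scope:signing:*'];
const roleBefore = ['signing:nightly'];
const roleAfter = ['signing:nightly', 'signing:release', 'balrog:write'];
console.log(authorizeScopeUpdate(relengScopes, roleBefore, roleAfter));
// { allowed: false, denied: [ 'balrog:write' ] }
```

The signing manager can add `signing:release` (and could hand out `auth:manage-scope:signing:release` to delegate further) but is refused `balrog:write`, since no held manage-scope covers that namespace. A caller holding the bare `*` scope still passes every check here, which is exactly why the report argues that admins should not use `*` to grant service access directly.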
I think this has been superseded by some further thinking on role granting.  At any rate, that deserves an RFC.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Component: Authentication → Services