Closed
Bug 1258445
Opened 8 years ago
Closed 3 years ago
Permanent clients should store clientId (and issuer if temp credentials) of client that created them
Categories
(Taskcluster :: Services, defect, P5)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: pmoore, Unassigned)
Details
For example, if * clientId <B> is created from clientId <A> * clientId <C> is created from clientId <B> then when viewing clientId <C>, it would be useful to see it was created from clientId <B>, which in turn was created from clientId <A>. A real example is that clientId "project/taskcluster/tc-client-go/tests" was created from clientId "mozilla-ldap/pmoore@mozilla.com" (I believe). This chain should be shown, in this example, on this page: * https://tools.taskcluster.net/auth/clients/#project%252ftaskcluster%252ftc-client-go%252ftests If temporary credentials in the creation chain should also be shown, both named and unnamed. This way, we have a audit trail of how the clientId came into existence.
Reporter | ||
Comment 1•8 years ago
|
||
s/If temporary/Temporary/ s/a audit trail/an audit trail/ :)
Comment 2•8 years ago
|
||
I'd rather just log this information to mozdef
Reporter | ||
Comment 3•8 years ago
|
||
Is that transparent, or can only taskcluster admins see it? I don't know what mozdef is. :)
Comment 4•8 years ago
|
||
Mozdef is the infrasec team's centralized logging system, and the right place for an audit trail. John was working on structured logging and feeding that to mozdef.
Comment 5•8 years ago
|
||
This seems to overlap with https://bugzilla.mozilla.org/show_bug.cgi?id=1264078
Comment 7•7 years ago
|
||
This is related to (and probably part of) part 2 of bug 1346013 I think.
Flags: needinfo?(bstack)
Reporter | ||
Comment 8•7 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #4) > Mozdef is the infrasec team's centralized logging system, and the right > place for an audit trail. John was working on structured logging and > feeding that to mozdef. We should also show this information in the web interface.
Comment 9•6 years ago
|
||
Closing as wontfix right now.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 10•6 years ago
|
||
(In reply to :Eli Perelman from comment #9) > Closing as wontfix right now. I see this as a key security feature, which not only helps trace abuses from unknown clients, but also helps inform people that operate the taskcluster platform about the validity of particular clients. For example, if I find a client with a strange name, I have no means to understand where that came from, who created it, whether it is actively used, and ultimately if it has been created by a bad actor. If I see a suspicious client, and I see it has been created by a client of dustin's, I can speak to him about him and ask if it is genuine. My concern is that if this information is buried in an auditing system I don't have access to, the ability to clean up clients during routine housekeeping is no longer possible. In real terms, I believe it means storing an extra field in the client when we create it, which would be the client that made the request. It looks to me like the client is created here: https://github.com/taskcluster/taskcluster-auth/blob/3c916ad24b6b18fde1323f9379641c7b64b823b6/src/v1.js#L212-L226 Even if we don't fix it in the UI for now, I think we should fix it in Auth. Reopening and moving to the auth component....
Status: RESOLVED → REOPENED
Component: Tools → Authentication
Resolution: WONTFIX → ---
Reporter | ||
Updated•6 years ago
|
Summary: Client Manager should show clientId creation (audit) chain → Permanent clients should store clientId (and issuer if temp credentials) of client that created them
Updated•6 years ago
|
Priority: -- → P5
Assignee | ||
Updated•5 years ago
|
Component: Authentication → Services
Comment 11•3 years ago
|
||
We now have good auditing of client creation, which suits the security requirements here.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 3 years ago
Resolution: --- → FIXED
Updated•3 years ago
|
Resolution: FIXED → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•