Closed Bug 1258445 Opened 8 years ago Closed 3 years ago

Permanent clients should store clientId (and issuer if temp credentials) of client that created them

Categories

(Taskcluster :: Services, defect, P5)

Product:
Taskcluster
Component:
Services
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: pmoore, Unassigned)

Details

For example, if

  * clientId <B> is created from clientId <A>
  * clientId <C> is created from clientId <B>

then when viewing clientId <C>, it would be useful to see it was created from clientId <B>, which in turn was created from clientId <A>.

A real example is that clientId "project/taskcluster/tc-client-go/tests" was created from clientId "mozilla-ldap/pmoore@mozilla.com" (I believe).

This chain should be shown, in this example, on this page:
  * https://tools.taskcluster.net/auth/clients/#project%252ftaskcluster%252ftc-client-go%252ftests

If temporary credentials in the creation chain should also be shown, both named and unnamed.

This way, we have a audit trail of how the clientId came into existence.
s/If temporary/Temporary/
s/a audit trail/an audit trail/

:)
I'd rather just log this information to mozdef
Is that transparent, or can only taskcluster admins see it? I don't know what mozdef is. :)
Mozdef is the infrasec team's centralized logging system, and the right place for an audit trail.  John was working on structured logging and feeding that to mozdef.
Brian, do you think our audit logs cover this?
Flags: needinfo?(bstack)
This is related to (and probably part of) part 2 of bug 1346013 I think.
Flags: needinfo?(bstack)
(In reply to Dustin J. Mitchell [:dustin] from comment #4)
> Mozdef is the infrasec team's centralized logging system, and the right
> place for an audit trail.  John was working on structured logging and
> feeding that to mozdef.

We should also show this information in the web interface.
Closing as wontfix right now.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
(In reply to :Eli Perelman from comment #9)
> Closing as wontfix right now.

I see this as a key security feature, which not only helps trace abuses from unknown clients, but also helps inform people that operate the taskcluster platform about the validity of particular clients. For example, if I find a client with a strange name, I have no means to understand where that came from, who created it, whether it is actively used, and ultimately if it has been created by a bad actor.

If I see a suspicious client, and I see it has been created by a client of dustin's, I can speak to him about him and ask if it is genuine. My concern is that if this information is buried in an auditing system I don't have access to, the ability to clean up clients during routine housekeeping is no longer possible.

In real terms, I believe it means storing an extra field in the client when we create it, which would be the client that made the request. It looks to me like the client is created here: https://github.com/taskcluster/taskcluster-auth/blob/3c916ad24b6b18fde1323f9379641c7b64b823b6/src/v1.js#L212-L226 

Even if we don't fix it in the UI for now, I think we should fix it in Auth. Reopening and moving to the auth component....
Status: RESOLVED → REOPENED
Component: Tools → Authentication
Resolution: WONTFIX → ---
Summary: Client Manager should show clientId creation (audit) chain → Permanent clients should store clientId (and issuer if temp credentials) of client that created them
Priority: -- → P5
Component: Authentication → Services

We now have good auditing of client creation, which suits the security requirements here.

Status: REOPENED → RESOLVED
Closed: 6 years ago3 years ago
Resolution: --- → FIXED
Resolution: FIXED → WONTFIX
You need to log in before you can comment on or make changes to this bug.