Closed Bug 1288051 Opened 8 years ago Closed 7 years ago

Roles: provide a mechanism to search for roles that satisfy a given scope

Categories

(Taskcluster :: UI, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmoore, Unassigned)

Details

Given a scope, optionally with a trailing '*', it should be possible to find all roles that provide that scope either directly or indirectly via expanded scopes.

Personally I prefer creating an endpoint to provide this functionality so that tools can use this feature, rather than just interactive users via a web interface. Also, creating an endpoint rather than a client-side tool means the implementation can be much more efficient than requiring all roles to be transmitted over HTTP and scopes expanded. Lastly, it encourages consistency, since there would be only one canonical implementation.

Ideally we'd create an endpoint that takes a list of scopes, and for each scope provided, returns a list of roles that satisfy that scope. We should also then provide a means to hit this endpoint via the tools.taskcluster.net web interface on the roles page.

I don't think this should be in the auth service -- it's complicated enough already, and all of the information required to determine this is already easily available. I think this should be implemented client-side, preferably in tcadmin. Something like

  tcadmin has-scope 'aws-provisioner:manage-worker-type:garbage-*'

Ideally this would scan both clients and roles. The listRoles endpoint provides expanded role scopes, making this pretty lightweight.

There's some complexity with the implementation, and a little ambiguity of meaning around * expansion in roles, but nothing too difficult.

Indeed, good eye!
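The client-side lookup discussed in this bug, sketched as an added example (it is not Taskcluster or tcadmin code). The field names `roleId` and `expandedScopes`, the sample roles, and the two matching modes are assumptions made here: "full" means the role grants everything the query names, "partial" means it grants at least one scope inside a `*` query.

```python
# Added example over constructed data; not Taskcluster's implementation.
# Assumption: a trailing '*' is the only wildcard, in held scopes and in queries.

def grants(held, wanted):
    """Full match: the held scope covers everything `wanted` names."""
    if held.endswith("*"):
        # 'a:*' covers 'a:b' and also the narrower pattern 'a:b-*'.
        return wanted.startswith(held[:-1])
    return held == wanted

def overlaps(held, wanted):
    """Partial match: the held scope covers at least one scope in `wanted`."""
    if grants(held, wanted):
        return True
    if wanted.endswith("*"):
        # The held scope (or pattern) sits inside the queried prefix.
        return held.startswith(wanted[:-1])
    return False

def find_roles(roles, wanted_scopes, partial=False):
    """Map each queried scope to the sorted roleIds that satisfy it."""
    match = overlaps if partial else grants
    return {
        wanted: sorted(
            r["roleId"] for r in roles
            if any(match(h, wanted) for h in r["expandedScopes"])
        )
        for wanted in wanted_scopes
    }

# Constructed sample shaped like a role listing with expanded scopes.
ROLES = [
    {"roleId": "root", "expandedScopes": ["*"]},
    {"roleId": "provisioner-admin", "expandedScopes": ["aws-provisioner:*"]},
    {"roleId": "garbage-owner", "expandedScopes": [
        "aws-provisioner:manage-worker-type:garbage-*",
        "queue:create-task:aws-provisioner-v1/garbage-*"]},
    {"roleId": "garbage-one", "expandedScopes": [
        "aws-provisioner:manage-worker-type:garbage-test"]},
    {"roleId": "docs", "expandedScopes": ["auth:aws-s3:read-write:docs/*"]},
]

if __name__ == "__main__":
    query = ["aws-provisioner:manage-worker-type:garbage-*"]
    print("full:   ", find_roles(ROLES, query))
    print("partial:", find_roles(ROLES, query, partial=True))
```

The partial mode is the one to use when auditing for over-broad grants, since it also surfaces roles that hold only a slice of the queried prefix.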
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Tools → UI and Tools