Closed
Bug 1010620
Opened 11 years ago
Closed 11 years ago
Secure artifacts
Categories
(Taskcluster :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jlal, Unassigned)
Details
Problem:
A subset of our Mozilla builds contain bits which cannot be distributed publicly... The content of these builds absolutely cannot be leaked (via changing flags on try, etc...) but artifacts from these builds must be stored (including symbols, etc...) and may later be made available to select users.
Potential Solutions:
"Know" (to be defined) that the task is "secure" and the signed artifact URLs given to the task will go into a different secure bucket isolated from the other public task artifacts.
Another side of this is the fact that most "secure" artifacts require "secure" images and both have similar issues of "who" can create these tasks.
Comment 1•11 years ago
With the new queue just deployed today (so now worker or scheduler works with it) this is now addressed.
All artifacts are given a name and in order to get the artifact you must have a permission of the form:
`queue:get:artifact:<name>`, where <name> is the artifact name.
Unless the artifact name starts with `public/` in which case no authentication is necessary.
Note, permission scopes can end in "*", meaning they authorize all postfixes of the string.
So we can give the scope `queue:get:artifact:private/~<username>/*` to any user... when we have users with usernames :)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
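Added example, not part of the bug comments and not Taskcluster's own code: a minimal check that follows the rules stated in comment 1 (`public/` names need no authentication, everything else needs `queue:get:artifact:<name>`, and a scope ending in `*` authorizes all postfixes). The function names, user names and artifact names are assumptions made up for illustration; the last case shows why the `/` before `*` matters in a per-user scope.

```javascript
// Added illustration of the scope rules described in comment 1.
// Function names are hypothetical; this is not the queue's source code.
const ARTIFACT_SCOPE_PREFIX = 'queue:get:artifact:';

// A held scope satisfies a required scope when the two are identical, or
// when the held scope ends in "*" and the required scope starts with
// everything that precedes that "*". A "*" anywhere else is a literal.
function scopeSatisfies(heldScope, requiredScope) {
  if (heldScope.endsWith('*')) {
    return requiredScope.startsWith(heldScope.slice(0, -1));
  }
  return heldScope === requiredScope;
}

// Decide whether a caller holding `heldScopes` may fetch artifact `name`.
function canGetArtifact(name, heldScopes) {
  if (typeof name !== 'string' || name.length === 0) {
    return false; // fail closed on malformed input
  }
  // Names under "public/" need no authentication. The trailing slash is
  // part of the test, so "publicity/x" is NOT treated as public.
  if (name.startsWith('public/')) {
    return true;
  }
  const required = ARTIFACT_SCOPE_PREFIX + name;
  return heldScopes.some((held) => scopeSatisfies(held, required));
}

// Constructed sample scope sets (user "alice" is made up).
const aliceScopes = ['queue:get:artifact:private/~alice/*'];
// Same grant with the "/" before "*" forgotten: it now also covers any
// user whose name merely begins with "alice".
const sloppyScopes = ['queue:get:artifact:private/~alice*'];

// Constructed artifact names, evaluated against both grants.
function demo() {
  const names = [
    'public/build/target.zip',
    'private/~alice/symbols.zip',
    'private/~alice2/symbols.zip',
  ];
  return names.map((n) => ({
    name: n,
    anonymous: canGetArtifact(n, []),
    alice: canGetArtifact(n, aliceScopes),
    sloppy: canGetArtifact(n, sloppyScopes),
  }));
}

console.table(demo());
```
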
Updated•10 years ago
Component: TaskCluster → General
Product: Testing → Taskcluster
Target Milestone: --- → mozilla41
Version: unspecified → Trunk
Comment 2•10 years ago
Resetting Version and Target Milestone that accidentally got changed...
Target Milestone: mozilla41 → ---
Version: Trunk → unspecified