Closed Bug 1119241 Opened 9 years ago Closed 9 years ago

Generate an auth key for RelEng build machines to use for symbol upload

Categories

(Socorro :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ted, Unassigned)

References

Details

We want RelEng build machines uploading symbols using the symbol upload API, but they need an auth key. Since these aren't a single user I don't know what the process is here. Presumably someone could just log in with Persona and generate one for their account, but is that what we want to do? (Or should we just do that as a stopgap until we split the symbol upload api out of Socorro and it gets its own non-persona auth?)
An immediate problem is that API tokens are hardcoded to expire after 3 months. That makes it quite hard for an individual to create a token once and forget about it. 
An easy solution to that is to have the API creation tool in the admin panel as a superuser activity to create API tokens without any restrictions. 

With regards to "split the symbol upload api out of Socorro" I'm not entirely sure I understand but don't see this as being a necessary or feasible thing to do. We are going to change the inside of the Symbols Upload API (we're going to post symbols straight from Django's tmp storage to S3 in one sweep) but that shouldn't affect any of the "external" functionality.
To mention explicitly, SeaMonkey will need our own (seperate) key generated using whatever method works for MoCo/Firefox
(In reply to Peter Bengtsson [:peterbe] from comment #1)
> An immediate problem is that API tokens are hardcoded to expire after 3
> months. That makes it quite hard for an individual to create a token once
> and forget about it. 
> An easy solution to that is to have the API creation tool in the admin panel
> as a superuser activity to create API tokens without any restrictions. 

That is unfortunate. Should we file a separate bug on that?

> With regards to "split the symbol upload api out of Socorro" I'm not
> entirely sure I understand but don't see this as being a necessary or
> feasible thing to do. We are going to change the inside of the Symbols
> Upload API (we're going to post symbols straight from Django's tmp storage
> to S3 in one sweep) but that shouldn't affect any of the "external"
> functionality.

This was just something lonnen and rhelmer had mentioned as a possibility, don't read too much into it. :)
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #3)
> (In reply to Peter Bengtsson [:peterbe] from comment #1)
> > An immediate problem is that API tokens are hardcoded to expire after 3
> > months. That makes it quite hard for an individual to create a token once
> > and forget about it. 
> > An easy solution to that is to have the API creation tool in the admin panel
> > as a superuser activity to create API tokens without any restrictions. 
> 
> That is unfortunate. Should we file a separate bug on that?
> 
https://bugzilla.mozilla.org/show_bug.cgi?id=1119347

> > With regards to "split the symbol upload api out of Socorro" I'm not
> > entirely sure I understand but don't see this as being a necessary or
> > feasible thing to do. We are going to change the inside of the Symbols
> > Upload API (we're going to post symbols straight from Django's tmp storage
> > to S3 in one sweep) but that shouldn't affect any of the "external"
> > functionality.
> 
> This was just something lonnen and rhelmer had mentioned as a possibility,
> don't read too much into it. :)

Because my brain capacity is so limited, let's attack this whole bug one thing at a time. We'll figure out the token part first and worry about the monolith-explosion much later.
Depends on: 1119347
Okay, so peterbe says the next steps are:
<peterbe> ted: No, they just need to sign in [to crash-stats] once and file a bug for lonnen to be given permissions. 
<ted> okay, great
<peterbe> Once he's done that someone can generate the token for them. 

Callek, can you do this bit?
Flags: needinfo?(bugspam.Callek)
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #5)
> Okay, so peterbe says the next steps are:
> <peterbe> ted: No, they just need to sign in [to crash-stats] once and file
> a bug for lonnen to be given permissions. 
> <ted> okay, great
> <peterbe> Once he's done that someone can generate the token for them. 

I've logged into crash-stats. What permissions do I need to ask lonnen for?
Flags: needinfo?(bugspam.Callek)
Depends on: 1123891
(In reply to Chris Cooper [:coop] from comment #6)
> (In reply to Ted Mielczarek [:ted.mielczarek] from comment #5)
> > Okay, so peterbe says the next steps are:
> > <peterbe> ted: No, they just need to sign in [to crash-stats] once and file
> > a bug for lonnen to be given permissions. 
> > <ted> okay, great
> > <peterbe> Once he's done that someone can generate the token for them. 
> 
> I've logged into crash-stats. What permissions do I need to ask lonnen for?

The permission is called "Upload Symbols Files"
catlee was interested in figuring out if we could use an alias like release@mozilla.com to avoid a dependency on a single person. If someone wants to see if that is workable I am amenable to that. It's just a matter of trying to log in with Persona using that alias. If you can do that then we can use it for Socorro auth.
Flags: needinfo?(catlee)
haven't figured out how to do this yet :(
Flags: needinfo?(catlee)
I have the token now. 

AFAICT the token doesn't require any extra user info for use. You just include it as a header and you're golden. This will make it easier to rev the token in the future because anyone on releng can create a new token and replace the existing one, assuming we don't get a longer-lived token at some point.

Where should I put the token so that other people can start using it?
I think we have one too many bugs here. Let's handle this in bug 1119238.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.