Closed Bug 1137740 Opened 10 years ago Closed 9 years ago

Auth: Stricter scope policy when auth.taskcluster.net issues temporary credentials to <anyone>@mozilla.com

Categories

(Taskcluster :: General, defect)

Product:
Taskcluster
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rail, Assigned: dustin)

References

Details

Attachments

(1 file)

github PR
54 bytes, text/x-github-pull-request
jhford
: review+
Details | Review
Anyone with @mozilla.com account can create credentials with "*" scope. This is not ideal for some sensitive tasks, like signing. It would be great if we can limit this and revoke all * scopes.
We've been talking about this for a while. The scopes issued to <anyone>@mozilla.com is an obvious problem. But there is a lot of other places we can and should avoid handing out the '*' scope. I've filed bug 1137827 as meta-bug for tracking all scope reduction work.
Summary: Stricter scope policy → Auth: Stricter scope policy when auth.taskcluster.net issues temporary credentials to <anyone>@mozilla.com
Blocks: 1149147
Attached file github PR
Should be a quick review... Sorry the diff is a bit messed up, indentation... Note, self defined "auth_clientIdForTempCreds" before you merge and/or deploy this...
Assignee: nobody → jopsen
Status: NEW → ASSIGNED
Attachment #8593679 - Flags: review?(jhford)
Comment on attachment 8593679 [details] [review] github PR This looks good to me! I'll let you merge it as I don't want to break anything whist deploying.
Attachment #8593679 - Flags: review?(jhford) → review+
Temporary credentials are now issued using the "yHLBn3GaTY-SYhTnKw3X-Q" user. called "temporary-credentials" we can now restrict which scopes it has in the UI.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Component: TaskCluster → General
Product: Testing → Taskcluster
Target Milestone: --- → mozilla41
Version: unspecified → Trunk
Resetting Version and Target Milestone that accidentally got changed...
Target Milestone: mozilla41 → ---
Version: Trunk → unspecified
(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #4) > Temporary credentials are now issued using the "yHLBn3GaTY-SYhTnKw3X-Q" user. > called "temporary-credentials" we can now restrict which scopes it has in > the UI. ..and yet we didn't do that, so this isn't really resolved!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
When bug 1203659 lands, this will no longer be the case, and the credential in comment 4 should be deleted.
Depends on: 1203659
Looking forward to a time when taskcluster-login is deployed, I'm going to start creating some group-related roles and assuming those roles from this credential.
I added the following as a rough draft: 'client-id:yHLBn3GaTY-SYhTnKw3X-Q': [ # temporary credentials 'assume:moz-ldap-group:scm_level_3', 'assume:moz-ldap-group:team_moco', '*', # XXX ], 'moz-ldap-group:releng': [ 'scheduler:*', 'queue:*', 'docker-worker:*', 'buildbot-bridge:*', 'signing:*', 'releng:*', ], 'moz-ldap-group:scm_level_1': [ 'assume:moz-tree:level:1', ], 'moz-ldap-group:scm_level_2': [ 'assume:moz-tree:level:2', ], 'moz-ldap-group:scm_level_3': [ 'assume:moz-tree:level:3', ], 'moz-ldap-group:team_moco': [ 'auth:create-role:*', 'auth:update-role:*', ], 'moz-ldap-group:team_taskcluster': [ 'auth:create-client:*', 'auth:create-role:*', 'auth:delete-client:*', 'auth:delete-role:*', 'auth:update-client:*', 'auth:update-role:*', '*', ], 'moz-ldap-group:team_relops': [ 'assume:moz-ldap-group:releng', ], I'm worried that removing `*` will invalidate any existing temp creds. I'll verify that it does, then ponder how to roll this out.
Yes, after removing `*`, anything that requires scopes results in "ext.issuer does not have sufficient scopes" or something like that. Which isn't such a big deal -- most day-to-day activities (task inspector, task-graph-inspector) don't require scopes so they continue to work fine. That said, we very much want to invalidate these temporary credentials, since they are good for 1000 years (literally). Also, the temp credentials are granted using `{scopes: client.expandScopes()}` which means that the temp credentials don't automatically adjust as roles are modified. Instead, if a role shrinks (e.g., we remove `auth:create-task:<some unused worker>` from a role), all temp credentials with that role become completely invalid. If a role expands, the temporary credentials do not satisfy the newly added scopes. I'll propose a small modification to tc-auth to handle this case, even though tc-login will result in removing this code entirely. Once the change has landed, we can remove the `*` scope above.
@dustin, there were never good for 1000 years... The date is in ms. they are currently good for 31 days. And no server will accept temp creds with expiry over 31 days. We check this on the server for every request: https://github.com/taskcluster/taskcluster-base/blob/5883272d75cd7f508b9542a147e6af589b4115cc/api.js#L790-L792
Haha, yes, you're right. I've forgotten JS's affinity for ms more times than I care to discuss.
Depends on: 1221617
OK, we're agreed that the plan is: * land and deploy #25 * modify client-id:yHLBn3GaTY-SYhTnKw3X-Q to remove '*' * this will immediately invalidate all existing temp creds, so people will re-auth After this, the temp creds will have scopes `["assume:client-id:yHLBn3GaTY-SYhTnKw3X-Q"]`, so whatever scopes that clientId has will be immediately available or unavailable to all temp creds.
Assignee: jopsen → dustin
Done and done. I verified I can still create a new task with a new temp cred.
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: