Closed
Bug 1137827
(tc-scope-lockdown)
Opened 9 years ago
Closed 8 years ago
[meta] Reduce the number of clients that get the '*' scope
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jonasfj, Assigned: dustin)
References
Details
We should absolutely reduce the number of clients that get the "*" scope. It's fine that some have scopes of the form "<non-zero-prefix>*", as long as it's a non-zero prefix. There are a lot of places to reduce the scopes issued. I'm not super concerned with components like queue, provisioner, index, etc.; a few of them legitimately need the '*' scope, and for the others it's a configuration issue. However, there are places where we absolutely should reduce the scopes issued:

1) auth issues temporary credentials to <anyone>@mozilla.com with the "*" scope. (bug 1137740)
2) docker-worker currently has the "*" credentials for the authentication proxy. (bug 1137821)

Please file bugs for any other scope reduction issues; this will be a meta-bug tracking efforts to tighten scope policies.
Updated•9 years ago
Component: TaskCluster → General
Product: Testing → Taskcluster
Updated•9 years ago
Component: General → Authentication
Comment 1•9 years ago
So here's what our current set of clientIds looks like, roughly divided by purpose. This is publicly accessible via API, btw.

TESTING
=======

-69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
assume:client-id:-69R5nFgQhmFalR2J3y9pA
queue:create-task:test/test
queue:define-task:test/test
queue:claim-task
assume:worker-type:test/test
assume:worker-id:test/test
queue:report-task-completed
queue:resolve-task
queue:route:tc-treeherder-test*
queue:rerun-task
assume:scheduler-id:*
queue:route:test*
scheduler:*
----
-yX0fVeLQWWwZ8wS0DHz9Q - ### Imported: dummy-test-scheduler
Credentials for automatic testing of the task-graph scheduler against production queue. These should not be leaked, but can be embedded as **encrypted** environment variables in things like `travis.yml`. Or stored in a local configuration file for testing the scheduler locally. This is also used for testing `taskcluster-client`.
assume:client-id:-yX0fVeLQWWwZ8wS0DHz9Q
queue:define-task:dummy-test-provisioner/dummy-test-worker-type
queue:schedule-task
queue:claim-task
assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
queue:report-task-completed
queue:rerun-task
assume:scheduler-id:dummy-test-scheduler/*
queue:resolve-task
----
DqpvW5MaS7SkHjYpe0hfrg - ### Imported: taskcluster-secrets-test-client
For testing taskcluster-secrets....
assume:client-id:DqpvW5MaS7SkHjYpe0hfrg
secrets:write
secrets:delete
secrets:github:ninethings:website:*
----
6uwU3ANNT0ed0UEyfG2W8w - ### Imported: dummy-index-test
Dummy used for testing `taskcluster-index`.
assume:client-id:6uwU3ANNT0ed0UEyfG2W8w
queue:create-task:dummy-test-provisioner/dummy-test-worker-type
queue:route:dummy-routes.index-testing.*
queue:claim-task
assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
queue:report-task-completed
auth:azure-table-access:taskclusterdev/DummyTest*
queue:resolve-task
queue:create-artifact:public/dummy-test-provisioner.log
queue:create-artifact:private/dummy-test-provisioner.log
queue:get-artifact:private/dummy-test-provisioner.log
----
k-haeuv-RMuKmBXPuTDpiQ - ### Imported: travis test user for taskcluster-proxy
This user runs tests in travis-ci.org for github.com/taskcluster/taskcluster-proxy repo. The clientId and accessToken are provided as encrypted environment variables.
assume:client-id:k-haeuv-RMuKmBXPuTDpiQ
auth:inspect
auth:credentials
----
tc-hooks - Test user for taskcluster-hooks
assume:client-id:tc-hooks
----
tc-hooks-tests - Client for tc-hooks integration tests
assume:client-id:tc-hooks-tests
queue:create-task:no-provisioner/test-worker
assume:hook-id:tc-hooks-tests/tc-test-hook
jungle:tc-hooks-tests:scope/required/for/task/1

SERVICES
========

-ojkeT4cQ8iPqzfjX6YqPw - ### Imported: taskcluster-purge-cache
User for purge-cache service...
assume:client-id:-ojkeT4cQ8iPqzfjX6YqPw
auth:credentials
----
00F-p0pNSaSklX6COjCTHg - ### Imported: taskcluster-try
Taskcluster + Try handler
assume:client-id:00F-p0pNSaSklX6COjCTHg
queue:*
docker-worker:*
scheduler:*
----
0BI2Jg_ZSuCHg6bEyPdD9A - ### Imported: aws-provisioner2
jhford made this account for work on the new aws provisioner
*
----
5Svq_nEQSFCDnNNcPHj2sQ - ### Imported: buildbot-bridge
Credentials for the production instance of the Buildbot <-> Taskcluster Bridge. Original discussion of required permissions can be found in https://bugzilla.mozilla.org/show_bug.cgi?id=1164455.
assume:client-id:5Svq_nEQSFCDnNNcPHj2sQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
queue:rerun-task
queue:cancel-task
assume:worker-type:buildbot-bridge/buildbot-bridge
assume:worker-id:buildbot-bridge/buildbot-bridge
assume:scheduler-id:*
----
7J6dLK6WS4WIUCUmsMssYw - ### Imported: release runner dev
assume:client-id:7J6dLK6WS4WIUCUmsMssYw
queue:*
docker-worker:*
scheduler:*
signing:format:gpg
signing:format:mar
signing:cert:dep-signing
buildbot-bridge:builder-name:release-date*
----
G0ZVDgU7TNq6WgWCtEMQlg - ### Imported: dockerhost-r3xlarge-2
assume:client-id:G0ZVDgU7TNq6WgWCtEMQlg
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-type:aws-provisioner/dockerhost-r3xlarge
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
queue:resolve-task
----
GZpee0SDRHm9fhYbaqKtuQ - ### Imported: crater
crater test service managed by Brian Anderson (:brson). Contact: banderson@mozilla.com
*
----
HHb6HtDwQaS3dGdaa_j0ow - ### Imported: funsize scheduler
assume:client-id:HHb6HtDwQaS3dGdaa_j0ow
signing:*
scheduler:*
docker-worker:*
queue:*
----
I0o8H5AgRZWkj_jsDIepYQ - ### Imported: buildbot-bridge-dev
Credentials to use when running a dev instance of the Buildbot <-> Taskcluster Bridge.
assume:client-id:I0o8H5AgRZWkj_jsDIepYQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
queue:rerun-task
queue:cancel-task
assume:scheduler-id:*
assume:worker-type:buildbot-bridge/buildbot-bridge
assume:worker-id:buildbot-bridge/buildbot-bridge
----
KHa1Y5wARRGL8R6GAsgW3w - ### Imported: buildbot-try
Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP for try builds.
assume:client-id:KHa1Y5wARRGL8R6GAsgW3w
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:route:*
queue:claim-task
assume:worker-type:null-provisioner/buildbot-try
assume:worker-id:buildbot-try/buildbot-try
queue:resolve-task
----
O6yB_zofTjCAjPSu4iYKoA - ### Imported: taskcluster-github
assume:client-id:O6yB_zofTjCAjPSu4iYKoA
assume:worker-type:test/test
assume:worker-id:test/test
assume:scheduler-id:*
scheduler:*
docker-worker:*
queue:*
----
Po0gCUk-Rx-OzBV_bcOkhQ - ### Imported: Docker Host g2
assume:client-id:Po0gCUk-Rx-OzBV_bcOkhQ
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-type:aws-provisioner/dockerhost-g2
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
----
SUkfDCeyStmQbgu4f4yXCg - ### Imported: buildbot-staging
For staging buildbot builds to upload files.
assume:client-id:SUkfDCeyStmQbgu4f4yXCg
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:claim-task
assume:worker-type:null-provisioner/buildbot
assume:worker-id:buildbot/buildbot
queue:resolve-task
queue:route:index.garbage.staging.*
----
SbTaWGCUSnG65E4dqLpxDQ - ### Imported: signingworker2
used to sign MAR files generated by Funsize
assume:client-id:SbTaWGCUSnG65E4dqLpxDQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
assume:worker-id:signing-worker-v1/*
assume:worker-type:signing-provisioner-v1/*
----
T9J-xA9JSUKQzfR99NRtMg - ### Imported: mozilla-pulse-actions
This client is to be used as part of pulse_actions in combination to mozci.
assume:client-id:T9J-xA9JSUKQzfR99NRtMg
queue:create-task:*
queue:define-task:*
docker-worker:cache:*
docker-worker:capability:*
docker-worker:image:*
tc-treeherder*
queue:route:*
scheduler:create-task-graph
scheduler:extend-task-graph
----
XJhrEh8MSG-34W5qQjRadQ - ### Imported: scheduler.taskcluster
Access credentials for `scheduler.taskcluster.net`. This is the production deployment of the task-graph scheduler.
*
----
XsQX5VRnSCi_gG1Fbby0AQ - ### Imported: testdroid-worker
*
----
_9TuTPNUSQKMW8wcMIsrxA - ### Imported: taskcluster-scheduler
Credentials for the prototype scheduler: https://github.com/taskcluster/taskcluster-scheduler
assume:client-id:_9TuTPNUSQKMW8wcMIsrxA
queue:schedule-task
assume:scheduler-id:*
auth:azure-table-access:taskclusterdev/*
----
_rUyXCLtT0SSDw37PXFIFw - ### Imported: b2g-qa-jenkins
Makes QA's Jenkins able to download Firefox OS builds. Owned by the Firefox OS QA team. Point of contact: Johan Lorenzo jlorenzo@mozilla.com. Issued in bug [1184935](https://bugzilla.mozilla.org/show_bug.cgi?id=1184935).
assume:client-id:_rUyXCLtT0SSDw37PXFIFw
queue:get-artifact:private/build/*
----
b2g-power-tests - jhylands runs a jenkins server for doing automated power tests on Firefox OS. These credentials grant him access to download private artifacts for flame testing... Owner: jhylands@mozilla.com
assume:client-id:b2g-power-tests
queue:get-artifact:private/build/*
----
eIy6aszeRQirIPOMwtOtqQ - ### Imported: mozilla-taskcluster
Integration for mozilla-taskcluster
assume:client-id:eIy6aszeRQirIPOMwtOtqQ
queue:*
docker-worker:*
scheduler:*
----
kd-b_FdrSJ-4Gr3FF4IOpA - ### Imported: github-taskcluster
*
----
pW4qm6B8SHGfpeUzUQ9dKg - ### Imported: old-aws-provisioner
old aws provisioner... this will go away... Ask jonasfj or jhford if it's still alive...
assume:client-id:pW4qm6B8SHGfpeUzUQ9dKg
queue:pending-tasks:aws-provisioner/*
----
root - Automatically created `root` client for bootstrapping API access
*
----
tc-login - Credentials for login.taskcluster.net. Owner: jojensen@mozilla.com
assume:client-id:tc-login
assume:mozillians-user:*
assume:mozillians-group:*
assume:ldap-user:*
assume:ldap-group:*
----
tc-secrets - TaskCluster secrets service... This service stores secrets and protects them with scopes, so people can't get access without the right scope. Owner: mphillips@mozilla.com. Belongs to the [taskcluster-secrets heroku app](https://dashboard.heroku.com/apps/taskcluster-secrets).
assume:client-id:tc-secrets
auth:azure-table-access:taskclustersecretsv1/Secrets
----
v9h-Fo_fQ3yq_-MeH6dP6w - ### Imported: worker-ci-tests
assume:client-id:v9h-Fo_fQ3yq_-MeH6dP6w
scheduler:create-task-graph
queue:claim-task
assume:worker-id:worker-ci-test/*
queue:report-task-completed
queue:resolve-task
queue:rerun-task
assume:scheduler-id:*
queue:define-task:aws-provisioner-v1/worker-ci-test
queue:create-task:aws-provisioner-v1/worker-ci-test
assume:worker-type:aws-provisioner-v1/worker-ci-test
assume:worker-type:no-provisioning-nope/*
queue:create-task:no-provisioning-nope/*
queue:poll-task-urls
assume:worker-id:random-local-worker/*
queue:cancel-task
queue:define-task:no-provisioning-nope/*
scheduler:extend-task-graph:*
docker-worker:feature:*
docker-worker:cache:*
docker-worker:image:localhost*
docker-worker:capability:privileged
docker-worker:capability:device:*
aws-provisioner:create-secret
queue:get-artifact:private/docker-worker-tests/*
index:insert-task:garbage.docker-worker-tests.*
queue:create-artifact:public/*
queue:route:index.garbage.docker-worker-tests.*
queue:create-artifact:docker-worker-tests*
queue:create-artifact:private/docker-worker-tests*
queue:create-artifact:custom
queue:get-artifact:/private/docker-worker-tests/*
purge-cache:no-provisioning-nope*
----
vKlyNangR_m4pEgk7ajKEQ - ### Imported: dockerhost
assume:client-id:vKlyNangR_m4pEgk7ajKEQ
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
assume:worker-type:aws-provisioner/dockerhost-r3-2xlarge
assume:worker-type:aws-provisioner/dockerhost-g2
assume:worker-type:aws-provisioner/dockerhost-r3xlarge
assume:worker-type:aws-provisioner/dockerhost-c3-2xlarge
assume:worker-type:aws-provisioner/dh-c4-2xlarge
queue:resolve-task
----
xPK1XrauRn6v2QNMMIAOKg - ### Imported: funsize dev
assume:client-id:xPK1XrauRn6v2QNMMIAOKg
signing:*
scheduler:*
docker-worker:*
queue:*
----
yHLBn3GaTY-SYhTnKw3X-Q - ### Imported: temporary-credentials
Client used to issue temporary credentials; the list of scopes assigned to this client will be given to all temporary credentials issued.
*
----
yMbwoZvhRout3T_Fr7h4Ng - ### Imported: index.taskcluster.net
Credentials for `index.taskcluster.net`
*
----
yvP37tZ_S52uOeZm-Ep4IA - ### Imported: buildbot
Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP.
assume:client-id:yvP37tZ_S52uOeZm-Ep4IA
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:route:*
queue:claim-task
assume:worker-type:null-provisioner/buildbot
assume:worker-id:buildbot/buildbot
queue:resolve-task

PERSONAL
========

09tML-c8Tf6pYehxK8Rrpw - ### Imported: bhearsum
*
----
2NTE9AF4Qq2iNp_ZXan5DA - ### Imported: npark
npark@mozilla.com See [bug 1196730](https://bugzilla.mozilla.org/show_bug.cgi?id=1196730) for building b2g or something like that...
*
----
2YkrA35TSrCL9yOGDeW-Tg - ### Imported: jhford
for jhford for local testing only
*
----
2czfw97BQS6SvD-Q-F76Aw - ### Imported: jonasfj
Credentials for `jonasfj` to abuse...
*
----
7biq0sFcRqGYGJ9juATLJA - ### Imported: ffledgling
*
----
Bx-Vfe_rSQ2HOtZQviwl_A - ### Imported: sousmangoosta
This is a temporary account for a community contributor that was directed to taskcluster by kgrandon and gerard-majax. This should be removed later when we allow non @mozilla.com emails to get temporary credentials. Granted with same scopes as temp creds. Name: Ronald Claveau, email: sousmangoosta@ovh.fr, IRC: sousmangoosta
*
----
DyUwCUOlRJWAOm7OJJWg1g - ### Imported: garndt
Key for local abuse for garndt, don't ship this
*
----
GFHNiUujSuu_MCDF1GWvvQ - ### Imported: raluca
Raluca is hacking on analysis framework for telemetry... if she finds time...
*
----
I3hNQRWhSnWA-s6WN5w1XA - ### Imported: amiyaguchi
amiyaguchi is an intern summer 2015 working on windows AMI setups.
*
----
JmhqKvaWTHmnxmRqoORBaA - ### Imported: brson
Brian Anderson
*
----
LY8eSq1WTb6qKMrWKGTvqw - ### Imported: Rob Thijssen
For playing around, and doing damage! :D
*
----
LvL_9Z2FQLa2gO-3AgCQ_A - ### Imported: selena
developer credentials for `selena@mozilla.com`
*
----
LvhIONB6TAKCeZsbmrImrA - ### Imported: gerard-majax
assume:client-id:LvhIONB6TAKCeZsbmrImrA
queue:*
scheduler:*
docker-worker:*
----
MC7GCZfURkCGO8rS9KxgTg - ### Imported: wcosta
Describe what this use is for...
*
----
N6l8rTzKRdCsLxXpboKNuw - ### Imported: jlund
jlund from releng
*
----
NJ3G1h8ARkGhekYPFYhmVw - ### Imported: liav
Credentials for Liav (`liav.koren@gmail.com`), a new contributor working on bug [1051561](https://bugzilla.mozilla.org/show_bug.cgi?id=1051561) and sub-bugs thereof...
*
----
OXSb5WUVQk6STvKkCPitgw - ### Imported: EggyLv999
Edgar contracted intern...
*
----
QUUeaAazTAmU6F3Sc29zvQ - ### Imported: armenzg-testing
This is my set of credentials which does not have * scopes.
assume:client-id:QUUeaAazTAmU6F3Sc29zvQ
queue:create-task:*
queue:define-task:*
docker-worker:cache:*
docker-worker:capability:*
docker-worker:image:*
queue:route:*
scheduler:create-task-graph
scheduler:extend-task-graph:*
----
WX5WaEuzTwGh0Q-zpGSoWg - ### Imported: rwood
Describe what this use is for...
*
----
_XwhECl7T_WBWcOdRQFVkA - ### Imported: nullaus
null aus dev access
*
----
a8298TjkQf2HyICZVkgEYA - ### Imported: lightsofapollo
Everything creds for abuse. Used to have `*`; jonasfj removed these... leaving the client so we can re-activate it if we have to... I doubt it's in use anywhere though...
assume:client-id:a8298TjkQf2HyICZVkgEYA
----
cVOkbX8TQu2UT7b-8VH0nA - ### Imported: mrrrgn
Morgan's access
*
----
gEGWgxqgRZSikNXkDr6Tbw - ### Imported: kgrandon
*
----
hkhwW8sQRFiau1ie1b29tQ - ### Imported: pmoore
Dev key used by Pete Moore (pmoore@mozilla.com).
*
----
i8RcQ9nuRe-Q7mpVGnaHJg - ### Imported: rail
master of the universe
*
----
iDpx218zTq6b8XoFMXssEw - ### Imported: dustin
credentials for dustin...
*
----
kZ3PctbtSLml6PHw5YzTOw - ### Imported: drs
taskcluster credentials for `drs`. LDAP: `dsherk@mozilla.com`
*
----
l-a4R0PXR4uHijZ4i7-kgw - ### Imported: shako
Shako Ho, sho@mozilla.com. Is being shared with other developers...
*
----
onvEnjW7Su6-53I7UhfCdg - ### Imported: ted
Ted Mielczarek, tmielczarek@mozilla.com
*
----
sldk46fxR2CdSbiw2OR-4Q - ### Imported: autolander-dev
Autolander. For questions, ping kgrandon@mozilla.com
*
----
swn2Eg-pRu2h0ec3uNI9AQ - ### Imported: queue.taskcluster.net
Credentials for `queue.taskcluster.net`
*
----
u5Abj86VRsGmiagy6aO7Yw - ### Imported: mshal
mshal testing
*
----
wQjAUsPgQ-OKuU8RWsz8tg - ### Imported: nhirata
Credentials for nhirata
*
----
xMWxCdJpSriDz7zp7uFo8Q - ### Imported: armenzg
Armen's testing account
*
----
xu9LzAXBTRW8d3x_6Q-wCA - ### Imported: mihneadb
This is a temporary account for a community contributor. Created by: garndt. Name: Mihnea Dobrescu-Balaur, Email: mihnea@linux.com
*
----
ycAM1VLgRA-677YJBT1K1w - ### Imported: russn
Local key for russ to play with
*
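The bare '*' versus '<non-zero-prefix>*' distinction from the description, and the kind of review done by hand in comment 1, as an added Python example that is not part of the bug or of Taskcluster's own code. It assumes Taskcluster's scope-matching rule (a granted scope ending in '*' covers every required scope that starts with the text before the '*') and runs over a constructed sample of clients modelled on entries in comment 1.

```python
"""Audit a set of Taskcluster clients for over-broad scopes.

Added example (not code from the bug or from Taskcluster). Assumes the
Taskcluster rule that a granted scope ending in '*' covers every required
scope beginning with the text before the '*'; anything else is exact match.
"""
from __future__ import annotations

# Constructed sample, clientId -> scopes, modelled on entries in comment 1.
CLIENTS: dict[str, list[str]] = {
    "root": ["*"],
    "yHLBn3GaTY-SYhTnKw3X-Q": ["*"],  # temporary-credentials
    "tc-hooks-tests": [
        "assume:client-id:tc-hooks-tests",
        "queue:create-task:no-provisioner/test-worker",
        "assume:hook-id:tc-hooks-tests/tc-test-hook",
    ],
    "QUUeaAazTAmU6F3Sc29zvQ": [  # armenzg-testing: prefixes, no bare '*'
        "queue:create-task:*",
        "queue:define-task:*",
        "queue:route:*",
        "scheduler:create-task-graph",
    ],
    "eIy6aszeRQirIPOMwtOtqQ": ["queue:*", "docker-worker:*", "scheduler:*"],
}


def scope_satisfies(granted: str, required: str) -> bool:
    """True if one granted scope covers the required scope."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def who_can(clients: dict[str, list[str]], required: str) -> list[str]:
    """clientIds whose scope set satisfies `required`; bare-'*' holders
    appear for every possible required scope, which is the problem."""
    return sorted(cid for cid, scopes in clients.items()
                  if any(scope_satisfies(g, required) for g in scopes))


def star_clients(clients: dict[str, list[str]]) -> list[str]:
    """clientIds holding the bare '*' scope (zero-length prefix)."""
    return sorted(cid for cid, scopes in clients.items() if "*" in scopes)


def service_wide(clients: dict[str, list[str]]) -> dict[str, list[str]]:
    """clientIds holding '<service>:*': a non-zero prefix, so allowed by the
    bug's policy, but still every action on that service."""
    wide = {cid: [s for s in scopes if s.endswith(":*") and s.count(":") == 1]
            for cid, scopes in clients.items()}
    return {cid: s for cid, s in wide.items() if s}
```

Feeding the real listing into CLIENTS would reproduce the SERVICES and PERSONAL entries that end in a lone "*" as the output of star_clients.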
Comment 2•9 years ago
I'll set aside the "personal" creds for now -- we can fix that when tc-login is deployed. Most of the "testing" clients are OK.

> TESTING
> =======
>
> -69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
> assume:client-id:-69R5nFgQhmFalR2J3y9pA
> queue:create-task:test/test
> queue:define-task:test/test
> queue:claim-task
> assume:worker-type:test/test
> assume:worker-id:test/test
> queue:report-task-completed
> queue:resolve-task
> queue:route:tc-treeherder-test*
> queue:rerun-task
> assume:scheduler-id:*
> queue:route:test*
> scheduler:*

scheduler:* is too broad - should be scheduler:create-task-graph. bug 1218476

Note, too, that auth:credentials no longer counts for anything, so seeing that here isn't scary (although it suggests the creds need to be edited).

That just leaves services.
Updated•9 years ago
Alias: tc-scope-lockdown
Updated•9 years ago
Summary: [meta] Reduce number of clients that gets the '*' scope → [meta] Reduce the number of clients that get the '*' scope
Updated•9 years ago
Comment 3•8 years ago
I'm calling this done -- the scheduler scopes are not * anymore, but are still fairly broad. Those will get narrowed when the new big-graph scheduler is done.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•5 years ago
Component: Authentication → Services