Bug 1137827 (tc-scope-lockdown)

[meta] Reduce the number of clients that get the '*' scope

RESOLVED FIXED

People

(Reporter: jonasfj, Assigned: dustin)

(Reporter)

Description

4 years ago
We should absolutely reduce the number of clients that get the "*" scope.
It's fine that some have scopes of the form "<non-zero-prefix>*", as long as
it's a non-zero prefix.

There are a lot of places to reduce the scopes issued. I'm not super concerned
with components like queue, provisioner, index, etc.; a few of them legitimately
need the '*' scope, and for the others it's a configuration issue.

However, there are places where we absolutely should reduce the scopes issued:
1) auth issues temporary credentials to <anyone>@mozilla.com with the "*" scope.
   (bug 1137740)
2) docker-worker currently has the "*" credentials for the authentication proxy.
   (bug 1137821)

Please file bugs for any other scope reduction issues; this will be a meta-bug
tracking efforts to tighten scope policies.
(Reporter)

Updated

3 years ago
Depends on: 1156404
(Reporter)

Updated

3 years ago
Depends on: 1159979
(Reporter)

Updated

3 years ago
Depends on: 1164455
Component: TaskCluster → General
Product: Testing → Taskcluster
(Reporter)

Updated

3 years ago
Component: General → Authentication
Assignee: nobody → dustin
Depends on: 1203659
Depends on: 1216306
So here's what our current set of clientIds looks like, roughly divided by purpose.  This is publicly accessible via API, btw.

TESTING
=======

-69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
    assume:client-id:-69R5nFgQhmFalR2J3y9pA
    queue:create-task:test/test
    queue:define-task:test/test
    queue:claim-task
    assume:worker-type:test/test
    assume:worker-id:test/test
    queue:report-task-completed
    queue:resolve-task
    queue:route:tc-treeherder-test*
    queue:rerun-task
    assume:scheduler-id:*
    queue:route:test*
    scheduler:*
----
-yX0fVeLQWWwZ8wS0DHz9Q - ### Imported: dummy-test-scheduler
                         Credentials for automatic testing of the task-graph scheduler against production queue.
                         These should not be leaked, but can be embedded as **encrypted** environment variables in things like `travis.yml`. Or stored in a local configuration file for testing the scheduler locally.
                         This is also used for testing `taskcluster-client`.
    assume:client-id:-yX0fVeLQWWwZ8wS0DHz9Q
    queue:define-task:dummy-test-provisioner/dummy-test-worker-type
    queue:schedule-task
    queue:claim-task
    assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
    assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
    queue:report-task-completed
    queue:rerun-task
    assume:scheduler-id:dummy-test-scheduler/*
    queue:resolve-task
----
DqpvW5MaS7SkHjYpe0hfrg - ### Imported: taskcluster-secrets-test-client
                         For testing taskcluster-secrets....
    assume:client-id:DqpvW5MaS7SkHjYpe0hfrg
    secrets:write
    secrets:delete
    secrets:github:ninethings:website:*
----
6uwU3ANNT0ed0UEyfG2W8w - ### Imported: dummy-index-test
                         Dummy used for testing `taskcluster-index`.
    assume:client-id:6uwU3ANNT0ed0UEyfG2W8w
    queue:create-task:dummy-test-provisioner/dummy-test-worker-type
    queue:route:dummy-routes.index-testing.*
    queue:claim-task
    assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
    assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
    queue:report-task-completed
    auth:azure-table-access:taskclusterdev/DummyTest*
    queue:resolve-task
    queue:create-artifact:public/dummy-test-provisioner.log
    queue:create-artifact:private/dummy-test-provisioner.log
    queue:get-artifact:private/dummy-test-provisioner.log 
----
k-haeuv-RMuKmBXPuTDpiQ - ### Imported: travis test user for taskcluster-proxy
                         This user runs tests in travis-ci.org for github.com/taskcluster/taskcluster-proxy repo. The clientId and accessToken are provided as encrypted environment variables.
    assume:client-id:k-haeuv-RMuKmBXPuTDpiQ
    auth:inspect
    auth:credentials
----
tc-hooks - Test user for taskcluster-hooks
    assume:client-id:tc-hooks
----
tc-hooks-tests - Client for tc-hooks integration tests
    assume:client-id:tc-hooks-tests
    queue:create-task:no-provisioner/test-worker
    assume:hook-id:tc-hooks-tests/tc-test-hook
    jungle:tc-hooks-tests:scope/required/for/task/1

SERVICES
========

-ojkeT4cQ8iPqzfjX6YqPw - ### Imported: taskcluster-purge-cache
                         User for purge-cache service...
    assume:client-id:-ojkeT4cQ8iPqzfjX6YqPw
    auth:credentials
----
00F-p0pNSaSklX6COjCTHg - ### Imported: taskcluster-try
                         Taskcluster + Try handler
    assume:client-id:00F-p0pNSaSklX6COjCTHg
    queue:*
    docker-worker:*
    scheduler:*
----
0BI2Jg_ZSuCHg6bEyPdD9A - ### Imported: aws-provisioner2
                         jhford made this account for work on the new aws provisioner
    *
----
5Svq_nEQSFCDnNNcPHj2sQ - ### Imported: buildbot-bridge
                         Credentials for the production instance of the Buildbot <-> Taskcluster Bridge. Original discussion of required permissions can be found in https://bugzilla.mozilla.org/show_bug.cgi?id=1164455.
    assume:client-id:5Svq_nEQSFCDnNNcPHj2sQ
    queue:claim-task
    queue:create-artifact:*
    queue:resolve-task
    queue:rerun-task
    queue:cancel-task
    assume:worker-type:buildbot-bridge/buildbot-bridge
    assume:worker-id:buildbot-bridge/buildbot-bridge
    assume:scheduler-id:*
----
7J6dLK6WS4WIUCUmsMssYw - ### Imported: release runner dev
    assume:client-id:7J6dLK6WS4WIUCUmsMssYw
    queue:*
    docker-worker:*
    scheduler:*
    signing:format:gpg
    signing:format:mar
    signing:cert:dep-signing
    buildbot-bridge:builder-name:release-date*
----
G0ZVDgU7TNq6WgWCtEMQlg - ### Imported: dockerhost-r3xlarge-2
    assume:client-id:G0ZVDgU7TNq6WgWCtEMQlg
    queue:claim-task
    auth:inspect
    queue:report-task-completed
    assume:worker-type:aws-provisioner/dockerhost-r3xlarge
    assume:worker-id:*
    queue:create-artifact:public/api.json
    auth:credentials
    queue:resolve-task
----
GZpee0SDRHm9fhYbaqKtuQ - ### Imported: crater
                         crater test service managed by Brian Anderson (:brson).
                         Contact: banderson@mozilla.com
    *
----
HHb6HtDwQaS3dGdaa_j0ow - ### Imported: funsize scheduler
    assume:client-id:HHb6HtDwQaS3dGdaa_j0ow
    signing:*
    scheduler:*
    docker-worker:*
    queue:*
----
I0o8H5AgRZWkj_jsDIepYQ - ### Imported: buildbot-bridge-dev
                         Credentials to use when running a dev instance of the Buildbot <-> Taskcluster Bridge.
    assume:client-id:I0o8H5AgRZWkj_jsDIepYQ
    queue:claim-task
    queue:create-artifact:*
    queue:resolve-task
    queue:rerun-task
    queue:cancel-task
    assume:scheduler-id:*
    assume:worker-type:buildbot-bridge/buildbot-bridge
    assume:worker-id:buildbot-bridge/buildbot-bridge
----
KHa1Y5wARRGL8R6GAsgW3w - ### Imported: buildbot-try
                         Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP for try builds.
    assume:client-id:KHa1Y5wARRGL8R6GAsgW3w
    queue:create-task:*
    queue:create-artifact:*
    queue:report-task-completed
    queue:route:*
    queue:claim-task
    assume:worker-type:null-provisioner/buildbot-try
    assume:worker-id:buildbot-try/buildbot-try
    queue:resolve-task
----
O6yB_zofTjCAjPSu4iYKoA - ### Imported: taskcluster-github
    assume:client-id:O6yB_zofTjCAjPSu4iYKoA
    assume:worker-type:test/test
    assume:worker-id:test/test
    assume:scheduler-id:*
    scheduler:*
    docker-worker:*
    queue:*
----
Po0gCUk-Rx-OzBV_bcOkhQ - ### Imported: Docker Host g2
    assume:client-id:Po0gCUk-Rx-OzBV_bcOkhQ
    queue:claim-task
    auth:inspect
    queue:report-task-completed
    assume:worker-type:aws-provisioner/dockerhost-g2
    assume:worker-id:*
    queue:create-artifact:public/api.json
    auth:credentials
----
SUkfDCeyStmQbgu4f4yXCg - ### Imported: buildbot-staging
                         For staging buildbot builds to upload files.
    assume:client-id:SUkfDCeyStmQbgu4f4yXCg
    queue:create-task:*
    queue:create-artifact:*
    queue:report-task-completed
    queue:claim-task
    assume:worker-type:null-provisioner/buildbot
    assume:worker-id:buildbot/buildbot
    queue:resolve-task
    queue:route:index.garbage.staging.*
----
SbTaWGCUSnG65E4dqLpxDQ - ### Imported: signingworker2
                         used to sign MAR files generated by Funsize 
    assume:client-id:SbTaWGCUSnG65E4dqLpxDQ
    queue:claim-task
    queue:create-artifact:*
    queue:resolve-task
    assume:worker-id:signing-worker-v1/*
    assume:worker-type:signing-provisioner-v1/*
----
T9J-xA9JSUKQzfR99NRtMg - ### Imported: mozilla-pulse-actions
                         This client is to be used as part of pulse_actions in combination to mozci.
    assume:client-id:T9J-xA9JSUKQzfR99NRtMg
    queue:create-task:*
    queue:define-task:*
    docker-worker:cache:*
    docker-worker:capability:*
    docker-worker:image:*
    tc-treeherder*
    queue:route:*
    scheduler:create-task-graph
    scheduler:extend-task-graph
----
XJhrEh8MSG-34W5qQjRadQ - ### Imported: scheduler.taskcluster
                         Access credentials for `scheduler.taskcluster.net`. This is the production deployment of the task-graph scheduler.
    *
----
XsQX5VRnSCi_gG1Fbby0AQ - ### Imported: testdroid-worker
    *
----
_9TuTPNUSQKMW8wcMIsrxA - ### Imported: taskcluster-scheduler
                         Credentials for the prototype scheduler:
                         https://github.com/taskcluster/taskcluster-scheduler
    assume:client-id:_9TuTPNUSQKMW8wcMIsrxA
    queue:schedule-task
    assume:scheduler-id:*
    auth:azure-table-access:taskclusterdev/*
----
_rUyXCLtT0SSDw37PXFIFw - ### Imported: b2g-qa-jenkins
                         Makes QA's Jenkins being able to download Firefox OS builds. Owned by the Firefox OS QA team.
                         Point of contact: Johan Lorenzo
                         jlorenzo@mozilla.com
                         Issued in bug [1184935](https://bugzilla.mozilla.org/show_bug.cgi?id=1184935).
    assume:client-id:_rUyXCLtT0SSDw37PXFIFw
    queue:get-artifact:private/build/*
----
b2g-power-tests - jhylands runs a jenkins server for doing automated power tests on Firefox OS.
                  These credentials grants him access to download private artifacts for flame testing...
                  Owner: jhylands@mozilla.com
    assume:client-id:b2g-power-tests
    queue:get-artifact:private/build/*
----
eIy6aszeRQirIPOMwtOtqQ - ### Imported: mozilla-taskcluster
                         Integration for mozilla-taskcluster
    assume:client-id:eIy6aszeRQirIPOMwtOtqQ
    queue:*
    docker-worker:*
    scheduler:*
----
kd-b_FdrSJ-4Gr3FF4IOpA - ### Imported: github-taskcluster
    *
----
pW4qm6B8SHGfpeUzUQ9dKg - ### Imported: old-aws-provisioner
                         old aws provisioner... this will go away...
                         Ask jonasfj or jhford if it's still alive...
    assume:client-id:pW4qm6B8SHGfpeUzUQ9dKg
    queue:pending-tasks:aws-provisioner/*
----
root - Automatically created `root` client for bootstrapping API access
    *
----
tc-login - Credentials for login.taskcluster.net
           Owner: jojensen@mozilla.com
    assume:client-id:tc-login
    assume:mozillians-user:*
    assume:mozillians-group:*
    assume:ldap-user:*
    assume:ldap-group:*
----
tc-secrets - TaskCluster secrets service...
             This service stores secrets and protects them with scopes, so people can't get access without the right scope.
             Owner: mphillips@mozilla.com
             Belongs to the [taskcluster-secrets heroku app](https://dashboard.heroku.com/apps/taskcluster-secrets).
    assume:client-id:tc-secrets
    auth:azure-table-access:taskclustersecretsv1/Secrets
----
v9h-Fo_fQ3yq_-MeH6dP6w - ### Imported: worker-ci-tests
    assume:client-id:v9h-Fo_fQ3yq_-MeH6dP6w
    scheduler:create-task-graph
    queue:claim-task
    assume:worker-id:worker-ci-test/*
    queue:report-task-completed
    queue:resolve-task
    queue:rerun-task
    assume:scheduler-id:*
    queue:define-task:aws-provisioner-v1/worker-ci-test
    queue:create-task:aws-provisioner-v1/worker-ci-test
    assume:worker-type:aws-provisioner-v1/worker-ci-test
    assume:worker-type:no-provisioning-nope/*
    queue:create-task:no-provisioning-nope/*
    queue:poll-task-urls
    assume:worker-id:random-local-worker/*
    queue:cancel-task
    queue:define-task:no-provisioning-nope/*
    scheduler:extend-task-graph:*
    docker-worker:feature:*
    docker-worker:cache:*
    docker-worker:image:localhost*
    docker-worker:capability:privileged
    docker-worker:capability:device:*
    aws-provisioner:create-secret
    queue:get-artifact:private/docker-worker-tests/*
    index:insert-task:garbage.docker-worker-tests.*
    queue:create-artifact:public/*
    queue:route:index.garbage.docker-worker-tests.*
    queue:create-artifact:docker-worker-tests*
    queue:create-artifact:private/docker-worker-tests*
    queue:create-artifact:custom
    queue:get-artifact:/private/docker-worker-tests/*
    purge-cache:no-provisioning-nope*
----
vKlyNangR_m4pEgk7ajKEQ - ### Imported: dockerhost
    assume:client-id:vKlyNangR_m4pEgk7ajKEQ
    queue:claim-task
    auth:inspect
    queue:report-task-completed
    assume:worker-id:*
    queue:create-artifact:public/api.json
    auth:credentials
    assume:worker-type:aws-provisioner/dockerhost-r3-2xlarge
    assume:worker-type:aws-provisioner/dockerhost-g2
    assume:worker-type:aws-provisioner/dockerhost-r3xlarge
    assume:worker-type:aws-provisioner/dockerhost-c3-2xlarge
    assume:worker-type:aws-provisioner/dh-c4-2xlarge
    queue:resolve-task
----
xPK1XrauRn6v2QNMMIAOKg - ### Imported: funsize dev
    assume:client-id:xPK1XrauRn6v2QNMMIAOKg
    signing:*
    scheduler:*
    docker-worker:*
    queue:*
----
yHLBn3GaTY-SYhTnKw3X-Q - ### Imported: temporary-credentials
                         Client used to issue temporary credentials, list of scopes assigned to this client will given to all temporary credentials issued.
    *
----
yMbwoZvhRout3T_Fr7h4Ng - ### Imported: index.taskcluster.net
                         Credentails for `index.taskcluster.net`
    *
----
yvP37tZ_S52uOeZm-Ep4IA - ### Imported: buildbot
                         Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP.
    assume:client-id:yvP37tZ_S52uOeZm-Ep4IA
    queue:create-task:*
    queue:create-artifact:*
    queue:report-task-completed
    queue:route:*
    queue:claim-task
    assume:worker-type:null-provisioner/buildbot
    assume:worker-id:buildbot/buildbot
    queue:resolve-task

PERSONAL
========

09tML-c8Tf6pYehxK8Rrpw - ### Imported: bhearsum
    *
----
2NTE9AF4Qq2iNp_ZXan5DA - ### Imported: npark
                         npark@mozilla.com
                         See [bug 1196730](https://bugzilla.mozilla.org/show_bug.cgi?id=1196730)
                         for building b2g or something like that...
    *
----
2YkrA35TSrCL9yOGDeW-Tg - ### Imported: jhford
                         for jhford for local testing only
    *
----
2czfw97BQS6SvD-Q-F76Aw - ### Imported: jonasfj
                         Credentials for `jonasfj` to abuse...
    *
----
7biq0sFcRqGYGJ9juATLJA - ### Imported: ffledgling
    *
----
Bx-Vfe_rSQ2HOtZQviwl_A - ### Imported: sousmangoosta
                         This is a temporary account for a community contributor that was directed to taskcluster by kgrandon and gerard-majax,.
                         This should be removed later when we allow non @mozilla.com emails to get temporary credentials.  Granted with same scopes as temp creds
                         Name: Ronald Claveau
                         email: sousmangoosta@ovh.fr
                         IRC: sousmangoosta
    *
----
DyUwCUOlRJWAOm7OJJWg1g - ### Imported: garndt
                         Key for local abuse for garndt don't ship this
    *
----
GFHNiUujSuu_MCDF1GWvvQ - ### Imported: raluca
                         Raluca is hacking on analysis framework for telemetry... if she finds time...
    *
----
I3hNQRWhSnWA-s6WN5w1XA - ### Imported: amiyaguchi
                         amiyaguchi is an intern summer 2015 working on windows AMI setups.
    *
----
JmhqKvaWTHmnxmRqoORBaA - ### Imported: brson
                         Brian Anderson
    *
----
LY8eSq1WTb6qKMrWKGTvqw - ### Imported: Rob Thijssen
                         For playing around, and doing damage! :D
    *
----
LvL_9Z2FQLa2gO-3AgCQ_A - ### Imported: selena
                         developer credentials for `selena@mozilla.com`
    *
----
LvhIONB6TAKCeZsbmrImrA - ### Imported: gerard-majax
    assume:client-id:LvhIONB6TAKCeZsbmrImrA
    queue:*
    scheduler:*
    docker-worker:*
----
MC7GCZfURkCGO8rS9KxgTg - ### Imported: wcosta
                         Describe what this use is for...
    *
----
N6l8rTzKRdCsLxXpboKNuw - ### Imported: jlund
                         jlund from releng
    *
----
NJ3G1h8ARkGhekYPFYhmVw - ### Imported: liav
                         Credentials for Liav (`liav.koren@gmail.com`) a new contributor working on bug [1051561](https://bugzilla.mozilla.org/show_bug.cgi?id=1051561) and sub-bugs there of...
    *
----
OXSb5WUVQk6STvKkCPitgw - ### Imported: EggyLv999
                         Edgar contracted intern...
    *
----
QUUeaAazTAmU6F3Sc29zvQ - ### Imported: armenzg-testing
                         This is my set of credentials which does not have * scopes.
    assume:client-id:QUUeaAazTAmU6F3Sc29zvQ
    queue:create-task:*
    queue:define-task:*
    docker-worker:cache:*
    docker-worker:capability:*
    docker-worker:image:*
    queue:route:*
    scheduler:create-task-graph
    scheduler:extend-task-graph:*
----
WX5WaEuzTwGh0Q-zpGSoWg - ### Imported: rwood
                         Describe what this use is for...
    *
----
_XwhECl7T_WBWcOdRQFVkA - ### Imported: nullaus
                         null aus dev acess
    *
----
a8298TjkQf2HyICZVkgEYA - ### Imported: lightsofapollo
                         Everything creds for abuse
                         Used to have `*` jonasfj removed these... leaving the client so we can re-activate it if we have to...
                         I doubt it's in use anywhere though...
    assume:client-id:a8298TjkQf2HyICZVkgEYA
----
cVOkbX8TQu2UT7b-8VH0nA - ### Imported: mrrrgn
                         Morgan's access
    *
----
gEGWgxqgRZSikNXkDr6Tbw - ### Imported: kgrandon
    *
----
hkhwW8sQRFiau1ie1b29tQ - ### Imported: pmoore
                         Dev key used by Pete Moore (pmoore@mozilla.com).
    *
----
i8RcQ9nuRe-Q7mpVGnaHJg - ### Imported: rail
                         master of the universe
    *
----
iDpx218zTq6b8XoFMXssEw - ### Imported: dustin
                         credentials for dustin...
    *
----
kZ3PctbtSLml6PHw5YzTOw - ### Imported: drs
                         taskcluster credentials for `drs`.
                         LDAP: `dsherk@mozilla.com`
    *
----
l-a4R0PXR4uHijZ4i7-kgw - ### Imported: shako
                         Shako Ho, sho@mozilla.com
                         Is being shared with other developers...
    *
----
onvEnjW7Su6-53I7UhfCdg - ### Imported: ted
                         Ted Mielczarek, tmielczarek@mozilla.com
    *
----
sldk46fxR2CdSbiw2OR-4Q - ### Imported: autolander-dev
                         Autolander. For questions, ping kgrandon@mozilla.com
    *
----
swn2Eg-pRu2h0ec3uNI9AQ - ### Imported: queue.taskcluster.net
                         Credentails for `queue.taskcluster.net`
    *
----
u5Abj86VRsGmiagy6aO7Yw - ### Imported: mshal
                         mshal testing
    *
----
wQjAUsPgQ-OKuU8RWsz8tg - ### Imported: nhirata
                         Credentials for nhirata
    *
----
xMWxCdJpSriDz7zp7uFo8Q - ### Imported: armenzg
                         Armen's testing account
    *
----
xu9LzAXBTRW8d3x_6Q-wCA - ### Imported: mihneadb
                         This is a temporary account for a community contributor.
                         Created by: garndt
                         Name: Mihnea Dobrescu-Balaur
                         Email: mihnea@linux.com
    *
----
ycAM1VLgRA-677YJBT1K1w - ### Imported: russn
                         Local key for russ to play with
    *
Depends on: 1218476
I'll set aside the "personal" creds for now -- we can fix that when tc-login is deployed.  Most of the "testing" clients are OK.

> TESTING
> =======
> 
> -69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
>     assume:client-id:-69R5nFgQhmFalR2J3y9pA
>     queue:create-task:test/test
>     queue:define-task:test/test
>     queue:claim-task
>     assume:worker-type:test/test
>     assume:worker-id:test/test
>     queue:report-task-completed
>     queue:resolve-task
>     queue:route:tc-treeherder-test*
>     queue:rerun-task
>     assume:scheduler-id:*
>     queue:route:test*
>     scheduler:*

scheduler:* is too broad - should be scheduler:create-task-graph.  bug 1218476

Note, too, that auth:credentials no longer counts for anything; so seeing that here isn't scary (although it suggests the creds need to be edited).

That just leaves services.
Depends on: 1218507
Depends on: 1218508
Depends on: 1218512
Depends on: 1218514
Depends on: 1218517
Depends on: 1218523
No longer depends on: 1164455
Depends on: 1218541
Depends on: 1218548
Depends on: 1218549
Depends on: 1218553
Depends on: 1218555
Alias: tc-scope-lockdown
Depends on: 1218784
Depends on: 1218787
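The two points made above, the description's rule that only a non-empty prefix before `*` is acceptable and the note that `scheduler:*` is broader than `scheduler:create-task-graph`, as a small audit script over the listing format pasted in this bug. This is an added example, not code from the bug or from Taskcluster; `SAMPLE` is a constructed excerpt that reuses clientIds from the listing, and `parse_listing`/`audit`/`satisfies` are names chosen here.

```python
"""Audit a Taskcluster client/scope listing for over-broad scopes.

Added example (not code from this bug or from Taskcluster). It parses the listing format
pasted in this bug (section underlined with '=', "clientId - description" lines, scopes
indented four spaces, "----" separators) and applies the Taskcluster rule that a scope
ending in '*' satisfies every scope starting with the text before it. SAMPLE is constructed.
"""
import re

SAMPLE = """\
TESTING
=======
-69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
    assume:client-id:-69R5nFgQhmFalR2J3y9pA
    assume:scheduler-id:*
    scheduler:*
----
tc-hooks-tests - Client for tc-hooks integration tests
    assume:client-id:tc-hooks-tests
    queue:create-task:no-provisioner/test-worker
SERVICES
========
root - Automatically created `root` client for bootstrapping API access
    *
----
_9TuTPNUSQKMW8wcMIsrxA - ### Imported: taskcluster-scheduler
                         Credentials for the prototype scheduler:
    assume:client-id:_9TuTPNUSQKMW8wcMIsrxA
    queue:schedule-task
    assume:scheduler-id:*
"""

def satisfies(have: str, required: str) -> bool:
    """Taskcluster rule: exact match, or trailing-'*' prefix match."""
    if have.endswith("*"):
        return required.startswith(have[:-1])
    return have == required

def parse_listing(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {section: {clientId: [scopes]}} from the listing format."""
    sections, section, client = {}, "(none)", None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or re.fullmatch(r"[-=]+", line):
            continue                                  # blank, "----" or "====="
        if i + 1 < len(lines) and re.fullmatch(r"=+", lines[i + 1]):
            section = line.strip()                    # heading such as TESTING
        elif re.match(r"    \S", line):
            sections[section][client].append(line.strip())  # one scope
        elif line.startswith(" "):
            continue                                  # wrapped description text
        else:
            client = line.split(" - ", 1)[0]          # "clientId - description"
            sections.setdefault(section, {})[client] = []
    return sections

def audit(text: str, sensitive: str) -> dict[str, list[str]]:
    """Flag bare-'*' clients, and clients whose wildcard covers `sensitive`."""
    star, too_broad = [], []
    for clients in parse_listing(text).values():
        for cid, scopes in clients.items():
            if "*" in scopes:
                star.append(cid)
            elif any(s != sensitive and satisfies(s, sensitive) for s in scopes):
                too_broad.append(cid)
    return {"star": sorted(star), "too_broad": sorted(too_broad)}

if __name__ == "__main__":
    print(audit(SAMPLE, "scheduler:create-task-graph"))
```

Pasting the full listing from the comment above into `SAMPLE` (minus the `>`-quoted block) reproduces the per-section picture discussed in the bug: every client with a bare `*` lands in `star`, and `too_broad` shows which remaining clients could still call the sensitive scope through a wildcard.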
(Reporter)

Updated

3 years ago
Depends on: 1217088
Depends on: 1134342
(Reporter)

Updated

3 years ago
No longer depends on: 1217088
(Reporter)

Updated

3 years ago
Depends on: 1217088
Depends on: 1218928
Blocks: 1219879
Summary: [meta] Reduce number of clients that gets the '*' scope → [meta] Reduce the number of clients that get the '*' scope
Blocks: 1220252
Depends on: 1193607
No longer depends on: 1218787
Depends on: 1220738
No longer depends on: 1217088, 1220738
Depends on: 1228100
No longer depends on: 1218549
I'm calling this done -- the scheduler scopes are not * anymore, but are still fairly broad.  Those will get narrowed when the new big-graph scheduler is done.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED