Bug 1137827 (tc-scope-lockdown) - [meta] Reduce the number of clients that get the '*' scope
Status: RESOLVED FIXED (Closed). Opened 10 years ago; closed 9 years ago.
Categories: Taskcluster :: Services, defect
Tracking: Not tracked
People: Reporter: jonasfj, Assigned: dustin
We should absolutely reduce the number of clients that get the "*" scope.
It's fine that some have scopes of the form "<non-zero-prefix>*", as long as
it's a non-zero prefix.
There are a lot of places to reduce the scopes issued. I'm not super concerned
with components like queue, provisioner, index, etc.; a few of them legitimately
need the '*' scope, and for the others it's a configuration issue.
However, there are places where we absolutely should reduce the scopes issued:
1) auth issues temporary credentials to <anyone>@mozilla.com with the "*" scope.
(bug 1137740)
2) docker-worker currently has the "*" credentials for the authentication proxy.
(bug 1137821)
Please file bugs for any other scope reduction issues; this will be a meta-bug
tracking efforts to tighten scope policies.
Updated • 10 years ago
Component: TaskCluster → General
Product: Testing → Taskcluster

Updated by Reporter • 10 years ago
Component: General → Authentication

Comment 1 by Assignee • 10 years ago
So here's what our current set of clientIds looks like, roughly divided by purpose. This is publicly accessible via API, btw.
TESTING
=======
-69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
assume:client-id:-69R5nFgQhmFalR2J3y9pA
queue:create-task:test/test
queue:define-task:test/test
queue:claim-task
assume:worker-type:test/test
assume:worker-id:test/test
queue:report-task-completed
queue:resolve-task
queue:route:tc-treeherder-test*
queue:rerun-task
assume:scheduler-id:*
queue:route:test*
scheduler:*
----
-yX0fVeLQWWwZ8wS0DHz9Q - ### Imported: dummy-test-scheduler
Credentials for automatic testing of the task-graph scheduler against production queue.
These should not be leaked, but can be embedded as **encrypted** environment variables in things like `travis.yml`. Or stored in a local configuration file for testing the scheduler locally.
This is also used for testing `taskcluster-client`.
assume:client-id:-yX0fVeLQWWwZ8wS0DHz9Q
queue:define-task:dummy-test-provisioner/dummy-test-worker-type
queue:schedule-task
queue:claim-task
assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
queue:report-task-completed
queue:rerun-task
assume:scheduler-id:dummy-test-scheduler/*
queue:resolve-task
----
DqpvW5MaS7SkHjYpe0hfrg - ### Imported: taskcluster-secrets-test-client
For testing taskcluster-secrets....
assume:client-id:DqpvW5MaS7SkHjYpe0hfrg
secrets:write
secrets:delete
secrets:github:ninethings:website:*
----
6uwU3ANNT0ed0UEyfG2W8w - ### Imported: dummy-index-test
Dummy used for testing `taskcluster-index`.
assume:client-id:6uwU3ANNT0ed0UEyfG2W8w
queue:create-task:dummy-test-provisioner/dummy-test-worker-type
queue:route:dummy-routes.index-testing.*
queue:claim-task
assume:worker-type:dummy-test-provisioner/dummy-test-worker-type
assume:worker-id:dummy-test-workergroup/dummy-test-worker-id
queue:report-task-completed
auth:azure-table-access:taskclusterdev/DummyTest*
queue:resolve-task
queue:create-artifact:public/dummy-test-provisioner.log
queue:create-artifact:private/dummy-test-provisioner.log
queue:get-artifact:private/dummy-test-provisioner.log
----
k-haeuv-RMuKmBXPuTDpiQ - ### Imported: travis test user for taskcluster-proxy
This user runs tests in travis-ci.org for github.com/taskcluster/taskcluster-proxy repo. The clientId and accessToken are provided as encrypted environment variables.
assume:client-id:k-haeuv-RMuKmBXPuTDpiQ
auth:inspect
auth:credentials
----
tc-hooks - Test user for taskcluster-hooks
assume:client-id:tc-hooks
----
tc-hooks-tests - Client for tc-hooks integration tests
assume:client-id:tc-hooks-tests
queue:create-task:no-provisioner/test-worker
assume:hook-id:tc-hooks-tests/tc-test-hook
jungle:tc-hooks-tests:scope/required/for/task/1
SERVICES
========
-ojkeT4cQ8iPqzfjX6YqPw - ### Imported: taskcluster-purge-cache
User for purge-cache service...
assume:client-id:-ojkeT4cQ8iPqzfjX6YqPw
auth:credentials
----
00F-p0pNSaSklX6COjCTHg - ### Imported: taskcluster-try
Taskcluster + Try handler
assume:client-id:00F-p0pNSaSklX6COjCTHg
queue:*
docker-worker:*
scheduler:*
----
0BI2Jg_ZSuCHg6bEyPdD9A - ### Imported: aws-provisioner2
jhford made this account for work on the new aws provisioner
*
----
5Svq_nEQSFCDnNNcPHj2sQ - ### Imported: buildbot-bridge
Credentials for the production instance of the Buildbot <-> Taskcluster Bridge. Original discussion of required permissions can be found in https://bugzilla.mozilla.org/show_bug.cgi?id=1164455.
assume:client-id:5Svq_nEQSFCDnNNcPHj2sQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
queue:rerun-task
queue:cancel-task
assume:worker-type:buildbot-bridge/buildbot-bridge
assume:worker-id:buildbot-bridge/buildbot-bridge
assume:scheduler-id:*
----
7J6dLK6WS4WIUCUmsMssYw - ### Imported: release runner dev
assume:client-id:7J6dLK6WS4WIUCUmsMssYw
queue:*
docker-worker:*
scheduler:*
signing:format:gpg
signing:format:mar
signing:cert:dep-signing
buildbot-bridge:builder-name:release-date*
----
G0ZVDgU7TNq6WgWCtEMQlg - ### Imported: dockerhost-r3xlarge-2
assume:client-id:G0ZVDgU7TNq6WgWCtEMQlg
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-type:aws-provisioner/dockerhost-r3xlarge
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
queue:resolve-task
----
GZpee0SDRHm9fhYbaqKtuQ - ### Imported: crater
crater test service managed by Brian Anderson (:brson).
Contact: banderson@mozilla.com
*
----
HHb6HtDwQaS3dGdaa_j0ow - ### Imported: funsize scheduler
assume:client-id:HHb6HtDwQaS3dGdaa_j0ow
signing:*
scheduler:*
docker-worker:*
queue:*
----
I0o8H5AgRZWkj_jsDIepYQ - ### Imported: buildbot-bridge-dev
Credentials to use when running a dev instance of the Buildbot <-> Taskcluster Bridge.
assume:client-id:I0o8H5AgRZWkj_jsDIepYQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
queue:rerun-task
queue:cancel-task
assume:scheduler-id:*
assume:worker-type:buildbot-bridge/buildbot-bridge
assume:worker-id:buildbot-bridge/buildbot-bridge
----
KHa1Y5wARRGL8R6GAsgW3w - ### Imported: buildbot-try
Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP for try builds.
assume:client-id:KHa1Y5wARRGL8R6GAsgW3w
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:route:*
queue:claim-task
assume:worker-type:null-provisioner/buildbot-try
assume:worker-id:buildbot-try/buildbot-try
queue:resolve-task
----
O6yB_zofTjCAjPSu4iYKoA - ### Imported: taskcluster-github
assume:client-id:O6yB_zofTjCAjPSu4iYKoA
assume:worker-type:test/test
assume:worker-id:test/test
assume:scheduler-id:*
scheduler:*
docker-worker:*
queue:*
----
Po0gCUk-Rx-OzBV_bcOkhQ - ### Imported: Docker Host g2
assume:client-id:Po0gCUk-Rx-OzBV_bcOkhQ
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-type:aws-provisioner/dockerhost-g2
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
----
SUkfDCeyStmQbgu4f4yXCg - ### Imported: buildbot-staging
For staging buildbot builds to upload files.
assume:client-id:SUkfDCeyStmQbgu4f4yXCg
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:claim-task
assume:worker-type:null-provisioner/buildbot
assume:worker-id:buildbot/buildbot
queue:resolve-task
queue:route:index.garbage.staging.*
----
SbTaWGCUSnG65E4dqLpxDQ - ### Imported: signingworker2
used to sign MAR files generated by Funsize
assume:client-id:SbTaWGCUSnG65E4dqLpxDQ
queue:claim-task
queue:create-artifact:*
queue:resolve-task
assume:worker-id:signing-worker-v1/*
assume:worker-type:signing-provisioner-v1/*
----
T9J-xA9JSUKQzfR99NRtMg - ### Imported: mozilla-pulse-actions
This client is to be used as part of pulse_actions in combination to mozci.
assume:client-id:T9J-xA9JSUKQzfR99NRtMg
queue:create-task:*
queue:define-task:*
docker-worker:cache:*
docker-worker:capability:*
docker-worker:image:*
tc-treeherder*
queue:route:*
scheduler:create-task-graph
scheduler:extend-task-graph
----
XJhrEh8MSG-34W5qQjRadQ - ### Imported: scheduler.taskcluster
Access credentials for `scheduler.taskcluster.net`. This is the production deployment of the task-graph scheduler.
*
----
XsQX5VRnSCi_gG1Fbby0AQ - ### Imported: testdroid-worker
*
----
_9TuTPNUSQKMW8wcMIsrxA - ### Imported: taskcluster-scheduler
Credentials for the prototype scheduler:
https://github.com/taskcluster/taskcluster-scheduler
assume:client-id:_9TuTPNUSQKMW8wcMIsrxA
queue:schedule-task
assume:scheduler-id:*
auth:azure-table-access:taskclusterdev/*
----
_rUyXCLtT0SSDw37PXFIFw - ### Imported: b2g-qa-jenkins
Enables QA's Jenkins to download Firefox OS builds. Owned by the Firefox OS QA team.
Point of contact: Johan Lorenzo
jlorenzo@mozilla.com
Issued in bug [1184935](https://bugzilla.mozilla.org/show_bug.cgi?id=1184935).
assume:client-id:_rUyXCLtT0SSDw37PXFIFw
queue:get-artifact:private/build/*
----
b2g-power-tests - jhylands runs a jenkins server for doing automated power tests on Firefox OS.
These credentials grant him access to download private artifacts for flame testing...
Owner: jhylands@mozilla.com
assume:client-id:b2g-power-tests
queue:get-artifact:private/build/*
----
eIy6aszeRQirIPOMwtOtqQ - ### Imported: mozilla-taskcluster
Integration for mozilla-taskcluster
assume:client-id:eIy6aszeRQirIPOMwtOtqQ
queue:*
docker-worker:*
scheduler:*
----
kd-b_FdrSJ-4Gr3FF4IOpA - ### Imported: github-taskcluster
*
----
pW4qm6B8SHGfpeUzUQ9dKg - ### Imported: old-aws-provisioner
old aws provisioner... this will go away...
Ask jonasfj or jhford if it's still alive...
assume:client-id:pW4qm6B8SHGfpeUzUQ9dKg
queue:pending-tasks:aws-provisioner/*
----
root - Automatically created `root` client for bootstrapping API access
*
----
tc-login - Credentials for login.taskcluster.net
Owner: jojensen@mozilla.com
assume:client-id:tc-login
assume:mozillians-user:*
assume:mozillians-group:*
assume:ldap-user:*
assume:ldap-group:*
----
tc-secrets - TaskCluster secrets service...
This service stores secrets and protects them with scopes, so people can't get access without the right scope.
Owner: mphillips@mozilla.com
Belongs to the [taskcluster-secrets heroku app](https://dashboard.heroku.com/apps/taskcluster-secrets).
assume:client-id:tc-secrets
auth:azure-table-access:taskclustersecretsv1/Secrets
----
v9h-Fo_fQ3yq_-MeH6dP6w - ### Imported: worker-ci-tests
assume:client-id:v9h-Fo_fQ3yq_-MeH6dP6w
scheduler:create-task-graph
queue:claim-task
assume:worker-id:worker-ci-test/*
queue:report-task-completed
queue:resolve-task
queue:rerun-task
assume:scheduler-id:*
queue:define-task:aws-provisioner-v1/worker-ci-test
queue:create-task:aws-provisioner-v1/worker-ci-test
assume:worker-type:aws-provisioner-v1/worker-ci-test
assume:worker-type:no-provisioning-nope/*
queue:create-task:no-provisioning-nope/*
queue:poll-task-urls
assume:worker-id:random-local-worker/*
queue:cancel-task
queue:define-task:no-provisioning-nope/*
scheduler:extend-task-graph:*
docker-worker:feature:*
docker-worker:cache:*
docker-worker:image:localhost*
docker-worker:capability:privileged
docker-worker:capability:device:*
aws-provisioner:create-secret
queue:get-artifact:private/docker-worker-tests/*
index:insert-task:garbage.docker-worker-tests.*
queue:create-artifact:public/*
queue:route:index.garbage.docker-worker-tests.*
queue:create-artifact:docker-worker-tests*
queue:create-artifact:private/docker-worker-tests*
queue:create-artifact:custom
queue:get-artifact:/private/docker-worker-tests/*
purge-cache:no-provisioning-nope*
----
vKlyNangR_m4pEgk7ajKEQ - ### Imported: dockerhost
assume:client-id:vKlyNangR_m4pEgk7ajKEQ
queue:claim-task
auth:inspect
queue:report-task-completed
assume:worker-id:*
queue:create-artifact:public/api.json
auth:credentials
assume:worker-type:aws-provisioner/dockerhost-r3-2xlarge
assume:worker-type:aws-provisioner/dockerhost-g2
assume:worker-type:aws-provisioner/dockerhost-r3xlarge
assume:worker-type:aws-provisioner/dockerhost-c3-2xlarge
assume:worker-type:aws-provisioner/dh-c4-2xlarge
queue:resolve-task
----
xPK1XrauRn6v2QNMMIAOKg - ### Imported: funsize dev
assume:client-id:xPK1XrauRn6v2QNMMIAOKg
signing:*
scheduler:*
docker-worker:*
queue:*
----
yHLBn3GaTY-SYhTnKw3X-Q - ### Imported: temporary-credentials
Client used to issue temporary credentials; the list of scopes assigned to this client will be given to all temporary credentials issued.
*
----
yMbwoZvhRout3T_Fr7h4Ng - ### Imported: index.taskcluster.net
Credentials for `index.taskcluster.net`
*
----
yvP37tZ_S52uOeZm-Ep4IA - ### Imported: buildbot
Client for buildbot/mozharness to upload build artifacts to S3 instead of FTP.
assume:client-id:yvP37tZ_S52uOeZm-Ep4IA
queue:create-task:*
queue:create-artifact:*
queue:report-task-completed
queue:route:*
queue:claim-task
assume:worker-type:null-provisioner/buildbot
assume:worker-id:buildbot/buildbot
queue:resolve-task
PERSONAL
========
09tML-c8Tf6pYehxK8Rrpw - ### Imported: bhearsum
*
----
2NTE9AF4Qq2iNp_ZXan5DA - ### Imported: npark
npark@mozilla.com
See [bug 1196730](https://bugzilla.mozilla.org/show_bug.cgi?id=1196730)
for building b2g or something like that...
*
----
2YkrA35TSrCL9yOGDeW-Tg - ### Imported: jhford
for jhford for local testing only
*
----
2czfw97BQS6SvD-Q-F76Aw - ### Imported: jonasfj
Credentials for `jonasfj` to abuse...
*
----
7biq0sFcRqGYGJ9juATLJA - ### Imported: ffledgling
*
----
Bx-Vfe_rSQ2HOtZQviwl_A - ### Imported: sousmangoosta
This is a temporary account for a community contributor that was directed to taskcluster by kgrandon and gerard-majax.
This should be removed later when we allow non @mozilla.com emails to get temporary credentials. Granted with same scopes as temp creds
Name: Ronald Claveau
email: sousmangoosta@ovh.fr
IRC: sousmangoosta
*
----
DyUwCUOlRJWAOm7OJJWg1g - ### Imported: garndt
Key for local abuse for garndt don't ship this
*
----
GFHNiUujSuu_MCDF1GWvvQ - ### Imported: raluca
Raluca is hacking on analysis framework for telemetry... if she finds time...
*
----
I3hNQRWhSnWA-s6WN5w1XA - ### Imported: amiyaguchi
amiyaguchi is an intern summer 2015 working on windows AMI setups.
*
----
JmhqKvaWTHmnxmRqoORBaA - ### Imported: brson
Brian Anderson
*
----
LY8eSq1WTb6qKMrWKGTvqw - ### Imported: Rob Thijssen
For playing around, and doing damage! :D
*
----
LvL_9Z2FQLa2gO-3AgCQ_A - ### Imported: selena
developer credentials for `selena@mozilla.com`
*
----
LvhIONB6TAKCeZsbmrImrA - ### Imported: gerard-majax
assume:client-id:LvhIONB6TAKCeZsbmrImrA
queue:*
scheduler:*
docker-worker:*
----
MC7GCZfURkCGO8rS9KxgTg - ### Imported: wcosta
Describe what this use is for...
*
----
N6l8rTzKRdCsLxXpboKNuw - ### Imported: jlund
jlund from releng
*
----
NJ3G1h8ARkGhekYPFYhmVw - ### Imported: liav
Credentials for Liav (`liav.koren@gmail.com`), a new contributor working on bug [1051561](https://bugzilla.mozilla.org/show_bug.cgi?id=1051561) and sub-bugs thereof...
*
----
OXSb5WUVQk6STvKkCPitgw - ### Imported: EggyLv999
Edgar contracted intern...
*
----
QUUeaAazTAmU6F3Sc29zvQ - ### Imported: armenzg-testing
This is my set of credentials which does not have * scopes.
assume:client-id:QUUeaAazTAmU6F3Sc29zvQ
queue:create-task:*
queue:define-task:*
docker-worker:cache:*
docker-worker:capability:*
docker-worker:image:*
queue:route:*
scheduler:create-task-graph
scheduler:extend-task-graph:*
----
WX5WaEuzTwGh0Q-zpGSoWg - ### Imported: rwood
Describe what this use is for...
*
----
_XwhECl7T_WBWcOdRQFVkA - ### Imported: nullaus
null aus dev access
*
----
a8298TjkQf2HyICZVkgEYA - ### Imported: lightsofapollo
Everything creds for abuse
Used to have `*` jonasfj removed these... leaving the client so we can re-activate it if we have to...
I doubt it's in use anywhere though...
assume:client-id:a8298TjkQf2HyICZVkgEYA
----
cVOkbX8TQu2UT7b-8VH0nA - ### Imported: mrrrgn
Morgan's access
*
----
gEGWgxqgRZSikNXkDr6Tbw - ### Imported: kgrandon
*
----
hkhwW8sQRFiau1ie1b29tQ - ### Imported: pmoore
Dev key used by Pete Moore (pmoore@mozilla.com).
*
----
i8RcQ9nuRe-Q7mpVGnaHJg - ### Imported: rail
master of the universe
*
----
iDpx218zTq6b8XoFMXssEw - ### Imported: dustin
credentials for dustin...
*
----
kZ3PctbtSLml6PHw5YzTOw - ### Imported: drs
taskcluster credentials for `drs`.
LDAP: `dsherk@mozilla.com`
*
----
l-a4R0PXR4uHijZ4i7-kgw - ### Imported: shako
Shako Ho, sho@mozilla.com
Is being shared with other developers...
*
----
onvEnjW7Su6-53I7UhfCdg - ### Imported: ted
Ted Mielczarek, tmielczarek@mozilla.com
*
----
sldk46fxR2CdSbiw2OR-4Q - ### Imported: autolander-dev
Autolander. For questions, ping kgrandon@mozilla.com
*
----
swn2Eg-pRu2h0ec3uNI9AQ - ### Imported: queue.taskcluster.net
Credentials for `queue.taskcluster.net`
*
----
u5Abj86VRsGmiagy6aO7Yw - ### Imported: mshal
mshal testing
*
----
wQjAUsPgQ-OKuU8RWsz8tg - ### Imported: nhirata
Credentials for nhirata
*
----
xMWxCdJpSriDz7zp7uFo8Q - ### Imported: armenzg
Armen's testing account
*
----
xu9LzAXBTRW8d3x_6Q-wCA - ### Imported: mihneadb
This is a temporary account for a community contributor.
Created by: garndt
Name: Mihnea Dobrescu-Balaur
Email: mihnea@linux.com
*
----
ycAM1VLgRA-677YJBT1K1w - ### Imported: russn
Local key for russ to play with
*
Comment 2 by Assignee • 10 years ago
I'll set aside the "personal" creds for now -- we can fix that when tc-login is deployed. Most of the "testing" clients are OK.
> TESTING
> =======
>
> -69R5nFgQhmFalR2J3y9pA - ### Imported: mozilla-taskcluster-ci
> assume:client-id:-69R5nFgQhmFalR2J3y9pA
> queue:create-task:test/test
> queue:define-task:test/test
> queue:claim-task
> assume:worker-type:test/test
> assume:worker-id:test/test
> queue:report-task-completed
> queue:resolve-task
> queue:route:tc-treeherder-test*
> queue:rerun-task
> assume:scheduler-id:*
> queue:route:test*
> scheduler:*
scheduler:* is too broad; it should be scheduler:create-task-graph (bug 1218476).
Note, too, that auth:credentials no longer counts for anything, so seeing that here isn't scary (although it suggests the creds need to be edited).
That just leaves services.
Updated • 10 years ago
Alias: tc-scope-lockdown

Updated • 10 years ago
Summary: [meta] Reduce number of clients that gets the '*' scope → [meta] Reduce the number of clients that get the '*' scope

Updated by Assignee • 10 years ago

Comment 3 by Assignee • 9 years ago
I'm calling this done -- the scheduler scopes are not * anymore, but are still fairly broad. Those will get narrowed when the new big-graph scheduler is done.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Component: Authentication → Services