Closed
Bug 1159979
Opened 9 years ago
Closed 9 years ago
[auto-lander] Don't give autolander "*" scope it can do anything
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1218928
People
(Reporter: jonasfj, Unassigned)
References
Details
Autolander creates a task-graph and gives the graph the scope "*", see: https://github.com/mozilla/autolander/blob/2e74698605403319bab45b5203fde41ef0c06af0/lib/taskgraph.js#L196-198 It does this because we don't know what scopes it should have. We should figure this out, and not give "*" scope to the task-graph, nor should the credentials used by autolander have "*" scope. A quick reduction would be: scheduler:* queue:* index:* But we can probably do better than that... Autolander tasks probably only need access to a fixed set of workerTypes, artifact names and routes. Locking it down protects against people accidentally using workerTypes they shouldn't, or sending to routes they shouldn't. Example, perma creds issued to autolander might have the scope: queue:route:tc-treeherder.gaia-try.* Whilst the taskgraphs created by auto-lander, is given the exact scope: queue:route:tc-treeherder.gaia-try.<hash> Then tasks created by an in-tree decision task, or just defined in-tree, cannot use other routes and report results for another <hash>. Similarly, should be done with "queue:route:gaia-autolander.*". Of course this only works if we lock down all the queue scopes the task-graph needs. @kgrandon, Can you post a typical task-graph as produced by this, maybe one or two so the pattern is clear. Then I should be able to give you a list of scopes for taskGraph.scopes. Once that works, we can reduce the set of scopes are issued to autolander.
Flags: needinfo?(kgrandon)
|
||
Comment 1•9 years ago
|
||
(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #0) > @kgrandon, > Can you post a typical task-graph as produced by this, maybe one or two so > the pattern is clear. We use autolander.json in gaia to generate our task graphs. Here is an example graph: http://docs.taskcluster.net/tools/task-graph-inspector/#jgDNozIFQcesjhVSv7Zvkg Autolander.json: https://github.com/mozilla-b2g/gaia/blob/master/autolander.json
Flags: needinfo?(kgrandon)
|
||
Comment 2•9 years ago
|
||
Looks like related to this: https://bugzilla.mozilla.org/show_bug.cgi?id=1091212
|
|
||
Comment 3•9 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #2) > Looks like related to this: > https://bugzilla.mozilla.org/show_bug.cgi?id=1091212 Yup, this one has more useful information though, so I'll dupe it to this.
|
||
Updated•9 years ago
|
Component: TaskCluster → General
Product: Testing → Taskcluster
|
Reporter | |
Updated•9 years ago
|
Component: General → Integration
|
||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
|
Assignee | |
Updated•5 years ago
|
Component: Integration → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•