Add a per-user (rather than per-repository) authentication mechanism for submitting data to Treeherder



Tree Management
Treeherder: API
3 years ago
2 years ago


(Reporter: emorley, Assigned: mdoglio)




(1 attachment)

46 bytes, text/x-github-pull-request
: review+
(Filing bugs for things we discussed as possible future goals, but do not have a bug on file).
Priority: -- → P3
Blocks: 1043334


3 years ago
Blocks: 1164845
Blocks: 1170562
As part of this I imagine we'll have no choice but to move away from using the oauth2 package anyway, but in case not, we should absolutely consider doing so. It's had no commits since December 2011 and there's no way to work around bug 1170562 comment 2.

Comment 2

3 years ago
I'm going to base this implementation on django-oauth-toolkit, which is the recommended package to do oauth authentication with django-rest-framework.


3 years ago
Blocks: 1178641
Depends on: 1185520
Blocks: 1196191

Comment 3

3 years ago
After some investigation I decided django-oauth-toolkit is too complicated for what we need. I'm going to create a simple table holding the list of clients and their credentials. And I'm gonna use hawk for the authentication since:
- there's already a hawk backend for drf
- there's already a hawk auth backend for requests
- the credentials don't go through the wire, which would also solve bug 1170562

Comment 4

3 years ago
Created attachment 8663692
PR 983
Assignee: nobody → mdoglio
Attachment #8663692 - Flags: review?(emorley)

Comment 5

3 years ago
Once attachment 8663692 has landed we will
- create new credentials for our own etl service
- propagate the credentials on the staging/prod machines
- enable hawk authentication in the client
Comment on attachment 8663692
PR 983

Looks good so far, have left some comments - reflag for review for a final glance :-)
Attachment #8663692 - Flags: review?(emorley)


3 years ago
Attachment #8663692 - Flags: review?(emorley)
Comment on attachment 8663692
PR 983

(Had another quick glance, but didn't have time to test locally.)
Attachment #8663692 - Flags: review?(emorley) → review+


3 years ago
Blocks: 1209555

Comment 8

3 years ago
Commits pushed to master at
Bug 1160111 - Create login page for login_required

The login_required decorator redirects unauthenticated users to
settings.LOGIN_URL, adding a `next` querystring parameter to it.
This parameter is then passed to the browserid login button so that
the user can be sent back to the original page after a successful
Bug 1160111 - Add treeherder.credentials app

The new app handles treeherder client credentials.
The content of the credentials table should replace the credentials file
we currently use for authentication.
This commit includes orm models, migrations and an admin interface.
Bug 1160111 - Add ui to manage credentials.

An authenticated user can access the new ui and add new credentials.
When new credentials are created the system generates automatically
a secret key which is available in the credentials details.
The credentials need to be approved by a member of staff before they
can be used for data submission; that can be done via the admin
In the admin panel it is also possible to reset the secret key of one
or more credentials. The new secret will be available to its owner
in the application details.
Bug 1160111 - Add requirements for hawkrest
Bug 1160111 - Add hawk authentication scheme

The hawk credentials lookup function is the glue between hawk and
the `application` django app. I wrote tests to verify its logic,
everything else is mostly configuration code.
Bug 1160111 - Add throttling for hawk clients

The new throttling class is based on the hawk client id.
I added some tests to cover both the new throttling class and the one
based on oauth.
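
The exchange that comment 3 and the Hawk commits above describe, as an added example that is not Treeherder's or hawkrest's code: a standard-library sketch of the Hawk header MAC in which the client sends only id, ts, nonce and mac, and the server-side lookup refuses credentials that have not been approved. The table fields, client ids, host, path and skew limit are constructed assumptions; payload hashing and the ext field are left out.

```python
import base64, hashlib, hmac, secrets, time

# Constructed stand-in for the credentials table; field names are hypothetical.
CREDENTIALS = {
    "etl-client": {"secret": "constructed-secret-1", "authorized": True},
    "new-client": {"secret": "constructed-secret-2", "authorized": False},
}
SEEN_NONCES = set()  # replay cache; a real service would expire entries
MAX_SKEW = 60        # seconds of clock skew tolerated (assumed value)

def hawk_mac(secret, ts, nonce, method, resource, host, port):
    """HMAC-SHA256 over the Hawk header string (empty payload hash and ext)."""
    fields = ["hawk.1.header", str(ts), nonce, method.upper(), resource,
              host.lower(), str(port), "", ""]
    normalized = "\n".join(fields) + "\n"
    digest = hmac.new(secret.encode(), normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign(client_id, secret, method, resource, host, port, now=None):
    """Client side: the attributes sent on the wire; the secret is not among them."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(6)
    mac = hawk_mac(secret, ts, nonce, method, resource, host, port)
    return {"id": client_id, "ts": ts, "nonce": nonce, "mac": mac}

def lookup(client_id):
    """Credentials lookup: only approved clients resolve to a secret."""
    row = CREDENTIALS.get(client_id)
    if row is None or not row["authorized"]:
        raise LookupError("unknown or unapproved client")
    return row["secret"]

def verify(attrs, method, resource, host, port, now=None):
    """Server side: recompute the MAC from the stored secret and compare."""
    now = time.time() if now is None else now
    try:
        secret = lookup(attrs["id"])
    except LookupError:
        return False
    replayed = (attrs["id"], attrs["nonce"]) in SEEN_NONCES
    if replayed or abs(now - attrs["ts"]) > MAX_SKEW:
        return False
    expected = hawk_mac(secret, attrs["ts"], attrs["nonce"], method, resource, host, port)
    if not hmac.compare_digest(expected, attrs["mac"]):
        return False
    SEEN_NONCES.add((attrs["id"], attrs["nonce"]))
    return True
```

Because the MAC covers the method, path, host and port, a captured header cannot be reused against a different resource, and the nonce cache rejects a straight replay inside the skew window.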


3 years ago
Last Resolved: 3 years ago
Resolution: --- → FIXED
Depends on: 1210748
Summary: Split out the oauth credentials from the datasource table to allow per-user not per-project keys → Add a per-user (rather than per-repository) authentication mechanism for submitting data to Treeherder
Blocks: 1212931
Blocks: 1212936
Depends on: 1212951
Depends on: 1271256
Depends on: 1303928