Closed Bug 1184084 Opened 10 years ago Closed 10 years ago

Assign limited-access scopes to in-tree jobs

Categories

(Taskcluster :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

References

Details

Attachments

(1 file)

So, relengapi-proxy is committed and working great in tasks I submit, including the necessary feature and scopes. What I haven't figured out yet is, how do I have a try push create similar tasks? I assume that adding the scope to `scopes` in the in-tree task definition wouldn't work (otherwise why not just add `scopes: ["*"]` and download everyone's credentials?).
I need this sorted out for my mac cross-compile builds too, for the same reason as Dustin (need to download tooltool internal packages).
This is configured in the thing that submits task-graphs, right now mozilla-taskcluster: https://github.com/taskcluster/mozilla-taskcluster/blob/master/src/config/default.yml#L67-L69 (and possibly other places). So it's about configuring it and then adding it to taskGraph.scope and task.scopes.
So the story is that the permissions of the tasks created from the decision task are limited *only* by the task graph's scopes. The task graph's scopes are specified, as Jonas pointed out in comment 2, in the mozilla-taskcluster configuration (confusingly, under `config.try.projects[projectName]`, where the `try` should be read as "tree" to avoid confusion).

Currently, those scopes are massively wide: `queue:*`, `scheduler:*`, and `docker-worker:*`. Which means that anyone who can push to try can use any cache, any device, create tasks, claim all the tasks in a queue, etc. Thankfully, the RelengAPI token the proxy uses only allows tooltool downloads, so this hasn't accidentally allowed root access to RelengAPI -- but it could have! That's going to get fixed soon!

At that point, we'll want to leave

  docker-worker:relengapi-proxy:tooltool.download.internal
  docker-worker:relengapi-proxy:tooltool.download.public

in the try tree's list of scopes, but nothing that satisfies `docker-worker:relengapi-proxy:*`. Adding the feature is easy peasy.
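The comment above describes a chain of authorization: the tree's configured scope list bounds the task graph's scopes, and the task graph's scopes bound every task the decision task creates. The example below is added here and is not code from this bug, mozilla-taskcluster, or TaskCluster itself; it implements the TaskCluster trailing-`*` scope rule (a granted scope ending in `*` satisfies any required scope sharing that prefix) and checks a constructed task graph against the wide and the narrowed try-tree scope lists discussed above. The scope lists, the task definitions, and the helper names `scopeSatisfies`, `missingScopes` and `validateGraph` are assumptions made for the illustration.

```javascript
'use strict';

// Added example, not TaskCluster's own code. Models the trailing-wildcard
// rule: 'docker-worker:*' satisfies 'docker-worker:relengapi-proxy:*', but a
// fully spelled-out scope satisfies only itself.
function scopeSatisfies(granted, required) {
  if (granted === required) return true;
  if (granted.endsWith('*')) {
    return required.startsWith(granted.slice(0, -1));
  }
  return false;
}

// Required scopes that no granted scope covers (empty means "satisfied").
function missingScopes(grantedScopes, requiredScopes) {
  return requiredScopes.filter(
    req => !grantedScopes.some(g => scopeSatisfies(g, req))
  );
}

// Walk the chain from the comment: tree scopes bound graph scopes, and graph
// scopes bound each task's scopes. Returns a list of human-readable errors.
function validateGraph(treeScopes, graph) {
  const errors = [];
  for (const s of missingScopes(treeScopes, graph.scopes)) {
    errors.push(`task graph requests ${s}, not granted to this tree`);
  }
  for (const task of graph.tasks) {
    for (const s of missingScopes(graph.scopes, task.scopes)) {
      errors.push(`task ${task.name} requests ${s}, not in task graph scopes`);
    }
  }
  return errors;
}

// Constructed try-tree scope lists (assumed, for illustration only).
// Wide: what the comment says is configured today.
const WIDE_TRY_SCOPES = ['queue:*', 'scheduler:*', 'docker-worker:*'];
// Narrow: the two tooltool scopes spelled out, and nothing that would
// satisfy 'docker-worker:relengapi-proxy:*'.
const NARROW_TRY_SCOPES = [
  'queue:*',
  'scheduler:*',
  'docker-worker:relengapi-proxy:tooltool.download.internal',
  'docker-worker:relengapi-proxy:tooltool.download.public',
];

// Constructed task graph: a decision task asks for exactly what one build
// needs, and one build task reuses it.
const TOOLTOOL_GRAPH = {
  scopes: ['docker-worker:relengapi-proxy:tooltool.download.internal'],
  tasks: [
    { name: 'linux64-build',
      scopes: ['docker-worker:relengapi-proxy:tooltool.download.internal'] },
  ],
};

// Constructed task graph that tries to claim the whole relengapi-proxy
// namespace, which the narrowed tree must refuse.
const OVERREACHING_GRAPH = {
  scopes: ['docker-worker:relengapi-proxy:*'],
  tasks: [
    { name: 'greedy-task', scopes: ['docker-worker:relengapi-proxy:*'] },
  ],
};

function demo() {
  return {
    wideAllowsOverreach: validateGraph(WIDE_TRY_SCOPES, OVERREACHING_GRAPH).length === 0,
    narrowAllowsOverreach: validateGraph(NARROW_TRY_SCOPES, OVERREACHING_GRAPH).length === 0,
    narrowAllowsTooltool: validateGraph(NARROW_TRY_SCOPES, TOOLTOOL_GRAPH).length === 0,
  };
}

console.log(demo());
```

With the wide list, `validateGraph` accepts the overreaching graph, which is the "anyone who can push to try" problem the comment describes; with the narrowed list it rejects that graph but still accepts the graph that names the tooltool scope exactly, because the graph's scopes are checked one by one against the tree's list rather than by prefix.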
Assignee: nobody → dustin
Bug 1184084: enable relengapi-proxy for android, linux builds; r?garndt
Attachment #8635591 - Flags: review?(garndt)
Comment on attachment 8635591 [details] MozReview Request: Bug 1184084: enable relengapi-proxy for android, linux builds; r?garndt
Comment on attachment 8635591 [details] MozReview Request: Bug 1184084: enable relengapi-proxy for android, linux builds; r?garndt

https://reviewboard.mozilla.org/r/13567/#review12199

These changes look good and everything is green in the graph except for Linux64 opt. Was the code in this review used for that taskgraph that was linked to in the comments? From looking at the review, I don't see any obvious problem, but the task in the graph mangled env and features together it seems and left env as null. Once that's worked out, this is r+, sheep it.
Attachment #8635591 - Flags: review?(garndt) → review+
Yes, that try job was from revision 2 in the mozreview, and fixed in revision 3. Thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED