Closed Bug 1212936 Opened 9 years ago Closed 9 years ago

Migrate submitters of data from oauth to per-user Hawk credentials

Categories

(Tree Management :: Treeherder: API, defect, P2)

Product:
Tree Management
Component:
Treeherder: API
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: emorley, Assigned: emorley)

References

Details

Bug 1160111 added support for new per-user Hawk credentials, that are to replace the current per-project (repository) oauth ones. Bug 1209555 then migrated Treeherder to use these credentials for the ETL layer. We'll need to migrate other clients too, once we have the docs in place (bug 1212931). This bug is for tracking that migration & eventually double-checking access logs to confirm we'd ok to remove legacy oauth support.
Blocks: 1212937
Blocks: 1170562
Support has been added for per-user credentials for submitting to Treeherder's API. This means that: * each submitter will have their own client_id and secret for submitting to the API (rather than shared credentials), which will make it easier to track submissions from different sources and revoke just one user in case of compromise/leak * there are no longer different credentials per repository, which makes it easier for clients to start submitting to different repos (in the initial implementation everyone can submit to all repos; we may consider adding in controls later, but even if we do, it will no longer require code changes on the submitters side/keeping track of multiple credentials) * the owner of an api key can see it in the web UI so we don't have to send it over PM or private bugs, and treeherder admins can reset/revoke keys from the admin UI too * we're no longer using oauth, but instead Hawk for authentication - which uses headers rather than URI params (so reduces chances of leaks in logs) and also doesn't submit the secret itself over the wire. * we'll eventually need everyone to switch over, but there will be a deprecation period where both authentication methods will work We're still finalising the last few pieces of this (docs, python client support etc), but in the meantime I wanted to give a heads up, and ask if you could: 1) Request an API key for stage and/or prod. For the client id I'd suggest using values like "taskcluster", "mozmill" etc. Use these forms (the api key will be associated with whomever was signed in when it was requested, but this can be changed later if needed): - Stage: https://treeherder.allizom.org/credentials/create/ - Prod: https://treeherder.mozilla.org/credentials/create/ 2) File a bug in whatever component you use, blocking this one, with a summary along the lines of "Submit to Treeherder's API using Hawk credentials" - and in the description mention the client_id you've chosen in #1. I'll then press "authorise" on each of the requested keys. Then once we have docs finished and the new python client released (we'll also need to figure out the plan for the nodejs client), I'll comment in the bugs you've filed, with next steps. Thanks :-)
Flags: needinfo?(mjzffr)
Flags: needinfo?(hskupin)
Flags: needinfo?(garndt)
Flags: needinfo?(bob)
Maja and Syd, given that firefox-ui-tests and firefox-media-tests will live side-by-side also in Jenkins, I wonder if we should request a single client_id like mozauto.
:whimboo, that sounds good to me.
We'll also be using the client_id to track things like which submitters are using deprecated APIs etc, so as long as both of them will be using the same submission code etc that's fine, or if you think they might have different codepaths, then separate would be preferred.
Depends on: 1213857
Depends on: 1214613
Depends on: 1214618
We are probably going to need a separate client_id for the WebRTC tests as well.
Flags: needinfo?(spolk) → needinfo?(drno)
Flags: needinfo?(spolk)
I filed bug 1215566 for our submission of test reports for Firefox ui tests.
Flags: needinfo?(hskupin)
Depends on: 1216247
Depends on: 1217374
Depends on: 1217496
Depends on: 1217584
Created bug 1217584 for the WebRTC test lab setup.
Flags: needinfo?(drno)
Nils in handling the WebRTC case. Maja is handling firefox-media-tests.
Flags: needinfo?(spolk)
Actually, I need to make these changes for firefox-media-tests, per conversation with :maja_zf.
Flags: needinfo?(spolk)
Depends on: 1218222
I'll work on updating Autophone in Bug 1218222
Flags: needinfo?(bob)
Taskcluster is having strange intermittent errors submitting to some endpoints, so to debug I've increased the log level on Heroku by deploying a custom branch (auto-deploy is disabled): https://github.com/mozilla/treeherder/compare/debug-hawk Their submission code: https://github.com/mozilla/treeherder-node/pull/6/files I've added credentials there for taskcluster, which are now being used to submit there. Since the logs are so verbose, I've also disabled celery beat on heroku to stop the noise from treeherder's own tasks. Example error we were seeing on stage: https://emorley.pastebin.mozilla.org/8851124 And the corresponding log from the client's perspective: https://papertrailapp.com/systems/mozilla-taskcluster-staging/events?r=597945745139871752-597945819064479752 We now need to look for equivalents in the debug output on heroku here: https://papertrailapp.com/systems/treeherder/events
(In reply to Ed Morley [:emorley] from comment #12) > An occurrence is here: > https://papertrailapp.com/systems/treeherder/events?q=program%3Aapp%2Fweb. > 1&centered_on_id=597961838482993190 Corresponding TC log: https://papertrailapp.com/systems/mozilla-taskcluster-staging/events?r=597961826122379271-597961844371795999
The issue described above was related to encoding of the payload when calculating the authorization header. mohawk automatically takes care of utf8 encoding it when sending a hawk request, and also uses utf8 when calculating the payload hash when authorizing a request as well. The node hawk client does not have such an automatic enforcement. It appears that utf8 is the standard encoding to use, and a code comment is in the hawk code saying it should be utf8 encoding. emorley opened up an issue for the node hawk library to clarify this in the documentation. Unfortunately the error returned by mohawk is not clear what the problem is other than the mac was incorrect. Looking at the reference implementation even if the calcualted payload hash is different, it should not cause an issue during MAC validation because the payload hash sent should be used while calculating the MAC to compare. This is not the case in mohawk as it calculates the payload hash itself (encoding the payload as utf8) and using that to construct the MAC for comparison. This differs from the reference implementation as well as hides an obscure bug.
Flags: needinfo?(garndt)
Also, an issue was opened for mohawk about this.
(In reply to Greg Arndt [:garndt] from comment #15) > Also, an issue was opened for mohawk about this. Thank you :-) (is at https://github.com/kumar303/mohawk/issues/15) The issue I opened against the hawk docs to make it clearer that the body should be UTF8 encoded is: https://github.com/hueniverse/hawk/issues/152
(To be clear for others CCed: only those using the nodejs hawk client need to manually UTF8 encode the body, the python client is fine)
mozauto client_id created in both treeherder.mozilla.org and treeherder.allizom.org by others. This is what firefox-media-tests will use.
Flags: needinfo?(spolk)
Blocks: 1217955
No longer depends on: 1217955
(Bug 1217955 blocks the task of moving all submitters to hawk; so it blocks this bug rather than depending on it. If you'd like a bug to depend on, the credentials were created in bug 1215566.)
No longer blocks: 1217955
Depends on: 1217955
Depends on: 1221647
Depends on: 1225220
Depends on: 1225597
No longer depends on: 1225220
Depends on: 1230244
There are now no submitters when I grep the prod/stage gunicorn logs and also on: https://insights.newrelic.com/accounts/677903/explorer?eventType=Transaction&timerange=day&facet=request.parameters.oauth_consumer_key
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.