Closed
Bug 1214613
Opened 9 years ago
Closed 9 years ago
[mozilla-taskcluster] Submit to Treeherder's API using Hawk credentials
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: garndt, Assigned: garndt)
References
Details
With treeherder moving over to using hawk instead of oauth, mozilla-taskcluster needs to be changed to use the new method and credentials.
Client ids are mozilla-taskcluster-prod for production and mozilla-taskcluster-staging for staging.
Comment 1•9 years ago
|
||
Thank you for creating those/filing this.
I was thinking the usernames on stage/prod would typically be the same (we've used the same for treeherder's etl) - I'm open for either, but wondered if there was a use case I'd missed? :-)
Assignee | ||
Comment 2•9 years ago
|
||
My understanding was that we could track the requests being made on a per client-id basis. I would think we would want to separate out the requests made between the prod and staging environments, but if that's not possible or not a good reason to have separate creds, I'm ok with just creating one for mozilla-taskcluster and use it for both.
Assignee | ||
Comment 3•9 years ago
|
||
Also, this is for submitting things to the API. how would this tie into the work camd was doing to ingest via pulse?
Comment 4•9 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #2)
> My understanding was that we could track the requests being made on a per
> client-id basis. I would think we would want to separate out the requests
> made between the prod and staging environments
Stage and prod are completely different environments, so requests made to one would never appear in the logs for the other, so we can already differentiate between the two, without using difference usernames for each.
(In reply to Greg Arndt [:garndt] from comment #3)
> Also, this is for submitting things to the API. how would this tie into the
> work camd was doing to ingest via pulse?
I'm not sure really, but the pulse work is a way out, whereas we need people to switch away from oauth sooner.
Assignee | ||
Comment 5•9 years ago
|
||
Thanks Ed, I have created 'mozilla-taskcluster' on both staging and prod.
Comment 6•9 years ago
|
||
Thanks - have approved both.
For people using the Python client, we've already added handling, but for the nodejs client support needs adding:
https://github.com/hueniverse/hawk#usage-example
In the client example there, the credentials would be:
var credentials = {
id: 'mozilla-taskcluster',
key: '...',
algorithm: 'sha256'
}
Where the key is the secret shown to you when the keys were requested, or can be looked up at:
Stage: https://treeherder.allizom.org/credentials/
Prod: https://treeherder.mozilla.org/credentials/
...and then select the credential to view the details including secret.
Comment 7•9 years ago
|
||
It's worth also noting that the system clocks of the nodes making the submissions needs to be correct within 60s, otherwise authorisation will fail.
Comment 8•9 years ago
|
||
Auth currently occurs in this file:
https://github.com/mozilla/treeherder-node/blob/master/project.js
It instead needs to use the hawk npm package instead (see https://github.com/hueniverse/hawk#usage-example and scroll down a bit to the client example).
Also now that the credentials are per-user rather than per-project, I imagine it makes sense to break auth out of project.js at some point (though that can always happen later).
Assignee | ||
Comment 9•9 years ago
|
||
Assignee | ||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 10•9 years ago
|
||
Awesome, thank you! :-)
Comment 11•9 years ago
|
||
I'm seeing submissions using oauth on the /resultset/ endpoint on gaia and gaia-master, eg:
127.0.0.1 - - [10/Nov/2015:01:58:56 -0800] "POST /api/project/gaia/resultset/?oauth_body_hash=REDACTED&oauth_consumer_key=REDACTED&oauth_nonce=REDACTED&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1447149535&oauth_token=&oauth_version=1.0&user=treeherder-node%200.4.2&oauth_signature=REDACTED HTTP/1.1" 200 37 "-" "-"
127.0.0.1 - - [10/Nov/2015:02:06:33 -0800] "POST /api/project/gaia-master/resultset/?oauth_body_hash=REDACTED&oauth_consumer_key=REDACTED&oauth_nonce=REDACTED&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1447149993&oauth_token=&oauth_version=1.0&user=treeherder-node%200.4.2&oauth_signature=REDACTED HTTP/1.1" 200 37 "-" "-"
Do you know where this might be coming from? :-)
Status: RESOLVED → REOPENED
Flags: needinfo?(garndt)
Resolution: FIXED → ---
Assignee | ||
Comment 12•9 years ago
|
||
that is a different integration component than mozilla-taskcluster that's used for gaia integration. That's probably being done by 'gaia-taskcluster' https://github.com/taskcluster/gaia-taskcluster
This bug [1] was created to switch over gaia-taskcluster. No one really owns that component right now so I guess I'm going to be the winner of it :)
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1221647
Flags: needinfo?(garndt)
Comment 13•9 years ago
|
||
Ah thank you - I had a rummage around the taskcluster github org, but there are so many repos it's hard to know where to start (or to search). (One advantage of unified repos at least :-))
I'll close this out in favour of bug 1221647.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Component: Integration → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•