Closed Bug 1218555 Opened 9 years ago Closed 9 years ago

Limit scopes for index.taskcluster.net

Categories

(Taskcluster :: Services, defect)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

yMbwoZvhRout3T_Fr7h4Ng - ### Imported: index.taskcluster.net
                         Credentails for `index.taskcluster.net`
    *

That's too broad.  Figure out what API calls index is making (if any) and set up scopes for those calls.
Agree... It does forward requests for artifacts...

Note: I changed it to use tc-index yesterday.
Yep, my read says it only needs queue:get-artifact:* (since it builds signed URLs for queue.getLatestArtifact).  Concur?  Anything else I could do to verify that before cutting it down?
Flags: needinfo?(jopsen)
Also needs azure table access, so:
  queue:get-artifact:*
  auth:azure-table-access:taskclusterindexv1/IndexedTasks
  auth:azure-table-access:taskclusterindexv1/Namespaces

The component uses these to get temp SAS creds from auth, so it doesn't actually have Azure credentials hardcoded into its Heroku config (this is very nice, and reduces both config and attack surface).
Flags: needinfo?(jopsen)
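
Added example, not part of the original bug comments or Taskcluster's own code: a check that the narrowed scope set listed above still covers what the index needs and no longer satisfies unrelated scopes, assuming Taskcluster's rule that a scope ending in `*` satisfies any scope sharing that prefix. The probe scopes (the artifact name, `queue:create-task:...`, and the other table and account names) are constructed for illustration.

```javascript
// Added example: the three narrowed scopes come from the bug; probe scopes are constructed.

// True when one granted scope satisfies a required scope: exact match, or the
// granted scope ends in '*' and the required scope starts with its prefix.
function satisfies(granted, required) {
  if (granted === required) return true;
  return granted.endsWith('*') && required.startsWith(granted.slice(0, -1));
}

// True when any scope in the granted set satisfies the required scope.
function setSatisfies(grantedSet, required) {
  return grantedSet.some((g) => satisfies(g, required));
}

// Audit a scope set: which needed scopes it fails to cover (missing) and
// which scopes it should not hold but still satisfies (excess).
function auditScopes(grantedSet, needed, forbidden) {
  return {
    missing: needed.filter((s) => !setSatisfies(grantedSet, s)),
    excess: forbidden.filter((s) => setSatisfies(grantedSet, s)),
  };
}

const before = ['*']; // the original grant
const after = [
  'queue:get-artifact:*',
  'auth:azure-table-access:taskclusterindexv1/IndexedTasks',
  'auth:azure-table-access:taskclusterindexv1/Namespaces',
];

// Constructed probes: what the service must do, and what it must not.
const needed = [
  'queue:get-artifact:public/build/target.tar.gz',
  'auth:azure-table-access:taskclusterindexv1/IndexedTasks',
  'auth:azure-table-access:taskclusterindexv1/Namespaces',
];
const forbidden = [
  'queue:create-task:example-provisioner/example-worker',
  'auth:azure-table-access:taskclusterindexv1/SomeOtherTable',
  'auth:azure-table-access:otheraccount/IndexedTasks',
];

console.log('before:', auditScopes(before, needed, forbidden));
console.log('after: ', auditScopes(after, needed, forbidden));
```
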
landed
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Component: Authentication → Services