Closed
Bug 1254759
Opened 8 years ago
Closed 8 years ago
Unnamed temp credentials with issuerId seem not to respect scope expansion
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: pmoore, Assigned: pmoore)
This was an HTTP request made:

POST /v1/task/Z_ZL1B1BQZWaGF8BWjG27A/define HTTP/1.1
Host: queue.taskcluster.net
Authorization: Hawk id="garbage/BIvlCDrWRQKZYQYsuOdkWA", mac="*****", ts="1457479789", nonce="*****", ext="*****"
Content-Type: application/json

{
  "provisionerId": "win-provisioner",
  "workerType": "win2008-worker",
  "schedulerId": "go-test-test-scheduler",
  "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
  "routes": [
    "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
    "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
  ],
  "priority": "high",
  "retries": 5,
  "created": "2016-03-08T23:29:49.159Z",
  "deadline": "2016-03-09T23:29:49.159Z",
  "expires": "2016-03-09T23:29:49.159Z",
  "scopes": [
    "test-worker:image:toastposter/pumpkin:0.5.6"
  ],
  "payload": {
    "features": {
      "relengApiProxy": true
    }
  },
  "metadata": {
    "description": "Stuff",
    "name": "[TC] Pete",
    "owner": "pmoore@mozilla.com",
    "source": "http://everywhere.com/"
  },
  "tags": {
    "createdForUser": "cbook@mozilla.com"
  },
  "extra": {
    "index": {
      "rank": 12345
    }
  }
}

This is the decoded (and formatted and obfuscated) ext value in the Authorization header:

{
  "certificate": {
    "version": 1,
    "scopes": [
      "auth:azure-table-access:fakeaccount/DuMmYtAbLe",
      "queue:define-task:win-provisioner/win2008-worker",
      "queue:get-artifact:private/build/sources.xml",
      "queue:route:tc-treeherder.mozilla-inbound.*",
      "queue:route:tc-treeherder-stage.mozilla-inbound.*",
      "queue:task-priority:high",
      "test-worker:image:toastposter/pumpkin:0.5.6"
    ],
    "start": 1457479489159,
    "expiry": 1457483389159,
    "seed": "*****",
    "signature": "*****",
    "issuer": "mozilla-ldap/pmoore@mozilla.com/dev"
  }
}

The HTTP response received was:

{
  "code": "AuthenticationFailed",
  "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\n----\nerrorCode: AuthenticationFailed\nstatusCode: 401\nrequestInfo:\n method: defineTask\n params: {\"taskId\":\"Z_ZL1B1BQZWaGF8BWjG27A\"}\n payload: {\n \"provisionerId\": \"win-provisioner\",\n \"workerType\": \"win2008-worker\",\n \"schedulerId\": \"go-test-test-scheduler\",\n \"taskGroupId\": \"OtioOl9VSY2hDOipuh4HXA\",\n \"routes\": [\n \"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\",\n \"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\"\n ],\n \"priority\": \"high\",\n \"retries\": 5,\n \"created\": \"2016-03-08T23:29:49.159Z\",\n \"deadline\": \"2016-03-09T23:29:49.159Z\",\n \"expires\": \"2016-03-09T23:29:49.159Z\",\n \"scopes\": [\n \"test-worker:image:toastposter/pumpkin:0.5.6\"\n ],\n \"payload\": {\n \"features\": {\n \"relengApiProxy\": true\n }\n },\n \"metadata\": {\n \"description\": \"Stuff\",\n \"name\": \"[TC] Pete\",\n \"owner\": \"pmoore@mozilla.com\",\n \"source\": \"http://everywhere.com/\"\n },\n \"tags\": {\n \"createdForUser\": \"cbook@mozilla.com\"\n },\n \"extra\": {\n \"index\": {\n \"rank\": 12345\n }\n }\n}\n time: 2016-03-08T23:29:49.258Z\ndetails:\n{\n \"status\": \"auth-failed\",\n \"message\": \"ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\"\n}",
  "requestInfo": {
    "method": "defineTask",
    "params": {
      "taskId": "Z_ZL1B1BQZWaGF8BWjG27A"
    },
    "payload": {
      "provisionerId": "win-provisioner",
      "workerType": "win2008-worker",
      "schedulerId": "go-test-test-scheduler",
      "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
      "routes": [
        "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
        "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
      ],
      "priority": "high",
      "retries": 5,
      "created": "2016-03-08T23:29:49.159Z",
      "deadline": "2016-03-09T23:29:49.159Z",
      "expires": "2016-03-09T23:29:49.159Z",
      "scopes": [
        "test-worker:image:toastposter/pumpkin:0.5.6"
      ],
      "payload": {
        "features": {
          "relengApiProxy": true
        }
      },
      "metadata": {
        "description": "Stuff",
        "name": "[TC] Pete",
        "owner": "pmoore@mozilla.com",
        "source": "http://everywhere.com/"
      },
      "tags": {
        "createdForUser": "cbook@mozilla.com"
      },
      "extra": {
        "index": {
          "rank": 12345
        }
      }
    },
    "time": "2016-03-08T23:29:49.258Z"
  },
  "details": {
    "status": "auth-failed",
    "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
  }
}

The formatted message looks like:

ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes
----
errorCode: AuthenticationFailed
statusCode: 401
requestInfo:
 method: defineTask
 params: {"taskId":"Z_ZL1B1BQZWaGF8BWjG27A"}
 payload: {
  "provisionerId": "win-provisioner",
  "workerType": "win2008-worker",
  "schedulerId": "go-test-test-scheduler",
  "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
  "routes": [
    "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
    "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
  ],
  "priority": "high",
  "retries": 5,
  "created": "2016-03-08T23:29:49.159Z",
  "deadline": "2016-03-09T23:29:49.159Z",
  "expires": "2016-03-09T23:29:49.159Z",
  "scopes": [
    "test-worker:image:toastposter/pumpkin:0.5.6"
  ],
  "payload": {
    "features": {
      "relengApiProxy": true
    }
  },
  "metadata": {
    "description": "Stuff",
    "name": "[TC] Pete",
    "owner": "pmoore@mozilla.com",
    "source": "http://everywhere.com/"
  },
  "tags": {
    "createdForUser": "cbook@mozilla.com"
  },
  "extra": {
    "index": {
      "rank": 12345
    }
  }
}
 time: 2016-03-08T23:29:49.258Z
details:
{
  "status": "auth-failed",
  "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
}

This appears to be a bug, since defineTask requires:

* queue:define-task:<provisionerId>/<workerType>, or
* queue:create-task:<provisionerId>/<workerType>, or
* (queue:define-task:<provisionerId>/<workerType> and queue:task-group-id:<schedulerId>/<taskGroupId>)

and clientId `mozilla-ldap/pmoore@mozilla.com/dev` has "queue:*" and the unnamed temporary credentials of the request have "queue:define-task:win-provisioner/win2008-worker"
Comment 1•8 years ago
The issuer, mozilla-ldap/pmoore@mozilla.com/dev, has

  assume:*
  auth:*
  aws-provisioner:*
  docker-worker:*
  hooks:*
  index:*
  project:*
  purge-cache:*
  queue:*
  scheduler:*
  secrets:*

but the temporary credentials specify

  "auth:azure-table-access:fakeaccount/DuMmYtAbLe",
  "queue:define-task:win-provisioner/win2008-worker",
  "queue:get-artifact:private/build/sources.xml",
  "queue:route:tc-treeherder.mozilla-inbound.*",
  "queue:route:tc-treeherder-stage.mozilla-inbound.*",
  "queue:task-priority:high",
  "test-worker:image:toastposter/pumpkin:0.5.6"

and the issuer doesn't satisfy test-worker:image:toastposter/pumpkin:0.5.6
Assignee: nobody → pmoore
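The check that comment 1 walks through, as an added example that is not part of the bug report or Taskcluster's own code: every scope in the certificate must be covered by the issuer, with a trailing `*` acting as a prefix wildcard. The function names `scopeCovers`, `uncovered` and `checkCertificate` are hypothetical; the scope lists and the error text are copied from this bug.

```javascript
// Added illustration; function names are hypothetical, not Taskcluster's API.

// A granted scope covers a required scope when the two are identical, or when
// the granted scope ends in "*" and the required scope starts with its prefix.
function scopeCovers(granted, required) {
  if (granted === required) return true;
  return granted.endsWith('*') && required.startsWith(granted.slice(0, -1));
}

// Scopes in `required` that no scope in `granted` covers.
function uncovered(granted, required) {
  return required.filter(r => !granted.some(g => scopeCovers(g, r)));
}

// Temporary credentials are accepted only if the issuer covers EVERY scope
// listed in the certificate, whether or not the request needs that scope.
function checkCertificate(issuer, issuerScopes, certScopes) {
  const missing = uncovered(issuerScopes, certScopes);
  const ok = missing.length === 0;
  return {
    ok,
    missing,
    message: ok ? null
      : `ext.certificate issuer \`${issuer}\` doesn't have sufficient scopes`,
  };
}

// Values copied from the bug: issuer scopes (comment 1) and certificate scopes.
const ISSUER = 'mozilla-ldap/pmoore@mozilla.com/dev';
const ISSUER_SCOPES = [
  'assume:*', 'auth:*', 'aws-provisioner:*', 'docker-worker:*', 'hooks:*',
  'index:*', 'project:*', 'purge-cache:*', 'queue:*', 'scheduler:*', 'secrets:*',
];
const CERT_SCOPES = [
  'auth:azure-table-access:fakeaccount/DuMmYtAbLe',
  'queue:define-task:win-provisioner/win2008-worker',
  'queue:get-artifact:private/build/sources.xml',
  'queue:route:tc-treeherder.mozilla-inbound.*',
  'queue:route:tc-treeherder-stage.mozilla-inbound.*',
  'queue:task-priority:high',
  'test-worker:image:toastposter/pumpkin:0.5.6',
];

const result = checkCertificate(ISSUER, ISSUER_SCOPES, CERT_SCOPES);
console.log(result.message);
console.log('not covered by issuer:', result.missing);
// The scope defineTask needs IS covered by the certificate (empty list), yet
// the request fails because the certificate as a whole is rejected first.
console.log(uncovered(CERT_SCOPES, ['queue:define-task:win-provisioner/win2008-worker']));
```

Dropping `test-worker:image:toastposter/pumpkin:0.5.6` from the certificate, or granting the issuer a scope that covers it, makes `checkCertificate` return `ok: true`.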
Comment 2•8 years ago
Whoops, thanks Dustin!
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
Component: Authentication → Services