Closed
Bug 1254759
Opened 8 years ago
Closed 8 years ago
Unnamed temp credentials with issuerId seem not to respect scope expansion
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: pmoore, Assigned: pmoore)
References
Details
This was an HTTP request made:
POST /v1/task/Z_ZL1B1BQZWaGF8BWjG27A/define HTTP/1.1
Host: queue.taskcluster.net
Authorization: Hawk id="garbage/BIvlCDrWRQKZYQYsuOdkWA", mac="*****", ts="1457479789", nonce="*****", ext="*****"
Content-Type: application/json
{
"provisionerId": "win-provisioner",
"workerType": "win2008-worker",
"schedulerId": "go-test-test-scheduler",
"taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
"routes": [
"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
],
"priority": "high",
"retries": 5,
"created": "2016-03-08T23:29:49.159Z",
"deadline": "2016-03-09T23:29:49.159Z",
"expires": "2016-03-09T23:29:49.159Z",
"scopes": [
"test-worker:image:toastposter/pumpkin:0.5.6"
],
"payload": {
"features": {
"relengApiProxy": true
}
},
"metadata": {
"description": "Stuff",
"name": "[TC] Pete",
"owner": "pmoore@mozilla.com",
"source": "http://everywhere.com/"
},
"tags": {
"createdForUser": "cbook@mozilla.com"
},
"extra": {
"index": {
"rank": 12345
}
}
}
This is the decoded (and formatted and obfuscated) ext value in the Authorization header:
{
"certificate":{
"version":1,
"scopes":[
"auth:azure-table-access:fakeaccount/DuMmYtAbLe",
"queue:define-task:win-provisioner/win2008-worker",
"queue:get-artifact:private/build/sources.xml",
"queue:route:tc-treeherder.mozilla-inbound.*",
"queue:route:tc-treeherder-stage.mozilla-inbound.*",
"queue:task-priority:high",
"test-worker:image:toastposter/pumpkin:0.5.6"
],
"start":1457479489159,
"expiry":1457483389159,
"seed":"*****",
"signature":"*****",
"issuer":"mozilla-ldap/pmoore@mozilla.com/dev"
}
}
The HTTP response received was:
{
"code": "AuthenticationFailed",
"message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\n----\nerrorCode: AuthenticationFailed\nstatusCode: 401\nrequestInfo:\n method: defineTask\n params: {\"taskId\":\"Z_ZL1B1BQZWaGF8BWjG27A\"}\n payload: {\n \"provisionerId\": \"win-provisioner\",\n \"workerType\": \"win2008-worker\",\n \"schedulerId\": \"go-test-test-scheduler\",\n \"taskGroupId\": \"OtioOl9VSY2hDOipuh4HXA\",\n \"routes\": [\n \"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\",\n \"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\"\n ],\n \"priority\": \"high\",\n \"retries\": 5,\n \"created\": \"2016-03-08T23:29:49.159Z\",\n \"deadline\": \"2016-03-09T23:29:49.159Z\",\n \"expires\": \"2016-03-09T23:29:49.159Z\",\n \"scopes\": [\n \"test-worker:image:toastposter/pumpkin:0.5.6\"\n ],\n \"payload\": {\n \"features\": {\n \"relengApiProxy\": true\n }\n },\n \"metadata\": {\n \"description\": \"Stuff\",\n \"name\": \"[TC] Pete\",\n \"owner\": \"pmoore@mozilla.com\",\n \"source\": \"http://everywhere.com/\"\n },\n \"tags\": {\n \"createdForUser\": \"cbook@mozilla.com\"\n },\n \"extra\": {\n \"index\": {\n \"rank\": 12345\n }\n }\n}\n time: 2016-03-08T23:29:49.258Z\ndetails:\n{\n \"status\": \"auth-failed\",\n \"message\": \"ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\"\n}",
"requestInfo": {
"method": "defineTask",
"params": {
"taskId": "Z_ZL1B1BQZWaGF8BWjG27A"
},
"payload": {
"provisionerId": "win-provisioner",
"workerType": "win2008-worker",
"schedulerId": "go-test-test-scheduler",
"taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
"routes": [
"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
],
"priority": "high",
"retries": 5,
"created": "2016-03-08T23:29:49.159Z",
"deadline": "2016-03-09T23:29:49.159Z",
"expires": "2016-03-09T23:29:49.159Z",
"scopes": [
"test-worker:image:toastposter/pumpkin:0.5.6"
],
"payload": {
"features": {
"relengApiProxy": true
}
},
"metadata": {
"description": "Stuff",
"name": "[TC] Pete",
"owner": "pmoore@mozilla.com",
"source": "http://everywhere.com/"
},
"tags": {
"createdForUser": "cbook@mozilla.com"
},
"extra": {
"index": {
"rank": 12345
}
}
},
"time": "2016-03-08T23:29:49.258Z"
},
"details": {
"status": "auth-failed",
"message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
}
}
The formatted message looks like:
ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes
----
errorCode: AuthenticationFailed
statusCode: 401
requestInfo:
method: defineTask
params: {"taskId":"Z_ZL1B1BQZWaGF8BWjG27A"}
payload: {
"provisionerId": "win-provisioner",
"workerType": "win2008-worker",
"schedulerId": "go-test-test-scheduler",
"taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
"routes": [
"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
],
"priority": "high",
"retries": 5,
"created": "2016-03-08T23:29:49.159Z",
"deadline": "2016-03-09T23:29:49.159Z",
"expires": "2016-03-09T23:29:49.159Z",
"scopes": [
"test-worker:image:toastposter/pumpkin:0.5.6"
],
"payload": {
"features": {
"relengApiProxy": true
}
},
"metadata": {
"description": "Stuff",
"name": "[TC] Pete",
"owner": "pmoore@mozilla.com",
"source": "http://everywhere.com/"
},
"tags": {
"createdForUser": "cbook@mozilla.com"
},
"extra": {
"index": {
"rank": 12345
}
}
}
time: 2016-03-08T23:29:49.258Z
details:
{
"status": "auth-failed",
"message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
}
This appears to be a bug, since defineTask requires:
* queue:define-task:<provisionerId>/<workerType>, or
* queue:create-task:<provisionerId>/<workerType>, or
* (queue:define-task:<provisionerId>/<workerType> and queue:task-group-id:<schedulerId>/<taskGroupId>)
and clientId `mozilla-ldap/pmoore@mozilla.com/dev` has "queue:*"
and the unnamed temporary credentials of the request have "queue:define-task:win-provisioner/win2008-worker"
|
||
Comment 1•8 years ago
|
||
The issuer, mozilla-ldap/pmoore@mozilla.com/dev, has assume:* auth:* aws-provisioner:* docker-worker:* hooks:* index:* project:* purge-cache:* queue:* scheduler:* secrets:* but the temporary credentials specify "auth:azure-table-access:fakeaccount/DuMmYtAbLe", "queue:define-task:win-provisioner/win2008-worker", "queue:get-artifact:private/build/sources.xml", "queue:route:tc-treeherder.mozilla-inbound.*", "queue:route:tc-treeherder-stage.mozilla-inbound.*", "queue:task-priority:high", "test-worker:image:toastposter/pumpkin:0.5.6" and the issuer doesn't satisfy test-worker:image:toastposter/pumpkin:0.5.6
Assignee: nobody → pmoore
|
Assignee | |
Comment 2•8 years ago
|
||
Whoops, thanks Dustin!
|
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
|
||
Updated•5 years ago
|
Component: Authentication → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•