introduce auth:manage-scope:<scope>

RESOLVED INVALID

3 years ago
10 months ago

People

(Reporter: jonasfj, Unassigned)

Description

3 years ago
Scope:   "auth:manage-scope:<scope>"
Concept: Grants authority to manage a scope namespace
Actions:
  - Add/remove <scope> and/or auth:manage-scope:<scope> to/from any role
  - Add/remove <scope> and/or auth:manage-scope:<scope> to/from any client
Use-case:
    We can give people pieces of scoped authority that we entrust them to manage
    and delegate to other people.
    Examples:
    - releng gets: "auth:manage-scope:releng-api:*"
    - ateam gets:  "auth:manage-scope:treeherder:*"
    - releng gets: "auth:manage-scope:signing:*"
    - releng gets: "auth:manage-scope:funsize:*"
    - releng gets: "auth:manage-scope:queue:route:index.gecko.v2.*"
With this pattern people or groups of people get:
  * the privilege of being able to delegate scopes, and
  * the responsibility of having to revoke them from people too.

The real argument is TC admins shouldn't use their * scope to grant people
access to a service like balrog.

For details see:
https://public.etherpad-mozilla.org/p/jonasfj-auth-delegation-project-roles-rambling
I think this has been superseded by some further thinking on role granting.  At any rate, that deserves an RFC.
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → INVALID
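
The authorization check the description proposes, as an added sketch that is not part of the bug and not Taskcluster's code: may a caller add or remove a given scope on a role or client? It assumes a held scope ending in `*` satisfies any scope sharing that prefix; the function names and the sample target scopes are hypothetical.

```javascript
// Added sketch of the check proposed in this bug; not Taskcluster code.
const MANAGE_PREFIX = 'auth:manage-scope:';

// Assumption: a held scope ending in '*' satisfies any scope that starts
// with the text before the '*'; otherwise scopes must match exactly.
function satisfies(held, required) {
  if (held.endsWith('*')) {
    return required.startsWith(held.slice(0, -1));
  }
  return held === required;
}

// The manage scope a caller needs before adding or removing `target`.
// Per the description, auth:manage-scope:<scope> covers both <scope> and
// auth:manage-scope:<scope> itself, so one leading prefix is stripped.
function requiredManageScope(target) {
  const base = target.startsWith(MANAGE_PREFIX)
    ? target.slice(MANAGE_PREFIX.length)
    : target;
  return MANAGE_PREFIX + base;
}

function canManage(callerScopes, target) {
  const needed = requiredManageScope(target);
  return callerScopes.some((held) => satisfies(held, needed));
}

// Constructed sample: three of the releng grants listed in the description.
const releng = [
  'auth:manage-scope:releng-api:*',
  'auth:manage-scope:signing:*',
  'auth:manage-scope:queue:route:index.gecko.v2.*',
];

// Constructed target scopes, each paired with the decision for releng.
function demo() {
  return [
    'releng-api:tooltool:upload',              // inside releng-api:*
    'auth:manage-scope:releng-api:tooltool:*', // delegating management onward
    'releng-*',                                // wider than what releng manages
    'treeherder:push',                         // ateam's namespace
    'queue:route:index.gecko.v2.mozilla-central.latest',
    'queue:route:index.*',                     // wildcard wider than the grant
  ].map((target) => [target, canManage(releng, target)]);
}

console.log(demo());
```

A wildcard target is allowed only when it stays inside a managed namespace, so a delegate cannot hand out a scope broader than the one it was entrusted with.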