Closed
Bug 1256387
Opened 8 years ago
Closed 6 years ago
introduce auth:manage-scope:<scope>
Categories
(Taskcluster :: Services, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: jonasfj, Unassigned)
Details
Scope: "auth:manage-scope:<scope>"

Concept: Grants authority to manage a scope namespace

Actions:
- Add/remove <scope> and/or auth:manage-scope:<scope> to/from any role
- Add/remove <scope> and/or auth:manage-scope:<scope> to/from any client

Use-case: We can give people pieces of scoped authority that we entrust them to manage and delegate to other people.

Examples:
- releng gets: "auth:manage-scope:releng-api:*"
- ateam gets: "auth:manage-scope:treeherder:*"
- releng gets: "auth:manage-scope:signing:*"
- releng gets: "auth:manage-scope:funsize:*"
- releng gets: "auth:manage-scope:queue:route:index.gecko.v2.*"

With this pattern people or groups of people get:
* the privilege of being able to delegate scopes, and
* the responsibility of having to revoke them from people too.

The real argument is TC admins shouldn't use their * scope to grant people access to a service like balrog.

For details see: https://public.etherpad-mozilla.org/p/jonasfj-auth-delegation-project-roles-rambling
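An added illustration, not part of the bug report and not Taskcluster code: one way the proposed rule could decide which scope changes to a role or client a delegate is allowed to make. It assumes Taskcluster's trailing-`*` prefix matching for scopes; the function names and the role contents are hypothetical.

```javascript
// Added example: one reading of the proposed auth:manage-scope:<scope> rule.
// All function names are hypothetical; role contents below are constructed.
const MANAGE = 'auth:manage-scope:';

// Assumed Taskcluster matching: a held scope ending in "*" covers every scope
// that starts with the text before the star; any other scope matches exactly.
function satisfies(held, wanted) {
  return held.endsWith('*')
    ? wanted.startsWith(held.slice(0, -1))
    : held === wanted;
}

// The proposal lets a manager hand out <scope> or auth:manage-scope:<scope>,
// so one leading manage prefix is stripped before building the requirement.
function canManage(callerScopes, scope) {
  const target = scope.startsWith(MANAGE) ? scope.slice(MANAGE.length) : scope;
  return callerScopes.some((held) => satisfies(held, MANAGE + target));
}

// Scopes added to or removed from a role/client that the caller may not touch.
function deniedChanges(callerScopes, before, after) {
  const added = after.filter((s) => !before.includes(s));
  const removed = before.filter((s) => !after.includes(s));
  return [...added, ...removed].filter((s) => !canManage(callerScopes, s));
}

// Constructed input: releng holds two of the grants listed in the description.
const releng = ['auth:manage-scope:releng-api:*', 'auth:manage-scope:signing:*'];
const roleBefore = ['releng-api:tooltool:download', 'treeherder:push'];
const roleAfter = [
  'treeherder:push',                      // unchanged, never checked
  'releng-api:*',                         // inside releng's namespace
  'auth:manage-scope:signing:nightly',    // delegating management onward
  'queue:route:index.gecko.v2.try',       // not among the two grants held here
  'releng-*',                             // wider than the managed prefix
];

console.log(deniedChanges(releng, roleBefore, roleAfter));
```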
Comment 1•6 years ago
I think this has been superseded by some further thinking on role granting. At any rate, that deserves an RFC.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Updated•5 years ago
Component: Authentication → Services