Given a scope, optionally with a trailing '*', it should be possible to find all roles that provide that scope either directly or indirectly via expanded scopes. Personally I prefer creating an endpoint to provide this functionality so that tools can use this feature, rather than just interactive users via a web interface. Also, creating an endpoint rather than a client-side tool means the implementation can be much more efficient than requiring all roles to be transmitted over HTTP and scopes expanded. Lastly, it encourages consistency, since there would be only one canonical implementation. Ideally we'd create an endpoint that takes a list of scopes and, for each scope provided, returns a list of roles that satisfy that scope. We should also then provide a means to hit this endpoint via the tools.taskcluster.net web interface on the roles page.
I don't think this should be in the auth service -- it's complicated enough already, and all of the information required to determine this is already easily available. I think this should be implemented client-side, preferably in tcadmin. Something like: tcadmin has-scope 'aws-provisioner:manage-worker-type:garbage-*'. Ideally this would scan both clients and roles. The listRoles endpoint provides expanded role scopes, making this pretty lightweight. There's some complexity with the implementation, and a little ambiguity of meaning around * expansion in roles, but nothing too difficult.
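The lookup both comments describe (a query scope, possibly ending in '*', mapped to the roles whose expanded scopes satisfy it) as an added example; this is not tcadmin's or the auth service's code. It assumes the role records look like the output of listRoles (a roleId plus an expandedScopes list) and uses the Taskcluster satisfaction rule that a held scope ending in '*' grants any scope starting with the text before the '*'. The role data below is constructed for the example. Note the '*' ambiguity the second comment mentions: a query ending in '*' asks for the whole family, so a role holding only one concrete member (garbage-foo) does not satisfy garbage-*, while a role holding a broader '*' scope does.

```python
"""Map required scopes to the roles that satisfy them, client-side,
over expanded role scopes (example code; assumes listRoles-style records)."""
from typing import Dict, List


def scope_satisfies(held: str, required: str) -> bool:
    """Taskcluster satisfaction rule: a held scope grants a required scope
    if they are equal, or the held scope ends in '*' and the required scope
    starts with everything before that '*'. A required scope may itself end
    in '*'; it is then only granted by a held '*' scope whose prefix covers
    the entire family, never by a single concrete scope inside it."""
    if held == required:
        return True
    return held.endswith("*") and required.startswith(held[:-1])


def roles_satisfying(required: str, roles: List[Dict]) -> List[str]:
    """Role IDs (sorted) whose expanded scopes satisfy the required scope.
    Expanded scopes already include everything gained via assume:* roles,
    so no further expansion is needed here."""
    return sorted(
        role["roleId"]
        for role in roles
        if any(scope_satisfies(s, required) for s in role["expandedScopes"])
    )


def roles_for_scopes(required_scopes: List[str], roles: List[Dict]) -> Dict[str, List[str]]:
    """The endpoint shape proposed in the first comment: one list of roles
    per queried scope."""
    return {scope: roles_satisfying(scope, roles) for scope in required_scopes}


# Constructed sample roles in the shape listRoles returns (assumption: roleId
# and expandedScopes are the relevant fields).
SAMPLE_ROLES = [
    {"roleId": "hook-id:garbage/*",
     "expandedScopes": ["aws-provisioner:manage-worker-type:garbage-*",
                        "assume:hook-id:garbage/*"]},
    {"roleId": "project-admin:foo",
     "expandedScopes": ["aws-provisioner:manage-worker-type:garbage-foo",
                        "queue:create-task:foo/*"]},
    {"roleId": "everybody",
     "expandedScopes": ["aws-provisioner:*"]},
    {"roleId": "worker-admin",
     "expandedScopes": ["aws-provisioner:manage-worker-type:prod"]},
]


if __name__ == "__main__":
    queries = [
        "aws-provisioner:manage-worker-type:garbage-*",
        "aws-provisioner:manage-worker-type:garbage-foo",
        "queue:create-task:foo/build",
    ]
    for scope, matching in roles_for_scopes(queries, SAMPLE_ROLES).items():
        print(f"{scope}\n  -> {matching}")
```

The defender-relevant check here is the direction of the prefix test: a role's concrete scope must never be treated as covering a '*' query, otherwise an audit of "who can manage every garbage-* worker type" would overstate the answer with roles that only hold one member.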
It looks like https://tools.taskcluster.net/auth/scopes/ provides this?
Indeed, good eye!
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED