Create a "sudo" mechanism to allow deliberate, MFA-protected access to administrative scopes



2 years ago
4 months ago


(Reporter: dustin, Unassigned)



Background in this thread:!topic/

The general idea is a "sudo:...:<scope>" scope which can, via authenticating to the login service and providing MFA, be exchanged for credentials with elevated scopes matching the sudo scopes.

The advantages are:

 - admins must deliberately request these scopes (by name - you don't automatically get all of the sudo scopes)
 - resulting credentials can be very short-lived (hours)
 - the escalation operation can be logged, notified via pulse, and/or alerted on
 - it's clear in the scope explorer who has only *administrative* access to certain scopes, vs. "regular" access
 - useful for other teams, not just us
 - we get MFA without relying on Auth0/Okta

We talked about this briefly at dinner last night, and decided that the costs in terms of complexity mean that we should not do this right now. I did forget to mention some of the advantages above, though.

The immediate need is that we not be doing day-to-day operations with `assume:*`, as it's too easy for us to accidentally cause major damage, either to our own systems or to releng, nss, servo, etc -- we're basically root at all of those.

The alternative is to reduce our LDAP-associated scopes, and instead create "permacreds" that we can use for our administrative needs.  We will need some support in the tools interface for storing both "normal" and admin credentials and flipping between them without copy/pasting credentials.
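
The sudo-scope exchange proposed in the description above, as an added example that is not part of the original bug or Taskcluster's own code. The `exchangeSudo` function, the simplified `sudo:<scope>` shape (the bug's middle segment is left out), MFA being verified upstream by the login service, the two-hour lifetime cap and the sample client are all assumptions made for illustration.

```javascript
// Added sketch, not Taskcluster code. Assumptions: sudo scopes look like
// "sudo:<scope>", MFA has already been checked by the login service, and
// elevated credentials live for at most two hours.
const SUDO_PREFIX = 'sudo:';
const MAX_TTL_MS = 2 * 60 * 60 * 1000;

// Taskcluster-style scope satisfaction: a trailing "*" is a prefix match.
function satisfies(held, wanted) {
  return held.endsWith('*')
    ? wanted.startsWith(held.slice(0, -1))
    : held === wanted;
}

// Exchange explicitly named scopes for short-lived elevated credentials.
// Every decision is appended to `audit`, standing in for logging and alerting.
function exchangeSudo({clientId, scopes, requested, mfaVerified, ttlMs = MAX_TTL_MS, now = Date.now()}, audit = []) {
  const deny = reason => {
    audit.push({event: 'sudo-denied', clientId, requested, reason, at: now});
    return {ok: false, reason};
  };
  if (!mfaVerified) return deny('mfa-required');
  if (!Array.isArray(requested) || requested.length === 0) {
    return deny('no-scopes-named'); // nothing is granted implicitly
  }
  // Only scopes held under the sudo: prefix count as grants; ordinary
  // scopes (even broad ones) cannot be used to escalate.
  const grants = scopes
    .filter(s => s.startsWith(SUDO_PREFIX))
    .map(s => s.slice(SUDO_PREFIX.length));
  const uncovered = requested.filter(
    w => typeof w !== 'string' || !grants.some(g => satisfies(g, w)));
  if (uncovered.length > 0) return deny('not-granted: ' + uncovered.join(', '));

  const expires = now + Math.min(ttlMs, MAX_TTL_MS); // cap caller-chosen lifetime
  audit.push({event: 'sudo-granted', clientId, scopes: requested, expires, at: now});
  return {ok: true, credentials: {clientId, scopes: [...requested], expires}};
}

// Constructed sample client: day-to-day scopes plus two sudo grants.
const sampleClient = {
  clientId: 'example-admin',
  scopes: ['queue:create-task:*', 'sudo:assume:project-admin:nss', 'sudo:auth:create-client:*'],
};
```
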
Assignee: dustin → nobody
Component: Authentication → Discussion
I think this will get folded into
Last Resolved: 2 years ago
Resolution: --- → FIXED


4 months ago
Product: Taskcluster → Taskcluster Graveyard