Bug 1312915 (Closed): Create a "sudo" mechanism to allow deliberate, MFA-protected access to administrative scopes
Opened 8 years ago; closed 8 years ago
Categories: Taskcluster Graveyard :: Discussion, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: dustin; Unassigned
Details
Background in this thread:
https://groups.google.com/forum/#!topic/mozilla.tools.taskcluster/MYuODP1r81Y
The general idea is a "sudo:...:<scope>" scope which can, via authenticating to the login service and providing MFA, be exchanged for credentials with elevated scopes matching the sudo scopes.
The advantages are:
- admins must deliberately request these scopes (by name - you don't automatically get all of the sudo scopes)
- resulting credentials can be very short-lived (hours)
- the escalation operation can be logged, notified via pulse, and/or alerted on
- it's clear in the scope explorer who has only *administrative* access to certain scopes, vs. "regular" access
- useful for other teams, not just us
- we get MFA without relying on Auth0/Okta
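A sketch of the exchange described above, added here as an illustration rather than Taskcluster's own code. It assumes the scope form `sudo:<scope>` (the thread leaves the middle segment of `sudo:...:<scope>` unspecified), Taskcluster-style trailing-`*` prefix wildcards, and an in-memory list standing in for the pulse notification or alert; all scope names are constructed.

```python
"""Sketch of a 'sudo scope' exchange (illustration only, not Taskcluster's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SUDO_PREFIX = "sudo:"              # assumed form "sudo:<scope>"; the thread leaves the middle segment open
MAX_LIFETIME = timedelta(hours=4)  # "very short-lived (hours)"
AUDIT_LOG = []                     # stands in for the pulse notification / alerting the thread mentions


def scope_satisfies(held: str, wanted: str) -> bool:
    """Taskcluster-style satisfaction: exact match, or a trailing '*' on the held scope is a prefix wildcard."""
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted


@dataclass
class SudoCredentials:
    scopes: list
    issued: datetime
    expires: datetime


def sudo_exchange(held_scopes, requested_scopes, mfa_verified, now=None, lifetime=MAX_LIFETIME):
    """Exchange held sudo:<scope> scopes for short-lived credentials carrying exactly <scope>.

    Each elevated scope must be requested by name (no 'give me all my sudo scopes') and be
    covered by a sudo: scope the caller already holds; MFA is mandatory; the result is
    time-limited and the escalation is recorded.
    """
    now = now or datetime.now(timezone.utc)
    if not mfa_verified:
        raise PermissionError("MFA is required to exchange sudo scopes")
    if not requested_scopes:
        raise ValueError("request the elevated scopes explicitly, by name")
    if not timedelta(0) < lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime must be positive and at most {MAX_LIFETIME}")
    sudo_grants = [h[len(SUDO_PREFIX):] for h in held_scopes if h.startswith(SUDO_PREFIX)]
    for wanted in requested_scopes:
        if wanted.startswith(SUDO_PREFIX):
            raise PermissionError("sudo: scopes themselves cannot be obtained by exchange")
        if not any(scope_satisfies(granted, wanted) for granted in sudo_grants):
            raise PermissionError(f"no sudo scope authorizes {wanted!r}")
    expires = now + lifetime
    AUDIT_LOG.append({"event": "sudo-exchange", "scopes": list(requested_scopes),
                      "expires": expires.isoformat()})
    return SudoCredentials(scopes=list(requested_scopes), issued=now, expires=expires)
```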
Comment 1 (Reporter) • 8 years ago
We talked about this briefly at dinner last night, and decided that the costs in terms of complexity mean that we should not do this right now. I did forget to mention some of the advantages above, though.
The immediate need is that we not be doing day-to-day operations with `assume:*`, as it's too easy for us to accidentally cause major damage, either to our own systems or to releng, nss, servo, etc -- we're basically root at all of those.
The alternative is to reduce our LDAP-associated scopes, and instead create "permacreds" that we can use for our administrative needs. We will need some support in the tools interface for storing both "normal" and admin credentials and flipping between them without copy/pasting credentials.
Updated (Reporter) • 8 years ago
Assignee: dustin → nobody
Component: Authentication → Discussion
Comment 2 (Reporter) • 8 years ago
I think this will get folded into https://github.com/taskcluster/taskcluster-rfcs/issues/45
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 3 • 7 years ago
Updated • 7 years ago
Product: Taskcluster → Taskcluster Graveyard