Closed Bug 1341797 Opened 9 years ago Closed 6 years ago

per-branch credentials

Categories

(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3)

Product:
Release Engineering Graveyard
Component:
Applications: Balrog (backend)
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mozilla, Unassigned)

References

Details

(Whiteboard: [lang=python][ready])

In buildbot-land, we had production balrog creds and non-production balrog creds, and production balrog creds could do anything with balrog's api. In TC scriptworker, we're trying to restrict behaviors based on scopes and CoT. For instance, beetmover release shouldn't be able to push to the nightly bucket/paths and vice versa. We may restrict that further in the future: candidates vs release, or even temp creds or tokens to only allow pushing to VERSION-candidates/buildN/. If it's feasible, let's look at something similar for balrog. On mozilla-beta we don't foresee a need to be able to push to the esr, nightly, aurora, or release channels (aiui). If we had mozilla-beta specific credentials, we could restrict its permissions to only pushing to mozilla-beta specific channels, and leaked or compromised creds would have slightly less disastrous results. I'm thinking we'd have nightly, aurora, beta, release, and esr categories of perms for Firefox. Those might include *test channels for the existing release process. Until we have those, we can restrict how we use the production creds on the balrog scriptworker side. Having that check on both sides may be even better in terms of security.
I think this would be very similar to what we did for product-specific permissions in https://bugzilla.mozilla.org/show_bug.cgi?id=1194277. If we were able to specify a list of products and a list of channels in a permission's options, we could easily limit an account to eg: Firefox beta, beta-cdntest, and beta-localtest channels.
Priority: -- → P3
Whiteboard: [lang=python][ready]
See Also: → 1353949

Is this still relevant? Perhaps we want different credentials for level 1 vs level 3? If so, let's open a github issue for this.

Flags: needinfo?(aki)

Hm. Level 1 would be staging balrog, meaning we already have those separated, no?
I think we've come to the conclusion that stricter access controls like this may add some amount of security, at a maintenance cost that we can't justify. I'm going to resolve WONTFIX. If level 1 isn't staging balrog, we can open an issue.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(aki)
Resolution: --- → WONTFIX
Product: Release Engineering → Release Engineering Graveyard
You need to log in before you can comment on or make changes to this bug.