Closed Bug 1375165 Opened 8 years ago Closed 6 years ago

Replace worker configuration "runTasksAsCurrentUser" with task feature "runAsWorkerUser"

Categories

(Taskcluster :: Workers, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pmoore, Unassigned)

This is a tracker bug for implementing and rolling out this feature.

Until now, in order to support worker CI, we created a worker configuration setting "runTasksAsCurrentUser" that would cause tasks running on that worker type not to run as an isolated OS task user created especially for that task, but instead to run as the same OS user that the generic-worker process is running as. This is needed by the generic-worker CI itself since the CI launches generic-worker processes, and they need to run in the same security context as a real generic-worker would (e.g. on Windows this means running as LocalSystem under a Windows service).

The downside of this approach is it means we need to maintain and support additional worker types. Instead, this could be a task feature, protected by a scope. We can still create separate worker types if we decide not to accept the security risk of allowing privileged tasks to run on the same workers as non-privileged tasks, or even disable the feature via a separate worker type configuration setting - but implementing as a task feature gives us the opportunity to manage few worker types, and choose whether we want pool separation or not.

This is just a tracking bug for the migration - the individual work items will sit underneath this bug as dependencies.
Depends on: 1375170
Depends on: 1375171
Depends on: 1375175
QA Contact: pmoore
Work continues in dependent bugs.
Closing - see bug 1375170 comment 2 for context.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Component: Generic-Worker → Workers