Closed
Bug 1375197
Opened 7 years ago
Closed 6 years ago
[aws-provisioner] Remove support for worker type secrets from AWS provisioner
Categories
(Taskcluster :: Services, enhancement)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pmoore, Assigned: dustin)
References
Details
(Whiteboard: good-first-bug)
Once bug 1375195 has been completed, we should be safe to remove support for worker type secrets from the provisioner.
I'd prefer to do this before making worker types publicly viewable, since it solves the race-condition problem that we validate no worker types are using secrets, then during the process of making the worker types publicly world-readable, a new worker type is added e.g. from an old template, that suddenly exposes confidential secrets. This is quite a realistic disclosure possibility, and therefore by removing the feature before exposing the worker type definitions, we are sure no secrets exist.
Reporter
Updated•7 years ago
Summary: Remove support for worker type secrets from AWS provisioner → [aws-provisioner] Remove support for worker type secrets from AWS provisioner
Reporter
Updated•7 years ago
Assignee: nobody → pmoore
Reporter
Comment 1•7 years ago
Will look at this soon...
Comment 2•6 years ago
Having this implemented would be great, especially since we're doing work to derive taskcluster credentials from instance identity documents. These credentials aren't planned to have support for provisioner secrets.
Comment 3•6 years ago
This should be done as a part of the worker-manager transition. Since we'll deprecate the aws-provisioner codebase in favour of the worker manager, we should do the work in this bug. That said, we should still work through bug 1375200 and bug 1375201.
Component: AWS-Provisioner → Generic-Worker
QA Contact: pmoore
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 5•6 years ago
Reopening this bug; removing worker secrets shouldn't be too difficult from the aws-provisioner codebase, so we should probably consider doing it.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Updated•6 years ago
Component: Generic-Worker → Workers
Reporter
Updated•6 years ago
Component: Workers → Services
Reporter
Updated•6 years ago
Assignee: pmoore → nobody
Reporter
Updated•6 years ago
Whiteboard: good-first-bug
Assignee
Updated•6 years ago
Assignee: nobody → dustin
Assignee
Comment 6•6 years ago
Assignee
Updated•6 years ago
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED