Closed Bug 1402152 Opened 8 years ago Closed 8 years ago

Use temporary credentials from claimWork, reclaimTask in reclaimTask, createArtifact, reportCompleted

Categories

(Taskcluster :: Workers, enhancement)

Product:
Taskcluster
Component:
Workers
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jonasfj, Assigned: pmoore)

References

Details

Attachments

(1 file)

Github Pull Request for generic-worker
53 bytes, text/x-github-pull-request
jonasfj
: review+
Details | Review
queue.claimWork and queue.reclaimWork returns temporary credentials with sufficient scopes to: A) Operate on the task, that is: - reclaimTask - createArtifact - reportCompleted, reportFailed, reportException B) Cover task.scopes, such that a client with authorizedScopes = task.scopes can be used by the task to run arbitrary requests. (DO NOT let tasks use the temporary credentials without limiting to task.scopes) generic-worker is currently not doing this, I suspect it's a bug: https://github.com/taskcluster/generic-worker/blob/c91adbc9fc65c28b3c9e76da1fb0f7f84a69eebf/taskstatus.go#L117 Should probably just say: task.Queue.ReclaimTask (also the might be some locking of task.Queue required, not sure how that works.
Blocks: 1401596
Nice spot, thanks Jonas! Locking shouldn't be required in this case, as generic-worker creates task.Queue on task initialisation in the main go routine, before other go routines are spawned that access it. Therefore there should be no races. Making a patch now.
Attachment #8911717 - Flags: review?(jopsen)
Comment on attachment 8911717 [details] [review] Github Pull Request for generic-worker Awesome, thanks for fixing this. Note: A) Check that you are using these credentials for uploading artifacts B) Look into removing a lot of credentials from various workers you've deployed
Attachment #8911717 - Flags: review?(jopsen) → review+
Commits pushed to master at https://github.com/taskcluster/generic-worker https://github.com/taskcluster/generic-worker/commit/18ee7b435e01d4689a820dbe830d38f29881d1af Bug 1402152 - use creds returned from claimWork to reclaim and resolve tasks https://github.com/taskcluster/generic-worker/commit/9c8ddef5c11f27441a675a86334634060381c822 Merge pull request #66 from taskcluster/bug1402152 Bug 1402152 - use creds returned from claimWork to reclaim and resolve tasks
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: Generic-Worker → Workers
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: