Closed Bug 1490843 Opened 7 years ago Closed 7 years ago

Please add scope to aklotz's identity

Categories

(Taskcluster :: Operations and Service Requests, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bugzilla, Unassigned)


Please add scope: generic-worker:os-group:aws-provisioner-v1/gecko-1-b-win2012/Administrators to login identity: mozilla-auth0/ad|Mozilla-LDAP|aklotz
I granted the scope. It looks per https://wiki.mozilla.org/ReleaseEngineering/How_To/Self_Provision_a_TaskCluster_Windows_Instance like this is the recommended approach, but I don't think we want to be holding debugging up waiting for a service request like this, nor do we want to be issuing all manner of one-off scopes to individual users.

Pete, please let me know if I should have done something differently; otherwise, let's keep this open to remove the role when no longer needed.

https://tools.taskcluster.net/auth/roles/login-identity%3Amozilla-auth0%2Fad|Mozilla-LDAP|aklotz
Flags: needinfo?(pmoore)
Hmm, despite following the relevant steps in the guide, my username was not added to the Administrators group. :-(
Dustin, I no longer require this scope. Feel free to remove. Thanks!
Flags: needinfo?(dustin)
done.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #1)
> I granted the scope. It looks per
> https://wiki.mozilla.org/ReleaseEngineering/How_To/Self_Provision_a_TaskCluster_Windows_Instance
> like this is the recommended approach, but I don't think we want to be
> holding debugging up waiting for a service request like this, nor do we
> want to be issuing all manner of one-off scopes to individual users.
>
> Pete, please let me know if I should have done something differently;
> otherwise, let's keep this open to remove the role when no longer needed.
>
> https://tools.taskcluster.net/auth/roles/login-identity%3Amozilla-auth0%2Fad|Mozilla-LDAP|aklotz

The issue is that as soon as someone is Administrator on a Windows machine, they have full rein over it, including access to any secrets it has. We could arguably grant all users of scm level 1 access this scope, but this feels suboptimal. It also introduces the possibility that people can make system changes to workers that are in a production pool. We can discuss a better solution, I'm just not sure what that is at the moment.
Flags: needinfo?(pmoore)
Thanks -- as long as this is the current best approach, I'm happy :)
Component: Service Request → Operations and Service Requests