Closed
Bug 1509027
Opened 6 years ago
Closed 5 years ago
Restrict Servo scopes for Treeherder
Categories
(Taskcluster :: Operations and Service Requests, task)
Taskcluster
Operations and Service Requests
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: SimonSapin, Assigned: dustin)
Details
TL;DR: following up on bug 1507512 let’s, in order: * Grant these scopes to Servo admin: queue:route:tc-treeherder.v2._/servo-* queue:route:tc-treeherder-staging.v2._/servo-* * Then I will land a pull request in Servo to switch to using them * Then remove the scopes: queue:route:tc-treeherder.v2.servo/* queue:route:tc-treeherder-staging.v2.servo/* ------ Bakckground: https://docs.taskcluster.net/docs/reference/integrations/taskcluster-treeherder documents the routes used as: <treeherder destination>.v2.<project>.<revision>.<push/pullrequest ID> With: > Note: Github repos should use the project form of <user>/<project> > to be recognized as a github source. This suggests that <user> is the GitHub username or organization name of that owns the repository, and <project> the name of the repository on GitHub. On this basis, in bug 1507512 I asked to be granted the scopes: queue:route:tc-treeherder.v2.servo/* queue:route:tc-treeherder-staging.v2.servo/* … hoping that this would restrict access to repositories owned by the Servo organization on GitHub. Indeed, when a slash is present in the route the taskcluster-treeherder integration service splits on that separator and writes the two strings in the "owner" and "project" parts of the message sent to Treeherder. https://github.com/taskcluster/taskcluster-treeherder/blob/4b7e9f61b1e056604f808462d88bf3861c41f303/src/util/route_parser.js#L26-L27 https://github.com/taskcluster/taskcluster-treeherder/blob/4b7e9f61b1e056604f808462d88bf3861c41f303/src/handler.js#L256 https://github.com/mozilla/treeherder/blob/c27a05b022b94fa90e49c914615e759366bf25ee/schemas/pulse-job.yml#L73-L85 However, when Treeherder receives that message, it ignores the "owner" field entirely. So the current scopes in fact grant access to push job/task data to any Treeherder "repository" backed by GitHub! https://github.com/mozilla/treeherder/blob/c27a05b022b94fa90e49c914615e759366bf25ee/treeherder/etl/job_loader.py#L50 The "project" field is not the GitHub name of the repository, but the name of what is known as a repository in Treeherder’s configuration and is in fact a branch. We’ve recently added multiple such entries name `servo-<branch name>`, for example `servo-auto` for the `auto` branch of github.com/servo/servo. https://github.com/mozilla/treeherder/pull/4249 While the consequences are not overly dramatic, let’s not keep scopes that are not needed and restrict them to "project" names that start with `servo-`.
|
Reporter | |
Comment 1•6 years ago
|
||
I meant to add: since the "owner" field (the part before the slash in the route) is unused and we’re changing the scopes anyway, let’s make it the underscore (it cannot be the empty string) rather than something Servo-specific. That makes one less parameter to make configurable in Servo’s `decisionlib.py` which is intended to be usable by other projects.
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → dustin
|
|
Assignee | |
Comment 2•5 years ago
|
||
https://tools.taskcluster.net/auth/roles/project%3Aservo%3Agrants%2Fservo-routes should do the trick!
|
|
Assignee | |
Comment 3•5 years ago
|
||
Please reopen if I missed something..
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 4•5 years ago
|
||
Thanks! I’ve landed https://github.com/servo/servo/pull/22382 to use the new routes, and now removed the grant to the old (more general) ones.
Status: RESOLVED → VERIFIED
|
||
Updated•5 years ago
|
Component: Service Request → Operations and Service Requests
You need to log in
before you can comment on or make changes to this bug.
Description
•