Closed
Bug 1402152
Opened 7 years ago
Closed 7 years ago
Use temporary credentials from claimWork, reclaimTask in reclaimTask, createArtifact, reportCompleted
Categories
(Taskcluster :: Workers, enhancement)
Taskcluster
Workers
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jonasfj, Assigned: pmoore)
References
Details
Attachments
(1 file)
queue.claimWork and queue.reclaimWork returns temporary credentials with sufficient scopes to:
A) Operate on the task, that is:
- reclaimTask
- createArtifact
- reportCompleted, reportFailed, reportException
B) Cover task.scopes, such that a client with authorizedScopes = task.scopes
can be used by the task to run arbitrary requests.
(DO NOT let tasks use the temporary credentials without limiting to task.scopes)
generic-worker is currently not doing this, I suspect it's a bug:
https://github.com/taskcluster/generic-worker/blob/c91adbc9fc65c28b3c9e76da1fb0f7f84a69eebf/taskstatus.go#L117
Should probably just say:
task.Queue.ReclaimTask
(also the might be some locking of task.Queue required, not sure how that works.
|
Assignee | |
Comment 1•7 years ago
|
||
Nice spot, thanks Jonas! Locking shouldn't be required in this case, as generic-worker creates task.Queue on task initialisation in the main go routine, before other go routines are spawned that access it. Therefore there should be no races. Making a patch now.
|
|
Assignee | |
Comment 2•7 years ago
|
||
Attachment #8911717 -
Flags: review?(jopsen)
|
Reporter | |
Comment 3•7 years ago
|
||
Comment on attachment 8911717 [details] [review] Github Pull Request for generic-worker Awesome, thanks for fixing this. Note: A) Check that you are using these credentials for uploading artifacts B) Look into removing a lot of credentials from various workers you've deployed
Attachment #8911717 -
Flags: review?(jopsen) → review+
|
||
Comment 4•7 years ago
|
||
Commits pushed to master at https://github.com/taskcluster/generic-worker https://github.com/taskcluster/generic-worker/commit/18ee7b435e01d4689a820dbe830d38f29881d1af Bug 1402152 - use creds returned from claimWork to reclaim and resolve tasks https://github.com/taskcluster/generic-worker/commit/9c8ddef5c11f27441a675a86334634060381c822 Merge pull request #66 from taskcluster/bug1402152 Bug 1402152 - use creds returned from claimWork to reclaim and resolve tasks
|
|
Assignee | |
Comment 5•7 years ago
|
||
Released in https://github.com/taskcluster/generic-worker/releases/tag/v10.2.3
|
|
Assignee | |
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
|
||
Updated•5 years ago
|
Component: Generic-Worker → Workers
You need to log in
before you can comment on or make changes to this bug.
Description
•