Use oauth2 to authenticate with chromeos-proxy |
|||||||
Issue description
Currently, chromeos buildbots call swarming_client.py to schedule suites. And chromeos-server22 and chromeos-server31 are running as swarming bots to pick up suite requests. Currently, these servers authenticate with chromeos-proxy using a IP whitelist .
It would be nice to authenticate with oauth2 and deprecate the IP whitelist
There are two places where authentication happens:
1) Client <-> server. Use "swarming.py --auth-service-account-json <path to JSON file with private key>".
2) Bot <-> server.
There's new bot_config.py hook: get_authentication_headers
You would need to implement it so that it returns a pair ({"Authorization": "Bearer <access token>"}, <token expiration timestamp>).
To get an access token you'd need to deploy service account JSON file (with the private key) and periodically use it to grab access token. There are many ways to do this. One of the simplest is to use "authutil token -service-account-json <path> -lifetime 10m",
Also, we may need to have PyCrypto or PyOpenSSL installed on the machines.
,
Jul 19 2016
,
Apr 10 2017
Because all of chromeos-proxy doesn't use isolate is is now possible to switch them to luci_token.
,
Mar 20 2018
Is this still relevant?
,
Mar 20 2018
Yes :)
,
Jun 21 2018
,
Aug 2
,
Aug 29
After skylab, I'm not sure whether chromeos-proxy is not used anymore. So mark it as wontfix for now. We can reopen it if we switch to use this proxy after skylab. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by fdeng@chromium.org
, Jul 19 2016Components: Infra>Client>ChromeOS
Labels: -Pri-3 OS-Chrome Pri-2
Owner: ----