New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 629581 link

Starred by 2 users
Status: WontFix
Owner:
xixuan@chromium.org
Closed: Aug 29
Cc:
fdeng@chromium.org
akes...@chromium.org
vadimsh@chromium.org
sbasi@chromium.org
mar...@chromium.org
kevcheng@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

Use oauth2 to authenticate with chromeos-proxy

Project Member Reported by fdeng@chromium.org, Jul 19 2016 
Currently, chromeos buildbots call swarming_client.py to schedule suites. And chromeos-server22 and chromeos-server31 are running as swarming bots to pick up suite requests. Currently, these servers authenticate with chromeos-proxy using a IP whitelist  .

It would be nice to authenticate with oauth2 and deprecate the IP whitelist 

There are two places where authentication happens:
1) Client <-> server. Use "swarming.py --auth-service-account-json <path to JSON file with private key>".
2) Bot <-> server. 

There's new bot_config.py hook: get_authentication_headers

You would need to implement it so that it returns a pair ({"Authorization": "Bearer <access token>"}, <token expiration timestamp>).

To get an access token you'd need to deploy service account JSON file (with the private key) and periodically use it to grab access token. There are many ways to do this. One of the simplest is to use "authutil token -service-account-json <path> -lifetime 10m", 


Also, we may need to have PyCrypto or PyOpenSSL installed on the machines.

Comment 1 by fdeng@chromium.org, Jul 19 2016

Cc: fdeng@chromium.org akes...@chromium.org sbasi@chromium.org kevcheng@chromium.org
Components: Infra>Client>ChromeOS
Labels: -Pri-3 OS-Chrome Pri-2
Owner: ----
This is not urgent for us, but Chrome Infra team would like to get rid of the IP whitelist. And I think it is a good idea to do (reduce the cost of maintaining the IP whitelist)

I don't have spare cycle to do this this quarter. cc akeshet@ and sbasi@ for planning, maybe a fix-it candidate.

Comment 2 by aut...@google.com, Jul 19 2016

Labels: Hotlist-Fixit

Comment 3 by mar...@chromium.org, Apr 10 2017

Cc: vadimsh@chromium.org mar...@chromium.org
Components: Infra>Platform>Swarming
Because all of chromeos-proxy doesn't use isolate is is now possible to switch them to luci_token.

Comment 4 by akes...@chromium.org, Mar 20 2018

Owner: xixuan@chromium.org
Is this still relevant?

Comment 5 by mar...@chromium.org, Mar 20 2018 

Yes :)

Comment 6 by mar...@chromium.org, Jun 21 2018

Components: -Infra>Platform>Swarming Infra>Platform>Swarming>Admin

Comment 7 by benhenry@chromium.org, Aug 2

Status: Assigned (was: Available)

Comment 8 by xixuan@chromium.org, Aug 29

Status: WontFix (was: Assigned)
After skylab, I'm not sure whether chromeos-proxy is not used anymore. So mark it as wontfix for now. We can reopen it if we switch to use this proxy after skylab.

Sign in to add a comment