LogDog should manage PubSub ACLs itself based on a group in chrome-infra-auth
Issue description:
Manually clicking buttons in Pantheon each time we need to add or remove an account that uploads logs is very inconvenient. This is going to be a bigger problem once we start running tasks in the context of various service accounts (there'll be many accounts). We already have a 'writer_auth_groups' config. Logdog can list all service accounts specified there and add them to the PubSub IAM policy. To clean up, it can list all accounts in the IAM policy and remove the ones that are no longer mentioned by 'writer_auth_groups'.
Apr 6 2017
So the idea here would be to run a cron task, say, every minute, and have it:
1) Create a single IAM policy for publishing.
2) In a cron job, every (say) minute:
2a) Load latest auth for all publishers.
2b) Load IAM policy, diff account list, add/update accounts, write policy.
Actually, is this something "chrome-infra-auth" could do automatically? It already owns the accounts and knows when things change. What if we could bind CIA groups to IAM policies?
Apr 6 2017
> 1) Create a single IAM policy for publishing.
Not sure what you mean by that. It seems Logdog currently requires all butlers to have "PubSub Publisher" and "PubSub Viewer" on the projects/luci-logdog/topics/logs topic. We need to programmatically start managing the IAM policy of the 'projects/luci-logdog/topics/logs' object. It is currently managed by button clicking in Pantheon.
> 2) In a cron job, every (say) minute:
> 2a) Load latest auth for all publishers.
> 2b) Load IAM policy, diff account list, add/update accounts, write policy.
The problem with this approach is that strictly speaking there's no way to list all members of a group (because we support globs).
Alternatively, the coordinator can add new accounts to the policy when handling the prefix registration RPC:
1. RegisterPrefix RPC comes in.
2. Logdog does ACL check (as usual), using IsGroupMember.
3. Logdog checks that the account has correct role in IAM policy for the topic. Updates the policy if not. (This check can be easily cached).
4. Periodically, a cron fetches existing IAM policy for the topic, enumerates all accounts there, and verifies (again, using IsGroupMember) that all accounts belong to some authorized Logdog write groups.
> Actually, is this something "chrome-infra-auth" could do automatically? It already owns the accounts and knows when things change. What if we could bind CIA groups to IAM policies?
This seems like a premature generalization to me. It will require inventing some general config language to describe {set of CIA groups -> IAM role bindings} relations, and logdog will be the only customer. I'm opposed to this idea unless we have at least two use cases.
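The RegisterPrefix-time grant plus periodic prune described in the comment above, written out as an added example in Go (this is not LogDog's own code). The Policy type is a stand-in for the Pub/Sub IAM policy, GlobGroups and the IsGroupMember signature are stand-ins for chrome-infra-auth, the sample accounts and group name are constructed, and only the two role names come from the thread.

```go
// Added example, not LogDog's code: reconcile a Pub/Sub topic's IAM policy with
// chrome-infra-auth group membership using only "is X a member?" checks.
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// The two roles every butler needs on projects/luci-logdog/topics/logs.
var writerRoles = []string{"roles/pubsub.publisher", "roles/pubsub.viewer"}

// Policy is a minimal stand-in for a Pub/Sub IAM policy: role -> set of members
// in IAM syntax ("serviceAccount:x@y", "user:x@y").
type Policy struct{ Bindings map[string]map[string]bool }

func NewPolicy() *Policy                       { return &Policy{Bindings: map[string]map[string]bool{}} }
func (p *Policy) Has(role, member string) bool { return p.Bindings[role][member] }
func (p *Policy) Remove(role, member string)   { delete(p.Bindings[role], member) }
func (p *Policy) Add(role, member string) {
	if p.Bindings[role] == nil {
		p.Bindings[role] = map[string]bool{}
	}
	p.Bindings[role][member] = true
}

// memberAccount strips the IAM member type prefix so the account can be checked
// against auth groups, which hold bare emails.
func memberAccount(member string) string {
	if i := strings.Index(member, ":"); i >= 0 {
		return member[i+1:]
	}
	return member
}

// IsGroupMember is the oracle LogDog already uses for ACL checks (hypothetical
// signature): does account belong to any of the named groups?
type IsGroupMember func(account string, groups []string) bool

// GlobGroups is a constructed stand-in for chrome-infra-auth groups. Entries may
// be globs ("*@ci.iam.gserviceaccount.com"); that is why a group cannot be
// enumerated and why the design never asks "who are the members?".
type GlobGroups map[string][]string

func (g GlobGroups) IsMember(account string, groups []string) bool {
	for _, grp := range groups {
		for _, pat := range g[grp] {
			if ok, err := path.Match(pat, account); err == nil && ok {
				return true
			}
		}
	}
	return false
}

// EnsureWriter is step 3 of the RegisterPrefix path. It runs only after the
// usual group ACL check passed and grants both writer roles if missing. It
// reports whether the policy changed and must be written back to the topic.
func EnsureWriter(p *Policy, member string) bool {
	changed := false
	for _, role := range writerRoles {
		if !p.Has(role, member) {
			p.Add(role, member)
			changed = true
		}
	}
	return changed
}

// Prune is step 4, the periodic cron: every member of a writer role that no
// longer passes IsGroupMember for writer_auth_groups is revoked. It returns the
// revoked members (sorted) so the caller can log them.
func Prune(p *Policy, isMember IsGroupMember, writerGroups []string) []string {
	removed := map[string]bool{}
	for _, role := range writerRoles {
		for member := range p.Bindings[role] { // deleting during range is safe in Go
			if !isMember(memberAccount(member), writerGroups) {
				p.Remove(role, member)
				removed[member] = true
			}
		}
	}
	out := make([]string, 0, len(removed))
	for m := range removed {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: a stale human account plus a butler SA matched by glob.
	groups := GlobGroups{"logdog-writers": {"*@ci.iam.gserviceaccount.com"}}
	p := NewPolicy()
	p.Add("roles/pubsub.publisher", "user:stale@example.com")
	EnsureWriter(p, "serviceAccount:bot-1@ci.iam.gserviceaccount.com")
	fmt.Println("revoked:", Prune(p, groups.IsMember, []string{"logdog-writers"}))
}
```

Two practical points when wiring this to the real API: the write-back after EnsureWriter or Prune has to be a read-modify-write on the policy's etag so a concurrent cron run and a concurrent RegisterPrefix do not clobber each other, and the cron can never revoke an account the RPC path just granted, because that account passed the same IsGroupMember check moments earlier. Prune is what actually closes the gap of accounts that are never removed; EnsureWriter alone only adds.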
Apr 6 2017
I see, thanks for responding. Makes sense.
Jun 22 2017
Jun 22 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 26 2018
Vadim, can you re-triage this bug, please?
Jun 26 2018
I still think it is a valuable feature to have. We learned to manually click buttons when adding new accounts (because stuff doesn't work), but I highly doubt we remove no-longer-active accounts from the PubSub ACL. This should happen automatically.
Comment 1 by vadimsh@chromium.org, Apr 6 2017