| Index: appengine/swarming/swarming_bot/bot_code/bot_auth.py
|
| diff --git a/appengine/swarming/swarming_bot/bot_code/bot_auth.py b/appengine/swarming/swarming_bot/bot_code/bot_auth.py
|
| index ee5e7a4ea8aef9ff9bb7d58fcedac7132df0cf6d..8620abb079266169684902d1c0f651d5c3582063 100644
|
| --- a/appengine/swarming/swarming_bot/bot_code/bot_auth.py
|
| +++ b/appengine/swarming/swarming_bot/bot_code/bot_auth.py
|
| @@ -26,10 +26,18 @@ AuthParams = collections.namedtuple('AuthParams', [
|
| # Unix timestamp of when swarming_http_headers expire, or 0 if unknown.
|
| 'swarming_http_headers_exp',
|
|
|
| - # Indicates the service account the task runs as. One of:
|
| - # - 'none' if the task shouldn't use any authentication at all.
|
| - # - 'bot' if the task should use bot's own service account.
|
| - # - <email> if the task is using service acccount via delegation token.
|
| + # Indicates the service account to use for internal bot processes. One of:
|
| + # - 'none' to not use authentication at all.
|
| + # - 'bot' to use whatever bot is using to authenticate itself to Swarming.
|
| + # - <email> to get tokens through API calls to Swarming.
|
| + 'system_service_account',
|
| +
|
| + # Indicates the service account the task runs as. Same range of values as for
|
| + # 'system_service_account'.
|
| + #
|
| + # It is distinct from 'system_service_account' to allow user-supplied payloads
|
| + # to use a service account also supplied by the user (and not the one used
|
| + # internally by the bot).
|
| 'task_service_account',
|
| ])
|
|
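Review bot: Inserting `system_service_account` ahead of `task_service_account` changes the positional layout of the tuple, so any `AuthParams(headers, exp, acc)` constructor that this commit does not touch now silently lands a task account in the system slot; the one visible call site is converted to keyword arguments, but other constructors (tests, for example) are not visible from here. I would make that the documented contract in the field comment block: `# Construct with keyword arguments only; positional field order is not stable.`. The `<email>` bullet could also say that values are only checked to be strings at parse time (see process_auth_params_json), not validated as emails, so consumers that branch on `!= 'none'` will treat any other string as an account. The `AuthParams` namedtuple definition starts before this hunk.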
|
| @@ -49,10 +57,14 @@ def prepare_auth_params_json(bot, manifest):
|
| bot: instance of bot.Bot.
|
| manifest: dict with the task manifest, as generated by the backend in /poll.
|
| """
|
| + def account(acc_id):
|
| + acc = (manifest.get('service_accounts') or {}).get(acc_id) or {}
|
| + return acc.get('service_account') or 'none'
|
| return {
|
| 'swarming_http_headers': bot.remote.get_authentication_headers(),
|
| 'swarming_http_headers_exp': bot.remote.authentication_headers_expiration,
|
| - 'task_service_account': manifest.get('service_account') or 'none',
|
| + 'system_service_account': account('system'),
|
| + 'task_service_account': account('task'),
|
| }
|
|
|
|
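Review bot: `account()` folds every absence — no `service_accounts` key, a missing `system`/`task` entry, or an entry without `service_account` — into `'none'`, so a backend that still emits the old top-level `service_account` key removed on the `-` line would have its tasks run with no credentials rather than fail loudly; whether the backend rollout already guarantees the new shape is not visible here. Falling back to no auth is the safe direction, but it hides version skew, so I would surface it with `if 'service_account' in manifest: logging.warning('Ignoring legacy "service_account" in manifest')` before the `return` (the module already uses `logging`). The docstring should also state the fallback: `Missing or empty entries in manifest['service_accounts'] map to 'none'.`. Note that a non-dict value under `service_accounts` or under `system`/`task` would raise AttributeError from `.get` rather than a ValueError; that may be acceptable given the manifest comes from the backend, but it differs from the consumer side's error handling.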
|
| @@ -86,12 +98,17 @@ def process_auth_params_json(val):
|
| # UnicodeEncodeError, which is subclass of ValueError.
|
| headers = {str(k): str(v) for k, v in headers.iteritems()}
|
|
|
| - acc = val.get('task_service_account') or 'none'
|
| - if not isinstance(acc, basestring):
|
| - raise ValueError(
|
| - 'Expecting "task_service_account" to be a string, got %r' % (acc,))
|
| + def read_account(key):
|
| + acc = val.get(key) or 'none'
|
| + if not isinstance(acc, basestring):
|
| + raise ValueError('Expecting "%s" to be a string, got %r' % (key, acc))
|
| + return str(acc)
|
|
|
| - return AuthParams(headers, exp, str(acc))
|
| + return AuthParams(
|
| + swarming_http_headers=headers,
|
| + swarming_http_headers_exp=exp,
|
| + system_service_account=read_account('system_service_account'),
|
| + task_service_account=read_account('task_service_account'))
|
|
|
|
|
| class AuthSystem(object):
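Review bot: `read_account` only checks that the value is a string, so anything that is not exactly `'none'` — `'None'`, a value with surrounding whitespace, or an arbitrary word — passes through and, per the `!= 'none'` test in AuthSystem, is treated as an account to fetch tokens for. Since the documented range is `'none'`, `'bot'` or an email, I would pin that here after the isinstance check: `acc = str(acc)` / `if acc not in ('none', 'bot') and '@' not in acc:` / `raise ValueError('Expecting "%s" to be "none", "bot" or an email, got %r' % (key, acc))`. The exact email format the server accepts is not visible here, so the `'@'` test is a minimal sanity check rather than full validation; `str(acc)` on non-ASCII input still raises UnicodeEncodeError, which the comment above notes is a ValueError subclass, so that path stays consistent. The function body starts before this hunk (the `headers` parsing).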
|
| @@ -154,8 +171,16 @@ class AuthSystem(object):
|
| reader.stop()
|
| raise AuthSystemError('Cannot parse bot_auth_params.json: %s' % e)
|
|
|
| - # If using task auth, launch local HTTP server that serves tokens (let OS
|
| - # assign the port).
|
| + logging.info('Using following service accounts:')
|
| + logging.info(' system: %s', params.system_service_account)
|
| + logging.info(' task: %s', params.task_service_account)
|
| +
|
| + # If using service accounts, launch local HTTP server that serves tokens
|
| + # (let OS assign the port).
|
| + #
|
| + # TODO(vadimsh): Launch local auth server if using 'system' account (or both
|
| + # 'system' and 'task') too. This can be done only once all processes that
|
| + # inherit LUCI_CONTEXT know about 'system' and 'task' accounts distinction.
|
| server = None
|
| local_auth_context = None
|
| if params.task_service_account != 'none':
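Review bot: `params.system_service_account` is logged but otherwise unused in this hunk — the TODO says the local auth server is launched only for the task account — so a manifest that sets `system` to a real account while `task` is `'none'` leaves the system account silently ignored with nothing stronger than an INFO line. Until the TODO lands I would make that visible to operators: `if params.system_service_account != 'none':` / `logging.warning('System service account %s is not served by the local auth server yet', params.system_service_account)`. The two INFO lines print only account identifiers, not header values, so nothing sensitive leaks there. The `if params.task_service_account != 'none':` body continues past the end of the hunk.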
|
|
|