
Unified Diff: appengine/swarming/swarming_bot/bot_code/bot_auth.py

Issue 2958853002: Propagate name of system service account to the bot. (Closed)
Patch Set: Created 3 years, 6 months ago
Index: appengine/swarming/swarming_bot/bot_code/bot_auth.py
diff --git a/appengine/swarming/swarming_bot/bot_code/bot_auth.py b/appengine/swarming/swarming_bot/bot_code/bot_auth.py
index ee5e7a4ea8aef9ff9bb7d58fcedac7132df0cf6d..8620abb079266169684902d1c0f651d5c3582063 100644
--- a/appengine/swarming/swarming_bot/bot_code/bot_auth.py
+++ b/appengine/swarming/swarming_bot/bot_code/bot_auth.py
@@ -26,10 +26,18 @@ AuthParams = collections.namedtuple('AuthParams', [
# Unix timestamp of when swarming_http_headers expire, or 0 if unknown.
'swarming_http_headers_exp',
- # Indicates the service account the task runs as. One of:
- # - 'none' if the task shouldn't use any authentication at all.
- # - 'bot' if the task should use bot's own service account.
- # - <email> if the task is using service acccount via delegation token.
+ # Indicates the service account to use for internal bot processes. One of:
+ # - 'none' to not use authentication at all.
+ # - 'bot' to use whatever bot is using to authenticate itself to Swarming.
+ # - <email> to get tokens through API calls to Swarming.
+ 'system_service_account',
+
+ # Indicates the service account the task runs as. Same range of values as for
+ # 'system_service_account'.
+ #
+ # It is distinct from 'system_service_account' to allow user-supplied payloads
+ # to use a service account also supplied by the user (and not the one used
+ # internally by the bot).
'task_service_account',
])
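Review bot: The new comment for `task_service_account` only says it has the "same range of values" as `system_service_account`, but the value `'bot'` is defined a few lines up as "whatever bot is using to authenticate itself to Swarming", so for the task account it means a user-supplied payload receives the bot's own Swarming credentials; that consequence is worth stating where the field is documented. Suggest adding under the existing comment: `# Note: 'bot' here gives the user-supplied task the bot's own credentials; presumably only the backend (via the /poll manifest) decides whether a task may get it.` The source of the value is inferred from prepare_auth_params_json below, so the "presumably" should be confirmed against the backend. The namedtuple definition starts before this hunk.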
@@ -49,10 +57,14 @@ def prepare_auth_params_json(bot, manifest):
bot: instance of bot.Bot.
manifest: dict with the task manifest, as generated by the backend in /poll.
"""
+ def account(acc_id):
+ acc = (manifest.get('service_accounts') or {}).get(acc_id) or {}
+ return acc.get('service_account') or 'none'
return {
'swarming_http_headers': bot.remote.get_authentication_headers(),
'swarming_http_headers_exp': bot.remote.authentication_headers_expiration,
- 'task_service_account': manifest.get('service_account') or 'none',
+ 'system_service_account': account('system'),
+ 'task_service_account': account('task'),
}
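Review bot: The `account` helper assumes `manifest['service_accounts']` and each entry are dicts; a non-dict value (e.g. a string or list from a mismatched backend) raises AttributeError on `.get` rather than a clear error, unlike the type check `process_auth_params_json` does on the other side. A cheap guard keeps failures explicit: `accs = manifest.get('service_accounts') or {}` / `if not isinstance(accs, dict): raise ValueError('Expecting "service_accounts" to be a dict, got %r' % (accs,))`. Separately, the old top-level `service_account` key is no longer read, so a manifest from a backend that still emits it would silently run the task with `'none'`; if the backend change lands in the same CL and bots always fetch code from that backend this is fine, but it deserves a one-line comment saying the old key is intentionally dropped.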
@@ -86,12 +98,17 @@ def process_auth_params_json(val):
# UnicodeEncodeError, which is subclass of ValueError.
headers = {str(k): str(v) for k, v in headers.iteritems()}
- acc = val.get('task_service_account') or 'none'
- if not isinstance(acc, basestring):
- raise ValueError(
- 'Expecting "task_service_account" to be a string, got %r' % (acc,))
+ def read_account(key):
+ acc = val.get(key) or 'none'
+ if not isinstance(acc, basestring):
+ raise ValueError('Expecting "%s" to be a string, got %r' % (key, acc))
+ return str(acc)
- return AuthParams(headers, exp, str(acc))
+ return AuthParams(
+ swarming_http_headers=headers,
+ swarming_http_headers_exp=exp,
+ system_service_account=read_account('system_service_account'),
+ task_service_account=read_account('task_service_account'))
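Review bot: `read_account` enforces only that the value is a string, not that it is one of the documented forms (`'none'`, `'bot'`, or an email), so a value like `' none '` or `'None'` passes and is later treated as a real account by the `!= 'none'` comparison in AuthSystem. Since the ValueError here already becomes an AuthSystemError ("Cannot parse bot_auth_params.json"), rejecting unexpected values is consistent with the existing error path: `acc = str(acc)` then `if acc not in ('none', 'bot') and '@' not in acc: raise ValueError('Unexpected "%s" value: %r' % (key, acc))`. The `'@'` test presumes service accounts are always emails, as the namedtuple comment states; confirm that before adding it. The `str(acc)` call can itself raise UnicodeEncodeError on non-ASCII input, which is a ValueError subclass as the comment above on headers notes, so that path is already covered.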
class AuthSystem(object):
@@ -154,8 +171,16 @@ class AuthSystem(object):
reader.stop()
raise AuthSystemError('Cannot parse bot_auth_params.json: %s' % e)
- # If using task auth, launch local HTTP server that serves tokens (let OS
- # assign the port).
+ logging.info('Using following service accounts:')
+ logging.info(' system: %s', params.system_service_account)
+ logging.info(' task: %s', params.task_service_account)
+
+ # If using service accounts, launch local HTTP server that serves tokens
+ # (let OS assign the port).
+ #
+ # TODO(vadimsh): Launch local auth server if using 'system' account (or both
+ # 'system' and 'task') too. This can be done only once all processes that
+ # inherit LUCI_CONTEXT know about 'system' and 'task' accounts distinction.
server = None
local_auth_context = None
if params.task_service_account != 'none':
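Review bot: `system_service_account` is now parsed and logged but, per the TODO, not acted on: the local auth server is still launched only for the task account, so an operator reading the "Using following service accounts" log line could believe internal bot processes authenticate as the system account when they do not. Until the TODO is resolved, make the gap visible at runtime: `if params.system_service_account != 'none':` / `  logging.warning('system_service_account is not honored yet; internal bot processes will not use it')`. This is a two-line addition next to the TODO. The enclosing method starts before this hunk and the `if` on the last line continues past it.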