Ubuntu CI Engine

Kill ~/.ubuntu-ci

  1. Series mthood
  2. Bug #1288710
Bug #1288710 reported by Evan
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu CI Engine
Fix Released
Medium
Para Siva
Ubuntu CI Engine uce-0
Mthood
New
Undecided
Unassigned
Ubuntu CI Engine phase-1

Bug Description

This will be fixed in three parts:
 - Creating a component to upload files on behalf of CLI, to remove the need of swift credentials on the client side. This is already done.
 - Adding support to the CLI to talk to the gatekeeper component instead of uploading files by itself. This is in progress.
 - Making ciairline.ubuntu.com (or the like) the default ci_url, with an option on the CLI to override it.

Original report follows:

12:29 PM <ev> auth_user, auth_password, auth_region, auth_url, auth_tenant_name - these are specific to swift. Letting them leak out to the developers is dangerous, given that those same credentials could remove everything we've stored. Some other component should hold these and proxy requests to Swift when creating a new ticket.
12:30 PM <ev> ci_url - should default to airline.ubuntu.com (or whatever we call it) and be overridden by a command line parameter

The component proxying requests to swift or the ticket system should validate the signature of the upload and discard the data if it's not valid or does not match an approved list. This will help to prevent a malicious user from flooding swift.

See original description
Tags: airline
Evan (ev)
description: updated
Revision history for this message
Evan (ev) wrote :

We'll also need to come up with a plan for how to securely get private images out of Swift. GPG sign the request in the case of the CLI, and sync to SSO in the case of the webui? The latter has the disadvantage of further binding us to LP unless we make the OpenID provider configurable at the charm level.

Andy Doan (doanac)
Changed in ubuntu-ci-services-itself:
milestone: backlog → phase-1
Ursula Junque (ursinha)
Changed in uci-engine:
importance: Undecided → Low
milestone: none → phase-1
Revision history for this message
Evan (ev) wrote :

Ursula, I'm giving this to you. If you don't have the time to balance it against the stand-alone LP integration work, let me know and we can work something out.

Giving it to you because it will require changes to the CLI, which you and Chris Johnston know the most about right now.

no longer affects: ubuntu-ci-services-itself
Changed in uci-engine:
milestone: phase-1 → uce-0
importance: Low → Medium
status: New → Triaged
assignee: nobody → Ursula Junque (ursinha)
description: updated
Revision history for this message
Ursula Junque (ursinha) wrote :

The most important part of this bug is removing swift credentials from the user's machine, and this is accomplished by having the Gatekeeper as the component that talks to it. cprov has a branch in progress to add Gatekeeper support on the CLI, and once that lands we will only "need" the ubuntu-ci file to have the URL to reach gatekeeper.

Changed in uci-engine:
assignee: Ursula Junque (ursinha) → Celso Providelo (cprov)
status: Triaged → In Progress
Ursula Junque (ursinha)
description: updated
description: updated
Celso Providelo (cprov)
Changed in uci-engine:
assignee: Celso Providelo (cprov) → Parameswaran Sivatharman (psivaa)
status: In Progress → Fix Committed
Vincent Ladeuil (vila)
Changed in uci-engine:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.