[tor-bugs] #30510 [Circumvention/Snowflake]: Share access to the Snowflake broker domain front CDN configuration (was: Share access to the Snowflake domain front CDN configuration)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 7 01:42:42 UTC 2020


#30510: Share access to the Snowflake broker domain front CDN configuration
-------------------------------------+-----------------------------------
 Reporter:  dcf                      |          Owner:  (none)
     Type:  task                     |         Status:  needs_information
 Priority:  Medium                   |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:                           |         Points:
 Reviewer:                           |        Sponsor:
-------------------------------------+-----------------------------------
Changes (by dcf):

 * status:  new => needs_information


Old description:

> Currently dcf is the only one who can manage the CDN configuration used
> for domain fronting. If a change needs to be made, he's the only one who
> can do it. If he's not available for an extended time, the only
> workaround would be to set up a new CDN configuration and push out a new
> release that uses it.
>
> To reduce the risk, more people should have access to the CDN
> configuration. So either:
> 1. dcf figures out how to delegate admin access on Azure to other
> Microsoft accounts, or
> 2. we move the CDN configuration or set up a new one that allows shared
> access.

New description:

 Currently dcf is the only one who can manage the CDN configuration used
 for domain fronting the broker.
 (snowflake-broker.azureedge.net→snowflake-broker.bamsoftware.com.)
 If a change needs to be made, he's the only one
 who can do it. If he's not available for an extended time, the only
 workaround would be to set up a new CDN configuration and push out a new
 release that uses it.

 To reduce the risk, more people should have access to the CDN
 configuration. So either:
 1. dcf figures out how to delegate admin access on Azure to other
 Microsoft accounts, or
 2. we move the CDN configuration or set up a new one that allows shared
 access.

--

Comment:

 I started looking into this. It is not easy to come to grips with all the
 Azure documentation, but I think what I have to do is:
  1. [https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory Add a new user to Azure Active Directory]
  2. [https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal Give the new user a role assignment]

 I think the invited user can be any email address; it doesn't necessarily
 have to be a Microsoft account.

 What I need at this point: email addresses from Snowflake maintainers that
 they want to use to manage the Azure CDN configuration. You can send it to
 me in private signed email.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30510#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

