LM 325 mdm script support for user attribution#6
Open
Mahesh-Kete wants to merge 3 commits into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
LM-325: MDM script support for user attribution in Package Firewall
What & why
Adds user attribution to the Package Firewall MDM scripts so every package-install
request is traceable to the individual developer/machine that triggered it — without
issuing per-user API keys. The org keeps using its single shared API key; the only
change is that the generated scripts now bake a per-machine identity into the Basic-auth
username, which the firewall decodes and stamps onto the log as User.
Closes LM-325 (epic LM-304 / initiative PC-455). Backend decode landed in LM-326.
How it works
The generated scripts compute the attributed username at install time on the
developer's machine (where MDM runs them):
The firewall's
decodeAttributedUsername()unwraps the label, authenticates with thereal API key (so auth is unchanged and fully backward-compatible — a plain username
passes through untouched), and records the label on the firewall log.
userattr:(matchesauth.goonmain).<console-user>@<machine>an authz signal.
What changed
bash/templates/attribution.sh/powershell/templates/envvars.ps1compute the attributed username + derivedcredentials (
ENDOR_ATTR_USER,ENDOR_AUTH_B64,ENDOR_PYPI_URL,ENDOR_GO_PROXY_URL).lib/common.sh/lib/common.ps1(
endor_attr_username,endor_urlenc_b64,endor_host_label, and PS equivalents).only exists on the dev machine, so credentials can no longer be precomputed.
read
${ENDOR_*}; pip/uv/go bake the literal value since they can't expand env vars).strict-ssl=falseauto-added for a localhost FQDN.Testing
Verified end-to-end against a local endorfactory (
localhost:8086, namespaceparent)across all four ecosystems. Same blocked packages, baseline vs. attribution:
is-odd@3.0.1-mrkete@C02N3JXH76tinytag==1.10.1-mrkete@C02N3JXH76github.com/google/uuid@v1.3.1-mrkete@C02N3JXH76junit:junit:4.13.2-mrkete@C02N3JXH76Without user attribution (baseline /


main):With user attribution (this PR):

For powershell Windows. (With and without in Same Image tested in staging env demo-environment.test-user-attribution)

Notes / follow-ups