1254346 - Scope for v1.gecko not accessible using task-creator

Status: RESOLVED FIXED

(Taskcluster :: Services, defect)

Description

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

1. git clone https://github.com/nhirata/gecko-dev -b non_dogfood-dogfood_build
2. cd gecko-dev
3. ./mach taskcluster-build --head-repo=https://github.com/nhirata/gecko-dev --head-rev=non_dogfood-dogfood_build --owner=nhirata@mozilla.com tasks/builds/b2g_aries_spark_dogfood.yml | sed -e 's/0\.0\.24/0.99.22/'
4. copy template into task creator, remove cache lines, add repo
expected : works
actual: 
403:  You do not have sufficient scopes. This request requires you to have one of the following sets of scopes: [ [ "queue:route:index.gecko.v1..revision.linux.non_dogfood-dogfood_build.aries-dogfood.debug", "queue:route:index.gecko.v1..latest.linux.aries-dogfood.debug" ] ] You only have the scopes: [ "assume:hook-id:garbage/*", "assume:moz-tree:level:1", "assume:moz-tree:level:2", "assume:moz-tree:level:3", "assume:mozilla-group:scm_level_1", "assume:mozilla-group:scm_level_2", "assume:mozilla-group:scm_level_3", "assume:mozilla-group:team_moco", "assume:mozilla-user:nhirata@mozilla.com", "assume:worker-id:*", "auth:create-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:create-role:*", "auth:delete-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:reset-access-token:mozilla-ldap/nhirata@mozilla.com/*", "auth:update-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:update-role:*", "docker-worker:cache:level-1-*", "docker-worker:cache:level-2-*", "docker-worker:cache:level-3-*", "docker-worker:cache:tooltool-cache", "docker-worker:capability:device:loopbackAudio", "docker-worker:capability:device:loopbackVideo", "docker-worker:capability:device:phone", "docker-worker:capability:privileged", "docker-worker:feature:allowPtrace", "docker-worker:feature:balrogVPNProxy", "docker-worker:image:quay.io/mozilla/builder:*", "docker-worker:image:quay.io/mozilla/decision:*", "docker-worker:image:taskcluster/builder:*", "docker-worker:image:taskcluster/tester:*", "docker-worker:image:taskclusterprivate/phone-builder:*", "docker-worker:image:taskclusterprivate/taskcluster-vpn-proxy:*", "docker-worker:image:taskclusterprivate/tester-device:*", "docker-worker:image:taskclusterprivate/upload_symbols:*", "docker-worker:relengapi-proxy:tooltool.download.internal", "docker-worker:relengapi-proxy:tooltool.download.public", "hooks:modify-hook:garbage/*", "queue:create-task:aws-provisioner-v1/ami-test*", "queue:create-task:aws-provisioner-v1/android-api-*", "queue:create-task:aws-provisioner-v1/b2g-desktop-*", "queue:create-task:aws-provisioner-v1/b2gbuild*", "queue:create-task:aws-provisioner-v1/b2gtest*", "queue:create-task:aws-provisioner-v1/balrog", "queue:create-task:aws-provisioner-v1/build-c4-2xlarge", "queue:create-task:aws-provisioner-v1/dbg-*", "queue:create-task:aws-provisioner-v1/desktop-test*", "queue:create-task:aws-provisioner-v1/dolphin", "queue:create-task:aws-provisioner-v1/emulator-*", "queue:create-task:aws-provisioner-v1/flame-kk*", "queue:create-task:aws-provisioner-v1/gecko-decision", "queue:create-task:aws-provisioner-v1/mulet-debug", "queue:create-task:aws-provisioner-v1/mulet-opt", "queue:create-task:aws-provisioner-v1/opt-*", "queue:create-task:aws-provisioner-v1/rustbuild", "queue:create-task:aws-provisioner-v1/spidermonkey", "queue:create-task:aws-provisioner-v1/symbol-upload", "queue:create-task:aws-provisioner-v1/taskcluster-images", "queue:create-task:aws-provisioner-v1/test-c4-2xlarge", "queue:create-task:aws-provisioner-v1/testdroid-device", "queue:create-task:aws-provisioner-v1/win2012r2", "queue:create-task:aws-provisioner-v1/y-2012", "queue:define-task:aws-provisioner-v1/build-c4-2xlarge", "queue:define-task:aws-provisioner-v1/taskcluster-images", "queue:define-task:aws-provisioner-v1/test-c4-2xlarge", "queue:get-artifact:private/*", "queue:rerun-task", "queue:resolve-task", "scheduler:create-task-graph", "scheduler:extend-task-graph", "secrets:get:project/releng/gecko/build/api-keys" ] In other words you are missing scopes from one of the options: * Option 0: - "queue:route:index.gecko.v1..revision.linux.non_dogfood-dogfood_build.aries-dogfood.debug", and - "queue:route:index.gecko.v1..latest.linux.aries-dogfood.debug" ---- errorCode: InsufficientScopes statusCode: 403 requestInfo: method: createTask params: {"taskId":"YznMHpmzS5KuWwheQlNbxw"} payload: { "workerType": "balrog", "scopes": [ "docker-worker:image:taskclusterprivate/phone-builder:0.99.22" ], "tags": { "createdForUser": "nhirata@mozilla.com" }, "extra": { "build_product": "b2g", "index": { "rank": null }, "treeherderEnv": [ "production", "staging" ], "locations": { "tests": "private/build/gaia.zip", "mar": "public/build/b2g-aries-gecko-update.mar", "img": "private/build/aries.zip", "symbols": "private/build/b2g-crashreporter-symbols.zip", "sources": "private/build/sources.xml", "build": "private/build/b2g-android-arm.tar.gz" }, "build_name": "aries-dogfood", "treeherder": { "machine": { "platform": "b2g-device-image" }, "groupName": "Aries Device Image", "groupSymbol": "Aries-DogFood", "symbol": "B", "collection": { "debug": true } }, "build_type": "debug" }, "created": "2016-03-07T20:40:09.443Z", "schedulerId": "task-graph-scheduler", "deadline": "2016-03-08T20:40:09.469Z", "routes": [ "index.gecko.v1..revision.linux.non_dogfood-dogfood_build.aries-dogfood.debug", "index.gecko.v1..latest.linux.aries-dogfood.debug" ], "payload": { "maxRunTime": 14400, "image": "taskclusterprivate/phone-builder:0.99.22", "artifacts": { "private/build": { "path": "/home/worker/artifacts/", "expires": "2017-03-07T20:40:09.474074Z", "type": "directory" }, "public/build": { "path": "/home/worker/artifacts-public/", "expires": "2017-03-07T20:40:09.474173Z", "type": "directory" } }, "command": [ "checkout-gecko workspace && cd ./workspace/gecko/testing/taskcluster/scripts/phone-builder && buildbot_step 'Build' ./build-phone-ota.sh $HOME/workspace\n" ], "env": { "MOZ_BUILD_DATE": "20160212150237", "TARGET": "aries", "GECKO_HEAD_REV": "non_dogfood-dogfood_build", "VARIANT": "userdebug", "MOZHARNESS_CONFIG": "b2g/taskcluster-spark-dogfood.py", "DEBUG": 0, "GECKO_BASE_REPOSITORY": "https://github.com/nhirata/gecko-dev", "MOZILLA_OFFICIAL": "1", "GECKO_HEAD_REPOSITORY": "https://github.com/nhirata/gecko-dev", "REPO_TRACE": 1, "GECKO_HEAD_REF": "non_dogfood-dogfood_build", "ENABLE_DEFAULT_BOOTANIMATION": "true", "B2G_UPDATER": "1", "B2G_UPDATE_CHANNEL": "nightly" } }, "provisionerId": "aws-provisioner-v1", "metadata": { "owner": "mozilla-taskcluster-maintenance@mozilla.com", "source": "https://github.com/nhirata/gecko-dev", "description": "Android phones + b2g environment used in full stack testing.\n", "name": "[TC] B2G Aries Dogfood" }, "priority": "normal", "retries": 5, "taskGroupId": "YznMHpmzS5KuWwheQlNbxw", "expires": "2017-03-08T20:40:09.469Z" } time: 2016-03-07T20:41:47.486Z details: { "scopesets": [ [ "queue:route:index.gecko.v1..revision.linux.non_dogfood-dogfood_build.aries-dogfood.debug", "queue:route:index.gecko.v1..latest.linux.aries-dogfood.debug" ] ], "scopes": [ "assume:hook-id:garbage/*", "assume:moz-tree:level:1", "assume:moz-tree:level:2", "assume:moz-tree:level:3", "assume:mozilla-group:scm_level_1", "assume:mozilla-group:scm_level_2", "assume:mozilla-group:scm_level_3", "assume:mozilla-group:team_moco", "assume:mozilla-user:nhirata@mozilla.com", "assume:worker-id:*", "auth:create-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:create-role:*", "auth:delete-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:reset-access-token:mozilla-ldap/nhirata@mozilla.com/*", "auth:update-client:mozilla-ldap/nhirata@mozilla.com/*", "auth:update-role:*", "docker-worker:cache:level-1-*", "docker-worker:cache:level-2-*", "docker-worker:cache:level-3-*", "docker-worker:cache:tooltool-cache", "docker-worker:capability:device:loopbackAudio", "docker-worker:capability:device:loopbackVideo", "docker-worker:capability:device:phone", "docker-worker:capability:privileged", "docker-worker:feature:allowPtrace", "docker-worker:feature:balrogVPNProxy", "docker-worker:image:quay.io/mozilla/builder:*", "docker-worker:image:quay.io/mozilla/decision:*", "docker-worker:image:taskcluster/builder:*", "docker-worker:image:taskcluster/tester:*", "docker-worker:image:taskclusterprivate/phone-builder:*", "docker-worker:image:taskclusterprivate/taskcluster-vpn-proxy:*", "docker-worker:image:taskclusterprivate/tester-device:*", "docker-worker:image:taskclusterprivate/upload_symbols:*", "docker-worker:relengapi-proxy:tooltool.download.internal", "docker-worker:relengapi-proxy:tooltool.download.public", "hooks:modify-hook:garbage/*", "queue:create-task:aws-provisioner-v1/ami-test*", "queue:create-task:aws-provisioner-v1/android-api-*", "queue:create-task:aws-provisioner-v1/b2g-desktop-*", "queue:create-task:aws-provisioner-v1/b2gbuild*", "queue:create-task:aws-provisioner-v1/b2gtest*", "queue:create-task:aws-provisioner-v1/balrog", "queue:create-task:aws-provisioner-v1/build-c4-2xlarge", "queue:create-task:aws-provisioner-v1/dbg-*", "queue:create-task:aws-provisioner-v1/desktop-test*", "queue:create-task:aws-provisioner-v1/dolphin", "queue:create-task:aws-provisioner-v1/emulator-*", "queue:create-task:aws-provisioner-v1/flame-kk*", "queue:create-task:aws-provisioner-v1/gecko-decision", "queue:create-task:aws-provisioner-v1/mulet-debug", "queue:create-task:aws-provisioner-v1/mulet-opt", "queue:create-task:aws-provisioner-v1/opt-*", "queue:create-task:aws-provisioner-v1/rustbuild", "queue:create-task:aws-provisioner-v1/spidermonkey", "queue:create-task:aws-provisioner-v1/symbol-upload", "queue:create-task:aws-provisioner-v1/taskcluster-images", "queue:create-task:aws-provisioner-v1/test-c4-2xlarge", "queue:create-task:aws-provisioner-v1/testdroid-device", "queue:create-task:aws-provisioner-v1/win2012r2", "queue:create-task:aws-provisioner-v1/y-2012", "queue:define-task:aws-provisioner-v1/build-c4-2xlarge", "queue:define-task:aws-provisioner-v1/taskcluster-images", "queue:define-task:aws-provisioner-v1/test-c4-2xlarge", "queue:get-artifact:private/*", "queue:rerun-task", "queue:resolve-task", "scheduler:create-task-graph", "scheduler:extend-task-graph", "secrets:get:project/releng/gecko/build/api-keys" ] }

Comment 1

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Removing the routing scopes makes it work, but then it's not accessible via the routes on taskcluster.

Comment 2

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

I'm not sure what the scope is suppose to be and which routes should I be able to change?

Comment 3

[Dustin J. Mitchell [:dustin] (he/him)]

Are you logged in via LDAP when making this request, or using your permacreds?

Comment 4

[Dustin J. Mitchell [:dustin] (he/him)]

Looks like you are.  I do see
  queue:route:index.gecko.v1..revision.linux.non_dogfood-dogfood_build.aries-dogfood.debug
which doesn't look right, as <project> is empty.  At any rate, the gecko.v1.<project> routes are only granted to the repositories themselves, e.g.,
  https://tools.taskcluster.net/auth/roles/#repo:hg.mozilla.org%252fmozilla-central:*
this is intentional: if you are creating tasks by hand, we do not want those to pollute the index (which should only contain automation tasks).

So, you should be able to submit the resulting task if you strip the `index` property from it.

Comment 5

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

So that means that you can't access it by index, meaning if you lost the ID, then it's basically lost?  Sounds to me like dereferencing a pointer without deleting setting the pointer to null; basically taking up storage and not knowing how to get to it.

Comment 6

[Dustin J. Mitchell [:dustin] (he/him)]

Well, if you can't access it by the index, *and* you've lost the ID, then you'll have a hard time finding the task, yes.  It's OK, though, they're garbage collected.