Closed Bug 1365372 Opened 7 years ago Closed 7 years ago

releng work for new Leanplum SDK private app tokens

Categories

(Infrastructure & Operations Graveyard :: CIDuty, task)

Product:
Infrastructure & Operations Graveyard
Component:
CIDuty
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(firefox55 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: kmoir, Assigned: aobreja, NeedInfo)

References

Details

(Whiteboard: [LP_M1])

Attachments

(2 files)

bug1365372_mozharness.patch
1.08 KB, text/plain
Details
Bug 1365372 - Add Leanplum SDK private app tokens
59 bytes, text/x-review-board-request
catlee
: review+
Details 
see bug 1365089 for details

Similar work was done in bug 1365089 

I know the buildduty folks have a lot on their plate now so just as a fyi this bug doesn't supercede existing work on your plate in terms of priority.
Blocks: 1365089
(In reply to Nevin Chen [:nechen] from comment #10)
> If you need the app_id and access_key for each channel. Please feel free to
> let me know.

Nevin: we will absolutely need to get kmoir the relevant token files for release, beta, and nightly.  You'll need to GPG encrypt them and send them to kmoir, like mfinkle did in https://bugzilla.mozilla.org/show_bug.cgi?id=1152871#c4.  kmoir's key is available at

https://gpg.mozilla.org/pks/lookup?search=kmoir%40mozilla.com

kmoir: the files can go in /build or wherever all the other tokens are, and then we can update the patches in Bug 1365089.
Flags: needinfo?(cnevinchen)
Probably someone from buildduty will do this work so I'm not sure using my key is the best path until someone is assigned this work.
I've sent out an email to Kim. If I did it wrong, please feel free to tell me.
Flags: needinfo?(cnevinchen)
Andrei would this be something you could look into once you are done with the security work?
Flags: needinfo?(aobreja)
Kim,sure I can take care of this bug,if is not that urgent I can check it next week after I come from PTO.

I have one question here (https://bugzilla.mozilla.org/show_bug.cgi?id=1152871#c5),where is hiera cache ,where I should add the tokens.
Flags: needinfo?(aobreja)
Assignee: nobody → aobreja
(In reply to Andrei Obreja [:aobreja][:buildduty] from comment #5)
> Kim,sure I can take care of this bug,if is not that urgent I can check it
> next week after I come from PTO.
> 
> I have one question here
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1152871#c5),where is hiera
> cache ,where I should add the tokens.

Hey, may I know the ETA of this?
It's quite urgent for us because it's a testing blocker.
w/o this the fennec nightly build doesn't have the LeanPlum SDK (Bug 1361664) functionality working at all.
My apology for keeping pushing, but this is essential to unblock testing.
We are aiming to have everything ready for testing by end of this week. Is that achievable ?
Flags: needinfo?(aobreja)
Andrei is on PTO until Thursday. 

What are the values for the tokens?

It looks like these are requested here

https://bugzilla.mozilla.org/show_bug.cgi?id=1365089#c17

We need the values before we can implement them in production.
Flags: needinfo?(aobreja)
I've sent out the email to you again. Please help verify. Thank you!
Flags: needinfo?(kmoir)
I won't be able to get to this bug, I have too much other work on my plate.  Andrei, can you make writing patches for this bug your first priority when you return to work tomorrow?  Bug 1152871 is an example of previous work that is similar to this request. However, we build Android on taskcluster now so there are probably changes required.
Flags: needinfo?(kmoir) → needinfo?(aobreja)
Hi Andrei
I've sent out an email with tokens to you. Please help verify:) Thanks!
So I talked to catlee about this bug today and mentioned that since we build on taskcluster, these secrets are stored here

https://tools.taskcluster.net/secrets/

You can see examples of the adjust.sdk tokens there, similar to what we will be doing for Leanplum sdk
Thank you! Kim!

But when I want to create a secret with name "/builds/leanplum-sdk.token"
It said "You do not have sufficient scopes. This request requires you to have one of the following sets of scopes"

What should I do? Thanks!
Flags: needinfo?(kmoir)
(In reply to Nevin Chen [:nechen] from comment #13)
> Thank you! Kim!
> 
btw, do you know what leve-2 and level-3 means? I can't find it in the document.
NI to Chris: 
Hey, is it possible to assign someone from RelEng to support this urgent task? It's no ideally efficient for Fennec front-end developer to spend hours trying to handle by their own.

NI Mike Han as he's the major stakeholder. This is a potential risk factor.
Flags: needinfo?(mhan)
Flags: needinfo?(catlee)
The secrets should be named something like this:

project/releng/gecko/build/level-2/adjust-sdk.token
project/releng/gecko/build/level-3/adjust-sdk-beta.token
project/releng/gecko/build/level-3/adjust-sdk-release.token

Level 2 / 3 refers to the trust level of the HG repository the builds are happening on.

mozilla-central, beta, and release are level3 repositories.

Do you need a separate token for try / inbound / autoland?
Flags: needinfo?(catlee)
Added leanplum-sdk-nightly-beta.token and leanplum-sdk-release.token for level 2 and level 3 on https://tools.taskcluster.net/secrets/
Flags: needinfo?(kmoir)
Flags: needinfo?(aobreja)
Attached file bug1365372_mozharness.patch — 
The patch to add the tokens on releng_base_android_64_builds.
Attachment #8871305 - Flags: review?(catlee)
Hi Andrei
Thanks for the support. 
According to comment 16, Should it be three entries like below? 
project/releng/gecko/build/level-2/adjust-sdk.token
project/releng/gecko/build/level-3/adjust-sdk-beta.token
project/releng/gecko/build/level-3/adjust-sdk-release.token


Thanks again for your help!
Flags: needinfo?(catlee)
(In reply to Chris AtLee [:catlee] from comment #16)
> The secrets should be named something like this:
> 
> 
> mozilla-central, beta, and release are level3 repositories.
> 
> Do you need a separate token for try / inbound / autoland?

Hi Chris, thank you for the promot reply. I don't really know why try / inbound / autoland should use separate token. So I guess it's not neccesarry? Since this libray(Leanplum) will charge us by how many use it. So I  want to restric to only let nightly, beta, and release build use those keys.
> According to comment 16, Should it be three entries like below? 
> project/releng/gecko/build/level-2/adjust-sdk.token
> project/releng/gecko/build/level-3/adjust-sdk-beta.token
> project/releng/gecko/build/level-3/adjust-sdk-release.token

Hi Nevin

you will have the bellow list:

project/releng/gecko/build/level-2/leanplum-sdk-nightly-beta.token
project/releng/gecko/build/level-2/leanplum-sdk-release.token
project/releng/gecko/build/level-3/leanplum-sdk-nightly-beta.token
project/releng/gecko/build/level-3/leanplum-sdk-release.token

A token for each case(nightly-beta and release)but we also need to push the patch from comment18 in order to work.
Hi Andrei.
Can you separate project/releng/gecko/build/level-3/leanplum-sdk-nightly-beta.token and make it 
project/releng/gecko/build/level-3/leanplum-sdk-beta.token
and
project/releng/gecko/build/level-3/leanplum-sdk-nightly.token
?
I may want to have the flexibility to separate nightly key and beta key in the future.
Flags: needinfo?(aobreja)
Comment on attachment 8871390 [details]
Bug 1365372 - Add Leanplum SDK private app tokens

https://reviewboard.mozilla.org/r/142866/#review146602
Attachment #8871390 - Flags: review?(catlee) → review+
Attachment #8871305 - Attachment is patch: false
Pushed by nechen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/297b1dcda856
Add Leanplum SDK private app tokens r=catlee
https://hg.mozilla.org/mozilla-central/rev/297b1dcda856
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
I'm writing down some notes here.

Our previous design is release use one api token, nightly and beta use another token.
pros:
Use Leanplum's "User attribute" to separate the users in Beta and Nightly. The user only need to maintain one message setting between Nightly and Beta in Leanplum backend. 

cons:
1. If we forget to set the target user in Nightly and Beta, there'll be ~200K Beta users affected.
2. Nightly and Beta have different code and bug, same Leanplum marketing setting may not fit everyone.
3. Leanplum message can target different user attribute, but don't know for other features yet (Push Notification/Vairaible/Onboarding UI)
4. I'm also not sure about the data presentation looks like in Leanplum Admin when Nightly and Beta User mixed together. There may be a way to distinquish that but I currently don't have the time to investigate.
5. It's easier to separate now. It'll be hard if we want to separate later.

Another approach is separate each Channel with different Leanplum App token. This will fix above issues but need to maintain the message list. 

In the last patch I provided(copy from Andrei's :p ) uses different secrets for different channels. But the content of those secret (Beta and Nightly) are the same. So the patch provide the flexibility to change them in the future without landing new code. We might want to update the secrets and make them link to different Leanplum App before Bug 1361664 get into beta.

Thank you all for your effort and kind support!
Flags: needinfo?(nalexander)
Flags: needinfo?(jcheng)
Flags: needinfo?(catlee)
Flags: needinfo?(aobreja)
Technical note first:

> In the last patch I provided(copy from Andrei's :p ) uses different secrets
> for different channels. But the content of those secret (Beta and Nightly)
> are the same. So the patch provide the flexibility to change them in the
> future without landing new code. We might want to update the secrets and
> make them link to different Leanplum App before Bug 1361664 get into beta.

I expect you will regret doing this.  Fennec users do not upgrade very quickly, so as soon as you switch the ID contents to separate Beta and Nightly, you will have users with {Nightly vOLD, beta-and-nightly-ID} and {Nightly vNEW, nightly-only-ID}.  So you have even more user populations that you need to manage.

jcheng: very shortly you will have three different code bases (one for each release channel), each of which you will want to experiment with (and hotfix!) independently.  I strongly recommend that you figure out how to target each channel independently _before_ you need to do so in a rush (to work around a bug, for example).

I see two options:

1) We allocate one Leanplum ID for all Mozilla products and trust that Leanplum's "User Attribute" or version targeting lets us control each release channel independently.

2) We allocate one Leanplum ID for each Mozilla release channel, and accept that Leanplum's analytics might not be intended to work across IDs in this way.

I do not know how Leanplum expects to be configured in this situation, but I do know you need to understand _exactly_ how you're going to handle this situation before we enable this code in any release channel.

In the meantime, I will ensure that the current patch is technically acceptable.
Flags: needinfo?(nalexander)
Over in https://treeherder.mozilla.org/#/jobs?repo=try&revision=02b1d0f489ef43815a5754ed66c76a50365672ea&selectedJob=102454766

I see:

[task 2017-05-26T19:37:25.839039Z] 19:37:25     INFO -  checking for the Leanplum SDK key... no
[task 2017-05-26T19:37:25.839215Z] 19:37:25     INFO -  ERROR: '/builds/leanplum-sdk-nightly.token': No such file or directory.

What am I doing wrong?
Flags: needinfo?(cnevinchen)
Flags: needinfo?(catlee)
https://hg.mozilla.org/mozilla-central/rev/297b1dcda856#l1.18 has

+        {'filename': '/builds/leanplum-sdk-nightly.token',

and I've just checked that my copy-pasta looks correct in the two places.
The file name looks correct to me. I don't know what's going on...
Flags: needinfo?(cnevinchen)
The way we have it set up involves a few components.

mozharness configs [1] specify what secret names to fetch from the TC secret service, and for which SCM level. The patch that landed specified no secrets were required for try.

mozconfig [2] specifies which token to use for which channel name.

Finally, the taskcluster secret service [3] hosts the tokens, protected by scopes appropriate to each SCM level.

Right now we have no level-1 tokens in Try, the mozconfigs aren't looking for try tokens, and mozharness isn't trying to download any tokens on try.

The approach used by the adjust SDK may be appropriate for Try? Have a dummy token in-tree that you can use in the absence of one of the real tokens?


[1] https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/configs/builds/releng_base_android_64_builds.py#41

[2] https://dxr.mozilla.org/mozilla-central/source/mobile/android/config/mozconfigs/common#60

[3] https://tools.taskcluster.net/secrets/
Flags: needinfo?(catlee)
> The approach used by the adjust SDK may be appropriate for Try? Have a dummy
> token in-tree that you can use in the absence of one of the real tokens?

nechen: this works for Adjust because the dummy, in-tree token really works with the Adjust sandbox.  (At least, it did when I was testing.)  I'm okay with pushing a bogus default token in-tree (like we had before) if it's OK to have Leanplum enabled but totally broken in every local build.
Flags: needinfo?(cnevinchen)
Thanks for the help!
Please correct me if I'm wrong. That's my imagination:

Nightly 's       MOZ_ANDRORID_MMA build flat is true,  so the implementation is Leamplum. It has the real token
Local builds's   MOZ_ANDRORID_MMA build flat is false, so the implementation is Stumb   . It has the fake token

Shouldn't try build use the same setting as Nightly?

btw, using a wrong app_id / key in real Leamplum impl won't break anything. Leanplum just won't start.

Hi catlee
What is Level 1 SCM? Thanks!
Flags: needinfo?(nalexander)
Flags: needinfo?(cnevinchen)
Flags: needinfo?(catlee)
(In reply to Nick Alexander :nalexander from comment #34)
> > The approach used by the adjust SDK may be appropriate for Try? Have a dummy
> > token in-tree that you can use in the absence of one of the real tokens?
> 
> nechen: this works for Adjust because the dummy, in-tree token really works
> with the Adjust sandbox.  (At least, it did when I was testing.)  I'm okay
> with pushing a bogus default token in-tree (like we had before) if it's OK
> to have Leanplum enabled but totally broken in every local build.

Sorry I don't understand.
In local build, why Leanplum is enable? Do you mean it's enabled by default? Or enabled by dev's local mozconfig?
If it's enabled by developers's local mozconfig, it should be fine using a fake token. Leanplum won't crash if the token is fake when I were doing the development.
Thanks for your help!
Hi Chris. Thansk for the help!

Bug 1365089 is backed out for breaking Android L10n nightlies:

Error message is below:
https://hg.mozilla.org/mozilla-central/rev/1815768e6a1f7d9027c3c8400e324fc6dde70879

Push showing failures (previous merge had other bustage):
https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&revision=35099b4caec14bf0e3c5e3fed7a17dd3faf51dbe&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable
Failure log:
https://treeherder.mozilla.org/logviewer.html#?job_id=102597476&repo=mozilla-central
[task 2017-05-27T16:47:58.173109Z] 16:47:58     INFO -  checking for the
Leanplum SDK key... no
[task 2017-05-27T16:47:58.173507Z] 16:47:58     INFO -  ERROR:
'/builds/leanplum-sdk-nightly.token': No such file or directory.


May I know why? I thgought the issue in comment 30 only happens in try builds.
Please advise what I did wrong ?
Add NI
Flags: needinfo?(kmoir)
Flags: needinfo?(aobreja)
I answered that question at https://bugzilla.mozilla.org/show_bug.cgi?id=1365089#c48. The taskcluster secrets seem fine to me, the single locale repacks just their mozconfig adjusted to avoid the configure checks to the leanplum sdk, like we do for adjust already.
Flags: needinfo?(kmoir)
Flags: needinfo?(catlee)
Flags: needinfo?(aobreja)
Updated these secrets at nechen's request:
project/releng/gecko/build/level-3/leanplum-sdk-beta.token
project/releng/gecko/build/level-3/leanplum-sdk-nightly.token
project/releng/gecko/build/level-2/leanplum-sdk-beta.token
project/releng/gecko/build/level-2/leanplum-sdk-nightly.token
Flags: needinfo?(nalexander)
Attachment #8871305 - Flags: review?(catlee)
Hi Nevin, per our discussion offline, we will use separate keys for different channels
Flags: needinfo?(jcheng)
Hi Jean
Should we put Android in separate Leanplum team so that iOS and Android could have separate admin group in Leaplum bakcend? This will affect how we setup the token here.
Flags: needinfo?(jcollings)
(In reply to Wesley Huang [:wesley_huang] (EPM) (NI me) from comment #15)
> NI to Chris: 
> Hey, is it possible to assign someone from RelEng to support this urgent
> task? It's no ideally efficient for Fennec front-end developer to spend
> hours trying to handle by their own.
> 
> NI Mike Han as he's the major stakeholder. This is a potential risk factor.
Flags: needinfo?(mhan)
Whiteboard: [LP_M2]
Whiteboard: [LP_M2] → [LP_M1]
Product: Release Engineering → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: