Closed
Bug 661629
Opened 13 years ago
Closed 13 years ago
LDAP Access for AutolandTools
Categories
(Infrastructure & Operations :: RelOps: General, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mjessome, Assigned: nmeyerhans)
References
Details
We need a way to check user access permissions (L1/L3) when autolanding patches with the autoland tools. See https://wiki.mozilla.org/BugzillaAutoLanding#Security Thanks
Updated•13 years ago
Assignee: server-ops-releng → ebalangue
Comment 2•13 years ago
I apologize but I'm not sure what needs done here. If someone could provide me with a scope of what needs done, I'll be more than happy to take care of it.
Comment 3•13 years ago (Reporter)
Sorry for being unclear. We are writing a set of tools that take flagged patches from bugzilla, autoland them to the try servers, and, if all conditions are met, to trunk. In order to ensure that the reviewers/committers actually have the required credentials to perform these actions, our tools need to be able to check whether a given user (or set of users) has the correct bits set on their accounts specifying that they do, in fact, have the correct commit access level.
Comment 4•13 years ago
rtucker: This is early days, we'll need to sit down with our LDAP guru (is that you?) and figure out how to implement this well.
Comment 5•13 years ago
zandr: I am not an LDAP guru, but I do understand it pretty well, so perhaps I could help. justdave and cshields would be who I would probably consider to be our ldap gurus.
Comment 6•13 years ago
I'm moving this over to the server ops general queue for more LDAP discussion.
Assignee: server-ops-releng → server-ops
Component: Server Operations: RelEng → Server Operations
QA Contact: zandr → mrz
Updated•13 years ago
Group: infra
Comment 7•13 years ago (Reporter)
I have just talked to catlee a bit about our requirements for this. Since it seems that authentication & permissions are necessary in order to search LDAP, we are wondering what the best method is to give an application permission to search without the need for a specific user's credentials. Is it possible to give the machine access permissions without the need for authentication, or would we need credentials for the application to authenticate itself on each search? Also, as mentioned before, the application is checking for user commit permissions. How are these permission groups handled and stored on the Mozilla LDAP?
Component: Server Operations → Server Operations: RelEng
Updated•13 years ago
Assignee: server-ops → nmeyerhans
Updated•13 years ago
Group: infra
Comment 8•13 years ago (Assignee)
1. An ldap bind user is required. This will be a username/password pair that can authenticate to ldap and query it for group memberships for a given username. I'll create this user and communicate the details to Marc out-of-band.
2. Details about vcs permissions: The ldap group you care about is cn=scm_level_1,ou=groups,dc=mozilla (and scm_level_2, etc). You should be able to check that a given user (identified by email address) is in this group.
Status: NEW → ASSIGNED
Comment 9•13 years ago (Assignee)
Actually, if the machines where this service will run are already integrated into ldap, you should be able to query for group membership locally. For example, on the master hg hosts, I can run "groups nmeyerhans@mozilla.com" and get a list of the ldap groups of which I'm a member. If this works on your systems, you don't need to talk directly to ldap at all and don't need a bind user. If that works for you, it's a preferable solution from my point of view.
Comment 10•13 years ago
I don't think that will work because we need to query based on both ldap username and bugzilla username.
Comment 11•13 years ago (Assignee)
I'm not sure you'll be able to query based on bugzilla username. There's no mapping between bugzilla usernames and scm_level_* membership.
Comment 12•13 years ago (Reporter)
(In reply to comment #11)
> I'm not sure you'll be able to query based on bugzilla username. There's no
> mapping between bugzilla usernames and scm_level_* membership.
I think what catlee meant to say was that we would search for the LDAP username by querying using the bugzilla_email field in the user's LDAP entry. This seems to be the only connection between Bugzilla and LDAP identities. AFAIK though, bugzilla_email is not a mandatory field in a user's LDAP account.
Status: ASSIGNED → NEW
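An added example (not code from this bug or from the autoland tools) of the two-step lookup described in comments 8 and 12: find the login entry whose bugzilla_email matches, then check that the login is a member of cn=scm_level_N,ou=groups,dc=mozilla. The in-memory directory, the attribute names bugzilla_email/mail/member and the example addresses are constructed assumptions; a real deployment would issue the same two searches as the bind user. It also shows why the Bugzilla-supplied address must be escaped before it goes into a filter, and that a login with no bugzilla_email fails closed.

```python
import re

BASE_LOGINS = "ou=logins,dc=mozilla"
BASE_GROUPS = "ou=groups,dc=mozilla"

# Constructed sample directory, not real Mozilla data. Assumes group entries
# list their members by DN in a 'member' attribute (an assumption).
DIRECTORY = {
    "mail=alice@example.org," + BASE_LOGINS: {
        "mail": "alice@example.org", "bugzilla_email": "alice@bugs.example.org"},
    "mail=bob@example.org," + BASE_LOGINS: {"mail": "bob@example.org"},  # no bugzilla_email
    "cn=scm_level_1," + BASE_GROUPS: {"member": ["mail=alice@example.org," + BASE_LOGINS,
                                                 "mail=bob@example.org," + BASE_LOGINS]},
    "cn=scm_level_3," + BASE_GROUPS: {"member": ["mail=alice@example.org," + BASE_LOGINS]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a Bugzilla-supplied address must not rewrite the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def filter_to_regex(pattern):
    """Interpret an assertion value as a server would: '*' is a wildcard, '\\xx' a literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "*":
            out.append(".*"); i += 1
        elif pattern[i] == "\\":
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16)))); i += 3
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def ldap_search(base, ldap_filter):
    """Stand-in for the bind user's '(attr=value)' search under base; returns matching DNs."""
    attr, _, pattern = ldap_filter[1:-1].partition("=")
    rx = filter_to_regex(pattern)
    def values(entry):  # LDAP attributes are multi-valued; normalise single strings
        v = entry.get(attr, [])
        return v if isinstance(v, list) else [v]
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith(base) and any(rx.match(v) for v in values(e))]

def has_scm_level(bugzilla_email, level):
    """True iff exactly one login maps to bugzilla_email and it is in scm_level_<level>; fails closed."""
    logins = ldap_search(BASE_LOGINS, "(bugzilla_email=%s)" % escape_filter_value(bugzilla_email))
    if len(logins) != 1:
        return False
    groups = ldap_search(BASE_GROUPS, "(member=%s)" % escape_filter_value(logins[0]))
    return "cn=scm_level_%d,%s" % (level, BASE_GROUPS) in groups
```

To run against the real directory, replace ldap_search with a python-ldap or ldap3 search performed by the bind user; the escaping and the fail-closed logic stay the same.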
Comment 13•13 years ago (Assignee)
I've created uid=autolanduser,ou=logins,dc=mozilla in ldap and communicated the password to Marc.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•11 years ago
Component: Server Operations: RelEng → RelOps
Product: mozilla.org → Infrastructure & Operations