Closed Bug 1032657 Opened 10 years ago Closed 9 years ago

Remove permission checks for retriggering/cancelling jobs since LDAP handles permissions

Categories

(Tree Management :: Treeherder, defect, P2)

Product:
Tree Management
Component:
Treeherder
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: philor, Unassigned)

References

Details

Complimentary to, but not the same as, bug 1032152.

tbpl intentionally allows anyone with a browser to star, but also intentionally passes the decision about who can retrigger jobs through the releng's decision based on LDAP. The worst that can happen with starring is that someone spams every suggested bug for each failure with one bug comment, which isn't particularly bad given that almost everyone thinks all tbplbot bug comments are spam anyway; the worst that can happen with retriggering is costing MoCo hundreds of dollars in cash paid to Amazon, and closing every tree for hours by tying up entire slave pools.

If we allow everyone to annotate on treeherder, we absolutely cannot and must not allow everyone to retrigger.

Whether or not we allow everyone to annotate, everyone who gets level-1 access to push to try also, immediately and without asking for anything additional, gets permission to use self-serve directly to retrigger, and should also get permission to use the easier retriggering of treeherder. And in reverse, anyone who gets their access revoked (which may or may not have ever happened in anger, dunno) immediately loses the right to use self-serve, and shouldn't still have the right to retrigger through treeherder.

Retriggering from the browser directly to self-serve, bypassing treeherder permissions entirely, gives exactly the ACL retriggering should have; any attempt to pass through treeherder permissions can at best only give exactly the ACL that was in effect at some time, since even if someone finds out whether self-serve currently requires only the existence of an LDAP account or requires some bit set on it, that doesn't mean that someone changing the requirement for self-serve will remember that treeherder has a shadow system that needs to also change.
Blocks: treeherder-sheriff-transition
Priority: -- → P1
Summary: Uncouple comment permission from retrigger permission, pass retrigger permission through to self-serve's decision → Remove permission checks for retriggering/cancelling jobs since LDAP handles permissions
Priority: P1 → P2
(In reply to Phil Ringnalda (:philor) from comment #0)
> If we allow everyone to annotate on treeherder, we absolutely cannot and
> must not allow everyone to retrigger.

Treeherder still uses self-serve from the client, so isn't different from TBPL in this respect - so we can just drop the permission check entirely, since the LDAP auth will handle it.
You are able to retrigger without logging in to Treeherder.  There are no permission checks in treeherder for this.  So it should be the same workflow as TBPL (asks for LDAP login in door-hanger on retrigger).

I'm going to close this as WFM.  But if there's a workflow that is not allowing you to retrigger when logged out, please reopen and write out the steps.  We'll fix it.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
STR:
1. Don't be logged in (e.g. use a private browsing window)
2. Go to a specific revision (e.g. https://treeherder.mozilla.org/#/jobs?repo=try&revision=bf35ede05d70 )
3. Click a job
4. Click the circle-arrow ("Retrigger this job")
5. Salmon-colored "Must be logged in to retrigger a job" message shows up in the top-right corner
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Please file new bugs when the original bug was correct at time of closing, the symptoms and reasons have changed since then.

In this case this new behaviour is expected for now, see https://bugzilla.mozilla.org/show_bug.cgi?id=1138248#c4
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.