1184935 - Create read-only credentials for the Jenkins running the acceptance tests

Status: VERIFIED FIXED

(Taskcluster :: Operations and Service Requests, task)

Description

[Johan Lorenzo [:jlorenzo]]

For downloading images on the QA Jenkins, with these scripts, we need credentials that are allowed to download private builds (like [2]). 

[1] https://github.com/askeing/taskcluster-util-python
[2] https://tools.taskcluster.net/index/artifacts/#gecko.v1.mozilla-central.latest.linux.flame-kk-spark-eng/gecko.v1.mozilla-central.latest.linux.flame-kk-spark-eng.opt

Comment 1

[Johan Lorenzo [:jlorenzo]]

Based on bug 1179080, you seem the right person to ask a new key to, Jonas. If so, I can give my public GPG key to you.

Comment 2

[Jonas Finnemann Jensen (:jonasfj)]

So quick background info:
  TC creds:        clientId/accessToken always maps to a set of scopes.
  Scopes:          A scope is a string
  Satisfiability:  A scope X satisfies Y, if X == Y or X = Z"*" and Z is a prefix of Y.
                   Example: queue:get-artifact:* satisfies queue:get-artifact:private/build/* which in
                            turn satisfies queue:get-artifact:private/build/gaia.zip
-----------------
No scopes are required to lookup things in the index [1].
But scopes are required to download an artifact [2], unless the artifact is prefixed "public/".
Tip: index now has findArtifactFromTask [3] to do task lookup and redirect to artifact immediately.

For downloading the artifacts you probably want the scope:
  queue:get-artifact:private/build/*

That gives you the following scopes by implication:
  queue:get-artifact:private/build/b2g-android-arm.tar.gz
  queue:get-artifact:private/build/b2g-crashreporter-symbols.zip
  queue:get-artifact:private/build/flame-kk.zip
  queue:get-artifact:private/build/gaia.zip
  queue:get-artifact:private/build/sources.xml
But it will NOT give you:
  queue:get-artifact:private/other-build/something.zip

Would that work for you? If so drop me a link to your GPG key :)

---
[1] http://docs.taskcluster.net/services/index/#findTask
[2] http://docs.taskcluster.net/queue/api-docs/#getLatestArtifact
[3] http://docs.taskcluster.net/services/index/#findArtifactFromTask

Comment 3

[Jonas Finnemann Jensen (:jonasfj)]

Oh, also in the app where we manage credentials they all have a cute little name.
Like my perma credentials are called "jonasfj", the ones used by buildbot bridge is called "buildbot-bridge", what should we call yours?

Is it like gaia-qa-jenkins or b2g-qe-jenkins.
Also there is room for a small description of the credentials, if you have two lines I can add briefly explaining where the service lives, what it does, who owns it, point of contact, etc.
That would be great.

I'm sure documentation like "name" and "description" is going to make an inevitable review of all credentials a lot easier... And stop us from accidentally deleting you credentials :)

Comment 4

[Johan Lorenzo [:jlorenzo]]

(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #2) 
> For downloading the artifacts you probably want the scope:
>   queue:get-artifact:private/build/*
> 
> Would that work for you? If so drop me a link to your GPG key :)

Yes, I think that'll be enough for just downloading the build artifacts. 

For the details:
* name: b2g-qa-jenkins.
* description: Makes QA's Jenkins being able to download Firefox OS builds. Owned by the Firefox OS QA team. Point of contact: Johan Lorenzo

Here's the link to my public key: https://goo.gl/EH4RZU

Thanks!

Comment 5

[Jonas Finnemann Jensen (:jonasfj)]

@jlorenzo,
I send you an encrypted email with the credentials, reopen if you have any problems with those.
They should work for downloading private artifacts.

Comment 6

[Johan Lorenzo [:jlorenzo]]

The credentials are able to download every file present at https://tools.taskcluster.net/index/artifacts/#gecko.v1.mozilla-central.latest.linux.flame-kk-spark-eng/gecko.v1.mozilla-central.latest.linux.flame-kk-spark-eng .

Thank you very much!