Closed Bug 1218523 Opened 10 years ago Closed 10 years ago

Straighten out tc-github credentials

Categories

(Taskcluster :: Services, defect)

Product:
Taskcluster
Component:
Services
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

References

Details

I see two clients for taskcluster-github: kd-b_FdrSJ-4Gr3FF4IOpA - ### Imported: github-taskcluster * O6yB_zofTjCAjPSu4iYKoA - ### Imported: taskcluster-github assume:client-id:O6yB_zofTjCAjPSu4iYKoA assume:worker-type:test/test assume:worker-id:test/test assume:scheduler-id:* scheduler:* docker-worker:* queue:* Which one is in use (so we can delete the other)? And can we trim down the scopes at all?
Flags: needinfo?(winter2718)
(In reply to Dustin J. Mitchell [:dustin] from comment #0) > I see two clients for taskcluster-github: > > kd-b_FdrSJ-4Gr3FF4IOpA - ### Imported: github-taskcluster > * > > O6yB_zofTjCAjPSu4iYKoA - ### Imported: taskcluster-github > assume:client-id:O6yB_zofTjCAjPSu4iYKoA > assume:worker-type:test/test > assume:worker-id:test/test > assume:scheduler-id:* > scheduler:* > docker-worker:* > queue:* > > Which one is in use (so we can delete the other)? And can we trim down the > scopes at all? The one with star scopes is definitely not one to have around. I'm using the second one. We can trim down the scopes, just keep in mind it that we'll also need to make changes to taskcluster-github's config parser: https://github.com/taskcluster/taskcluster-github/blob/master/lib/taskcluster-config.js#L36
Flags: needinfo?(winter2718)
OK, I disabled kd-b_FdrSJ-4Gr3FF4IOpA by resetting its accessKey. If nothing explodes, I'll delete the clientId and role soon. Left open for that purpose, and also to trim down scopes on O6yB_zofTjCAjPSu4iYKoA which as Morgan said is a little tricksy.
I needed to reset the access token and update heroku for gaia-taskcluster. Since about 4 hours ago, the fxos team has said no tests have been kicked off for pull requests. After looking into things, it appears around that same time gaia-taskcluster was reporting bad mac errors. I reset it, and for a recent PR I see a decision task. I am still unsure how gaia-taskcluster and autolander fit together, but it's clear that gaia-taskcluster plays some role in submitting decision tasks for gaia PRs
Ugh, sorry about that. Do you have a link to what went wrong, so I can use that to start figuring out how to reduce this to something less than `*`?
This was the earliest known event in papertrail: https://papertrailapp.com/systems/gaia-taskcluster/events?r=595642482579255297-595669888178368516 This was reported by stas on IRC when the lack of decision tasks for gaia was noticed: https://treeherder.mozilla.org/#/jobs?repo=gaia
OK, here's the proposal: - configure tc-github to attach `["assume:repo:github.com/$org/$repo:pull-request"]` to each task graph - attach some basic scopes to role "assume:repo:github.com/*": queue:create-task:aws-provisioner-v1/github-worker - change the tc-github clientId to have scheduler:create-task-graph assume:repo:github.com/* scheduler:route:taskcluster-github.* and call it good? If there are tasks out there with docker-worker routes, they will begin failing createTask, but most likely those routes aren't necessary anyway: docker:image:foo is only required if foo is a private image. And we probably don't get enough github pushes to justify using any caches. And they definitely shouldn't be using any of the balrog, releng, etc. proxies. So those .taskcluster.yml's will need to be edited to remove basically all of their scopes. Morgan, what do you think? If we want to be a little more analytical about this, if we can find a way to enumerate all or many tc-github task graphs, we could look at the scopes for those graphs and the constituent tasks and make a more informed decision about each one. I'm not sure that's worth the trouble, though.
Flags: needinfo?(winter2718)
(In reply to Dustin J. Mitchell [:dustin] from comment #6) > OK, here's the proposal: > > - configure tc-github to attach > `["assume:repo:github.com/$org/$repo:pull-request"]` to each task graph > - attach some basic scopes to role "assume:repo:github.com/*": > queue:create-task:aws-provisioner-v1/github-worker > - change the tc-github clientId to have > scheduler:create-task-graph > assume:repo:github.com/* > scheduler:route:taskcluster-github.* > > and call it good? If there are tasks out there with docker-worker routes, > they will begin failing createTask, but most likely those routes aren't > necessary anyway: docker:image:foo is only required if foo is a private > image. And we probably don't get enough github pushes to justify using any > caches. And they definitely shouldn't be using any of the balrog, releng, > etc. proxies. So those .taskcluster.yml's will need to be edited to remove > basically all of their scopes. > > Morgan, what do you think? If we want to be a little more analytical about > this, if we can find a way to enumerate all or many tc-github task graphs, > we could look at the scopes for those graphs and the constituent tasks and > make a more informed decision about each one. I'm not sure that's worth the > trouble, though. This looks good. Scopes are added by tc-github itself (user defined scopes are being overridden right now) so it will just mean submitting a quick easy patch to modify https://github.com/taskcluster/taskcluster-github/blob/master/lib/taskcluster-config.js#L36 :+1: Thanks for looking into this.
Flags: needinfo?(winter2718)
Morgan, can you deploy the pull req above if it looks OK to you?
Flags: needinfo?(winter2718)
(In reply to Dustin J. Mitchell [:dustin] from comment #9) > Morgan, can you deploy the pull req above if it looks OK to you? :+1: merged
Flags: needinfo?(winter2718)
OK, then, I'm cutting down the tc-github scopes to 'client-id:O6yB_zofTjCAjPSu4iYKoA': [ 'assume:scheduler-id:task-graph-scheduler/*', 'assume:repo:github.com/*', 'scheduler:create-task-graph', 'scheduler:route:taskcluster-github.*', ], (the scheduler-id role is required for scheduling tasks)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Component: Authentication → Services
You need to log in before you can comment on or make changes to this bug.