Closed Bug 1226018 Opened 9 years ago Closed 9 years ago

Modify BBB to look for scopes like `project:releng:buildbot-bridge:..`

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: dustin, Unassigned)

References

Details

Attachments

(2 files)

add the new scope
50 bytes, text/x-github-pull-request
dustin
: review+
Details | Review
upgrade dev+prod buildbot bridge
930 bytes, patch
dustin
: review+
bhearsum
: checked-in+
Details | Diff | Splinter Review
This puts `releng` nicely in the scope name so that it's easy to spot and anyone modifying scopes has a big red "THINK CAREFULLY ABOUT THIS" flag (just like IT won't touch anything with "releng" in the hostname.. good sides and bad sides to that..) It should be relatively simple to grant anything that currently has buildbot-bridge:foo the project:releng:buildbot-bridge:foo scope, then modify buildbot bridge to check for the latter, then remove the buidbot-bridge:foo scopes form task definitions, and once those tasks have completed, remove them from the roles.
Blocks: 1226240
Ben, is this something you could hack on at some point? It's not a huge change, I think.
Flags: needinfo?(bhearsum)
I'm pretty heads down in Balrog these days. If I'm understanding correctly this is s/buildbot-bridge:/releng:buildbot-bridge:/ (with an overlap period where both are valid for transitioning). If that's the case this should just be a simple tweak of https://github.com/mozilla/buildbot-bridge/blob/master/bbb/services.py#L385 and a few tests.
Flags: needinfo?(bhearsum)
Yes, that's right. Is there a new owner for BBB? I don't mind putting the patch up (sounds easy enough) but deploying, testing, and rolling back are a little out of my comfort zone. Would you be able to help with that?
I updated dev to use my not-yet-landed bbb patch and it's now broken, looping over a ton of tasks over and over. Probably due to the restart, not due to the changes, which are merely: diff --git a/bbb/services.py b/bbb/services.py index 5c9074e..67f58f6 100644 --- a/bbb/services.py +++ b/bbb/services.py @@ -384,17 +384,18 @@ class TCListener(ListenerService): def _isAuthorized(self, buildername, scopes): """Tests to see if the builder given is restricted, and if so, whether or not the scopes given are authorized to use it. Builders that do not match the overall restricted builder patterns do not require any scopes. Builders that do must have a buildbot-bridge:builder-name: scope that matches the builder name given.""" requiredscopes = [ - ["buildbot-bridge:builder-name:{}".format(buildername)] + ["buildbot-bridge:builder-name:{}".format(buildername)], + ["project:releng:buildbot-bridge:builder-name:{}".format(buildername)] ] for r in self.restricted_builders: # If the builder is restricted, check the scopes to see if they # are authorized to use it. if re.match(r, buildername): return scope_match(scopes, requiredscopes) # If the builder is unrestricted, no special scopes are required to diff --git a/bbb/test/test_services.py b/bbb/test/test_services.py
Turns out there was a bunch of old tasks in the dev db (as far back as october!). I removed those.
Alright, this worked fine in dev. I'll post the patch and get it landed to prod.
Attached file add the new scope
Attachment #8716404 - Flags: review?(dustin)
Attachment #8716404 - Flags: review?(dustin) → review+
Moving these both to 1.5.4, which is the same as 1.5.3 but with a packaging-only change included (https://github.com/mozilla/buildbot-bridge/pull/11).
Attachment #8717903 - Flags: review?(dustin)
Comment on attachment 8717903 [details] [diff] [review] upgrade dev+prod buildbot bridge btw, puppetagain is hooked up to mozreview if that's more convenient
Attachment #8717903 - Flags: review?(dustin) → review+
This looks to be working fine in production, I think it's safe to remove any references to the old scope in credentials now.
Done!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: