1251338 - add e-mail notification when changes to rules or permissions are made

Status: RESOLVED FIXED

(Release Engineering Graveyard :: Applications: Balrog (backend), defect)

Description

[bhearsum@mozilla.com (:bhearsum)]

Julien tells me that part of the standard they're pushing for for CloudOps apps is that e-mail notification is sent when changes are made. I don't think this is practical for Balrog releases (we get changes to those in the order of 1000s per day), but it's probably viable for rules and permissions.

I'm thinking it's probably best to create a new mailing list for this and send them there - it's spammy and inappropriate for release-drivers, and I don't want to send it to release@, because that prevents others from opting in to them.

Comment 1

[bhearsum@mozilla.com (:bhearsum)]

Benson, is it fair to assume that a local sendmail will be available to the Balrog wsgi apps? Ie: can I simply call SMTP.sendmail() from within Balrog code?

Comment 2

[Benson Wong [:mostlygeek]]

Sending thousands a day? We should use SES with a validated email address and domain. Otherwise we'd risk getting blackholed or marked as spammers. Generally, arbitrary EC2 boxes sending thousands of emails isn't the right approach.

Comment 3

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Benson Wong [:mostlygeek] from comment #2)
> Sending thousands a day? We should use SES with a validated email address
> and domain. Otherwise we'd risk getting blackholed or marked as spammers.
> Generally, arbitrary EC2 boxes sending thousands of emails isn't the right
> approach.

Definitely not thousands. The vast majority of the changes are to Releases, which we're not planning to send mail about. Right now it looks like we average 10-15 changes to rules and permissions per day (I'm sure that will go up over time, but I don't forsee it hitting hundreds or thousands). If SES is still the right thing to use, do you need to create an access key for me?

Comment 4

[Benson Wong [:mostlygeek]]

That's pretty low volume. Let's try it with a local SMTP for now. Is this for the admin box?

Comment 5

[Julien Vehent]

Gmail will flag as spam anything that doesn't have the proper spf and dkim records. Going through SES is a much safer bet, given the sensitive nature of those notifications.

SES uses simple SMTP authentication, it should integrate easily with Python: http://stackoverflow.com/a/64890/1030499

Comment 6

[bhearsum@mozilla.com (:bhearsum)]

(In reply to Benson Wong [:mostlygeek] from comment #4)
> That's pretty low volume. Let's try it with a local SMTP for now. Is this
> for the admin box?

Yeah, admin box only.

(In reply to Julien Vehent [:ulfr] from comment #5)
> Gmail will flag as spam anything that doesn't have the proper spf and dkim
> records. Going through SES is a much safer bet, given the sensitive nature
> of those notifications.
> 
> SES uses simple SMTP authentication, it should integrate easily with Python:
> http://stackoverflow.com/a/64890/1030499

Where do I get and/or generate the necessary credentials?

Comment 7

[bhearsum@mozilla.com (:bhearsum)]

Attachment: Send e-mail when changes are made to rules or permissions

Comment 8

[[github robot]]

Commit pushed to master at https://github.com/mozilla/balrog

https://github.com/mozilla/balrog/commit/4c64794e0038accb1c5ee0f33a20ef1047b69c0a
bug 1251338: Send e-mail when changes are made to rules or permissions. (#65) r=nthomas,ulfr

Comment 9

[bhearsum@mozilla.com (:bhearsum)]

This landed in production today (although is disabled while we're still on the WebOps cluster).

Comment 10

[bhearsum@mozilla.com (:bhearsum)]

We forgot to enable this when we migrated. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1304082 to get it enabled. We'll be sending production notifcations to balrog-db-changes@mozilla.com.