Closed Bug 1269443 Opened 3 years ago Closed 3 years ago

Use auth.expandScopes before checking scope satisfaction

Categories

(Taskcluster :: Workers, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED
mozilla53

People

(Reporter: dustin, Assigned: dustin)

Details

(Whiteboard: [docker-worker])

Attachments

(1 file)

A task with

 scopes: [
    'assume:repo:hg.mozilla.org/try/*'
 ],
 payload: {
   caches: {
     'level-1-try-tc-vcs-public-sources': '/home/worker-tc-vcs'
   }
 }

fails to start, I think because docker-worker is doing a local check for scope satisfaction that does not expand the role.
Whiteboard: [docker-worker]
Component: Docker-Worker → Worker
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → dustin
Hm, PR230 appears not to do the necessary:

[taskcluster:error] Docker configuration could not be created.  This may indicate an authentication error when validating scopes necessary for running the task.
 Error: Insufficient scopes to attach cache volumes.  The task must have scope `docker-worker:cache:<cache-name>` for each cache in `payload.caches`.
[taskcluster 2016-09-27 16:01:59.026Z] Unsuccessful task run with exit code: -1 completed in 1.021 seconds 

https://tools.taskcluster.net/task-inspector/#LlsW59VNQBShyXqQtofuuA/0

the try repo role has `docker-worker:cache:level-1-*`.
Comment on attachment 8795345 [details]
Bug 1269443: remove now-unnecessary scopes;

https://reviewboard.mozilla.org/r/81420/#review80070
Attachment #8795345 - Flags: review-
Attachment #8795345 - Flags: review?(garndt)
OK, it's still broken :)
Ah!  PR230 appears not to have landed?  Maybe I was just testing it in the ami-test workerType at the time.  I know Greg's in the process of working on new deployments right now.  Can you slide this patch in and we'll see if it improves things?
Flags: needinfo?(garndt)
Greg, did this patch end up getting deployed?
There appeared to have been some issues with the original patch when I was deploying, and I have since reworked it and opened up a new PR. https://github.com/taskcluster/docker-worker/pull/259
Flags: needinfo?(garndt)
Assignee: dustin → garndt
From my testing, this is merged.  I'll remove the workaround in-tree.
Assignee: garndt → dustin
Attachment #8795345 - Flags: review- → review?(bstack)
Attachment #8795345 - Flags: review?(bstack) → review+
https://hg.mozilla.org/mozilla-central/rev/0ecee460f385
Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Component: Worker → Workers
You need to log in before you can comment on or make changes to this bug.