Closed Bug 1280327 Opened 5 years ago Closed 5 years ago

Cleanup: rename TaskCluster NSS entities (worker types, roles, scopes etc) to not include ttaubert in the name

Categories

(Taskcluster :: Services, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmoore, Assigned: pmoore)

References

Details

Attachments

(1 file)

When setting up Windows worker type for NSS project, at first we envisioned that ttaubert would require a playground to work in, so created ttaubert specific names for e.g. worker type (ttaubert-win2012r2). There may also be references to ttaubert in github project names, taskcluster scopes/roles and maybe other entities too.

As it happened, ttaubert worked like a ninja and had his project running in production in 24 hours! So this was no doubt completely unnecessary. :p

Now this stuff is running in production we should carefully rename projects/entities etc to not refer to ttaubert directly, and also update at least https://docs.taskcluster.net/manual/devel/namespaces#projects (if not other places on this page) to officially define the NSS project.

We should also aim to use the same worker type for NSS as we use for Windows firefox desktop builds.

We should also consider setting up a role for NSS team and look via e.g. LDAP group mapping, or use another mechanism to manage access controls for people interacting with NSS tasks.

So this bug is about all the namespace cleanup and managing of proper access controls for the nss project, with a focus on Windows where I know I set up ttaubert specific names, but potentially for other platforms too if that has not been set up already.
You'll want to set up the proper mozilla-group:xxx with assume:project-admin:nss-nspr.  The project-admin class has a fixed set of scopes (in fact, this is enforced with taskcluster-admin).
Assignee: nobody → pmoore
Hey Dustin,

I've created a new worker type called nss-win2012r2 to replace ttaubert-win2012r2. I'd like to deprecate and then remove ttaubert-win2012r2.

I see that the admin role ("project-admin:nss-nspr") from your comment 1 has already been created:
  https://tools.taskcluster.net/auth/roles/#project-admin:nss-nspr

and also there is already a mozillians-group:nss-nspr role:
  https://tools.taskcluster.net/auth/roles/#mozillians-group:nss-nspr

Q1) Is the intention to manage access controls in mozillians rather than LDAP? Or should I also create mozilla-group:nss-nspr?
Q2) I see some references to "nss" (e.g. moz-tree:nss) whereas other references are to nss-nspr. What is the difference between nss and nss-nspr, and when should we use each respectively?
Q3) https://tools.taskcluster.net/auth/roles/#mozillians-group:nss-nspr grants queue:create-task:aws-provisioner-v1/hg-worker but https://tools.taskcluster.net/aws-provisioner/#hg-worker/view doesn't have a description so I'm not sure what this worker type is for. Do you know? Can this scope be removed?
Flags: needinfo?(dustin)
re: q2 & q3

I created moz-tree:nss when hooking up the nss repos for ttaubert and granting permissions.  this also included the hg-worker worker type to be similar to the one we have generically for github (he was migrating from github to hg for this project I think).  This was to keep it separate then the worker types that are clearly for gecko related builds for m-c/try/m-i/etc

I have updated the description and owner of that worker type to reflect this.
(In reply to Pete Moore [:pmoore][:pete] from comment #2)

> Q1) Is the intention to manage access controls in mozillians rather than
> LDAP? Or should I also create mozilla-group:nss-nspr?

Spoke to ttaubert and mozillians is the way to go.

> Q2) I see some references to "nss" (e.g. moz-tree:nss) whereas other
> references are to nss-nspr. What is the difference between nss and nss-nspr,
> and when should we use each respectively?

ttaubert advised that nss and nspr have separate hg repositories, but that nspr is relatively static, and that the treeherder nss jobs pull in both nss and nspr. In order to be consistent with project names, we decided to use the mozillians group "nss" rather than "nss-nspr" and this would affect roles/scopes too. However, ttaubert discovered the nss mozillians group already existed, so he has contacted the owner to see if its admin settings can be adapted to be suitable for this purpose.
Flags: needinfo?(dustin)
This also removes the "time /t" part of the commands since the new generic worker logs when it starts and completes each command.

See e.g. https://public-artifacts.taskcluster.net/qigTbjp1TmG9YIYCL2ovzw/0/public/logs/live_backing.log which is the output from a try push (although without the time /t removed).

The data at the top of the log can be customised via the worker type (so we can fix machine-setup.script to a given commit SHA rather than a branch by just updating the worker type definition, which I'll do after this).

Any questions, let me know! Thanks.

ttaubert - if you are happy with the patch, feel free to land it for me, but please leave the bug open for cleanup of getting rid of the old worker type etc and migrating from nss-nspr mozillian group to nss mozillian group, if we get the green light to do that.
Attachment #8770634 - Flags: review?(ttaubert)
Comment on attachment 8770634 [details] [diff] [review]
bug1280327_nss_v1.patch

Review of attachment 8770634 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Thanks!
Attachment #8770634 - Flags: review?(ttaubert) → review+
It seems to be working ok, but some try pushes will still be based on the old worker type, so I'll wait until end of next week before deleting the old worker type and entities....

I spotted an issue with the logs having incorrect indentation, but this turned out to be a problem with the log viewer rather than the log (bug 1286804).
* Deleted  worker type "ttaubert-win2012r2"
* Deleted role "worker-type:aws-provisioner-v1/ttaubert-win2012r2"
* Deleted scope "queue:create-task:aws-provisioner-v1/ttaubert-*" from role "mozilla-user:ttaubert@mozilla.com"
* Terminated stopped instance "ttaubert-win2012r2 base instance" i-002141fb072e3842b in us-east-1d
* Terminated stopped instance "ttaubert-win2012r2 base instance" i-0343917f32ed7b0be in us-west-1c
* Terminated stopped instance "ttaubert-win2012r2 base instance" i-04421848866d6da99 in us-west-2a
* Deregistered AMI "ttaubert-win2012r2 mozillabuild version bdr7VIICQXyCAxLag0xsWQ" ami-d050e8c7 in us-east-1
* Deregistered AMI "ttaubert-win2012r2 mozillabuild version bdr7VIICQXyCAxLag0xsWQ" ami-4c490e2c in us-west-1
* Deregistered AMI "ttaubert-win2012r2 mozillabuild version bdr7VIICQXyCAxLag0xsWQ" ami-bea263de in us-west-2
* Deleted snapshot snap-94dc0771 in us-east-1 (of instance i-002141fb072e3842b)
* Deleted snapshot snap-0a839633 in us-west-1 (of instance i-0343917f32ed7b0be)
* Deleted snapshot snap-ed63eab3 in us-west-2 (of instance i-04421848866d6da99)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
Component: Integration → Services
You need to log in before you can comment on or make changes to this bug.