Closed Bug 1286894 Opened 5 years ago Closed 3 years ago

Enable Treeherder to add new TC jobs for non try repositories

Categories

(Testing :: General, defect, P3)

Version 3
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: martianwars, Unassigned, Mentored)


This will be a follow up to Bug 1284911, once that's fixed.
Depends on: 1284911
This should be fairly straightforward to fix. Just remove the condition from https://github.com/mozilla/treeherder/blob/master/ui/js/models/resultsets_store.js#L330

However, an RRA is needed before this can proceed.
(In reply to Kalpesh Krishna [:martianwars] from comment #1)
> However, an RRA is needed before this can proceed.

Presuming "RRA" ([1]) wasn't a typo, then this needs blocking on the pulse actions side asap until that happens. A UI-only conditional isn't a security measure - people can submit arbitrary requests to the API regardless.

Armen, can you confirm either way?

[1] https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment
Flags: needinfo?(armenzg)
Yeah I completely agree with Ed. There should be a condition to block this on Pulse Actions. Should be a straightforward fix.
Filed bug 1288092 to follow up on it.
Flags: needinfo?(armenzg)
There's still a limitation in place here: pulse_actions' scopes would prevent creation of an action task for any repo other than try (in particular, any non-level-1 repo).

https://tools.taskcluster.net/auth/clients/#project%252fateam%252fpulse_actions
    assume:repo:hg.mozilla.org/try:*
    auth:aws-s3:read-write:tc-gp-public-31d/ateam/pulse-action-dev/*
    queue:create-task:*
    queue:define-task:*
    scheduler:create-task-graph
    scheduler:extend-task-graph

but it would be good for pulse_actions to give a useful error back to the user rather than rely on the scopes to fail.
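The two points made in the comments above (a UI-only condition is not a control, and the service should give a clear error instead of relying on a scope failure) can be sketched as follows. This is an added example, not code from pulse_actions or Treeherder and not written by anyone in this thread; the function names, the allow-list and the `repo_path` parameter are assumptions, and only the scope list is copied from the comment.

```python
# Added illustration; not pulse_actions or Treeherder code.
# Scope list copied from the comment above; all names below are hypothetical.
CLIENT_SCOPES = [
    "assume:repo:hg.mozilla.org/try:*",
    "auth:aws-s3:read-write:tc-gp-public-31d/ateam/pulse-action-dev/*",
    "queue:create-task:*",
    "queue:define-task:*",
    "scheduler:create-task-graph",
    "scheduler:extend-task-graph",
]
ALLOWED_REPOS = {"try"}  # service-side allow-list (assumption)


class ActionRejected(Exception):
    """Carries a message that can be shown to the requesting user."""


def scope_satisfies(held, required):
    """Taskcluster-style match: exact, or `held` ends in '*' and is a prefix."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def has_scope(scopes, required):
    return any(scope_satisfies(s, required) for s in scopes)


def validate_add_jobs_request(repo_path, requester, scopes=CLIENT_SCOPES):
    """Run on the service for every request, whatever the UI allowed."""
    # 1. Explicit policy check, so the user gets a reason instead of a
    #    generic authorization failure from the task-creation call.
    if repo_path not in ALLOWED_REPOS:
        raise ActionRejected(
            f"{requester}: adding jobs is only enabled for "
            f"{sorted(ALLOWED_REPOS)}, not '{repo_path}'"
        )
    # 2. Defence in depth: the client's scopes must also cover the repo,
    #    so a widened allow-list alone cannot grant access.
    needed = f"assume:repo:hg.mozilla.org/{repo_path}:*"
    if not has_scope(scopes, needed):
        raise ActionRejected(f"{requester}: service client lacks scope {needed}")
    return True
```
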
Ah so comment 1 really meant "an RRA is needed prior to adjusting the scopes being used by pulse_actions, which will be performed in a yet-to-be-filed bug that will be marked blocking this one" (or similar).

Glad to hear :-)
Fixed in the code as well in bug 1288092.
Duplicate of this bug: 1339631
This is broken and now that SETA is enabled we are looking to turn it off *again*.

Do we need to do work in treeherder to fix this?
Flags: needinfo?(emorley)
Unfortunately I have no idea how most of this implementation is meant to work, whether it's currently working or what next steps are. Armen would be the one to speak to.
Flags: needinfo?(emorley)
If I remember correctly, there was a UI check here to prevent non-try jobs from being added. https://github.com/mozilla/treeherder/blob/master/ui/js/models/resultsets_store.js#L338. I don't quite remember if I'd added anything on the TaskCluster side.

Of course, I don't know how relevant this is now.
See Also: → 1343002
Priority: -- → P3
This was fixed a while ago.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME