The `vpn_treeherder` LDAP group is no longer needed (Treeherder has now moved to Heroku and the SCL3 parts have been decommissioned - bug 1308496), so at your convenience can be removed :-)
Hey Dustin-- Am I remembering correctly that we were using this group to determine that we are "treeherder" people that should have the sheriff scope? Or was that just initially, and now we don't need it?
vpn_treeherder means something very different, please let's use a different LDAP group for any future work (and document it- the current changes were made with no big comments as far as I can tell? :-( )
Sigh Swype, s/big/bug/
(When we do that we'll also likely want multiple groups, not just one treeherder group, and at that point can give them more appropriate names, that don't include the vpn_ prefix etc)
+1 to all that, and it's easy to switch things around in TC as that happens. But for the moment vpn_treeherder is translating to is_sheriff, so let's make the new groups before deleting the old :)
Nothing is using is_sheriff, and vpn_treeherder contains zero actual sheriffs, so I don't think we should do that.
You're right, I lied: https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_sheriff is using vpn_sheriff to give sheriff permissions. https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_treeherder gives admin privs over the treeherder app. Like I said, those are both really flexible so set up the LDAP groups in whatever fashion makes sense to you, and I can make the necessary TC role adjustments.
I've moved discussion of the sheriff group to bug 1273092 comment 1, and will add some more details to bug 1273034 about the reasoning for not switching the authorisation parts at the same time as authentication. For this bug (vpn_treeherder), it comes down to whether we delete+create new when it becomes time to do bug 1273092, or just re-purpose vpn_treeherder (by vetting the group membership and renaming to something without the vpn_ prefix). vpn_treeherder currently comprises of: $users = [ 'cdawson', 'emorley', 'jgraham', 'mdoglio', 'wlachance', ] Given this is accurate apart from mdoglio (who can be removed), repurposing vpn_treeherder is probably quickest, however the name choice will likely depend on the naming scheme used for the sheriff group, so it may just be best to wait until bug 1273092 anyway :-)
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1273092
You need to log in before you can comment on or make changes to this bug.