1336033 - Correct treestatus scopes dervived from vpn_sheriff and vpn_treestatus LDAP groups

Status: RESOLVED FIXED

(Taskcluster :: Operations and Service Requests, task)

Description

[Rok Garbas [:garbas]]

1. I would need to change the scope on role mozilla-group:vpn_sheriff
replace ``project:releng:treestatus/sheriff`` with ``project:releng:treestatus/``

2. I need to also create ``mozilla-group:vpn_treestatus`` with ``project:releng:treestatus/sheriff`` scope

Comment 1

[Rok Garbas [:garbas]]

Please ignore my comment and follow instructions in User Story.

Comment 2

[Jorg K (CEST = GMT+2)]

As discussed with Rok on IRC: This should give the TB/SM people
kent@caspia.com, clokep@patrick.cloke.us, aleth@instantbird.org, ewong@pw-wspx.org, mozilla@jorgk.com (and more?) from the vpn_treestatus group their rights back.

Comment 3

[Ed Morley [:emorley]]

Where did the original setup of scope take place? 

I'm struggling to find a papertrail of where review and sign-off of the new treestatus took place (especially for permissions parts).

It's just that the permissions were regressed once already when treestatus was moved into the releng system the first time (bug 1214391), and now we've had something similar again.

Comment 4

[Ed Morley [:emorley]]

(Adjusting summary to make this bug easier to find)

Comment 5

[Rok Garbas [:garbas]]

:emorley: The only one to blame for this is me. I poorly planned the credentials/auth migration. Now that I understand the RelengAPI/LDAP/... more I can make sure this doesn't happen in the future.

Actually, everything was planned I should just a request this change before I started the migration. Again, sorry for the disruption, I hope that I can make it up with a better UX/UI of TreeStatus.

Now that the east coast is up I am going to ping on #taskcluster to push on this.

Comment 6

[Ed Morley [:emorley]]

No problem - many thanks for your hard work getting it migrated, it's great to see Treestatus getting some long-overdue TLC :-)

Comment 7

[Pete Moore [:pmoore][:pete]]

https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_sheriff
https://tools.taskcluster.net/auth/roles/#mozilla-group:vpn_treestatus

(scopes also prefixed with `assume:`)

I can't provide guidance on whether these changes are appropriate/acceptable, but at least we have this bug trail. :-)

Comment 8

[Jorg K (CEST = GMT+2)]

Nice that you fixed the bug, but I still don't have access to change the tree status, for example for https://mozilla-releng.net/treestatus/show/comm-aurora-thunderbird. Apparently some "Update" button should be visible.

Comment 9

[Rok Garbas [:garbas]]

:Jorg K: are you logging via okta? or via Email?

Comment 10

[Patrick Cloke [:clokep]]

I can't speak for jorgk, but I logged in via okta and don't see any features to make modifications to the treestatus.

Comment 11

[Pete Moore [:pmoore][:pete]]

Jorg, Patrick,

Note, if you log in via okta, to use the LDAP address with the appropriate commit level access (which might not be a @mozill.com email address).

Comment 12

[Dustin J. Mitchell [:dustin] (he/him)]

Sorry folks -- there's a whitelist to which new groups need to be added.  I added vpn_treestatus to it just a few minutes ago, so please logout, log back in with Okta and your LDAP account, and you should be OK.  Sorry for the confusion :(

Comment 13

[Patrick Cloke [:clokep]]

dustin, that seems to have fixed it for me! Thanks.

Comment 14

[Jorg K (CEST = GMT+2)]

Logged in via Okta/LDAP. I get the "Update Tree" button now. Thanks.

Comment 15

[Jorg K (CEST = GMT+2)]

Hmm, another problem. In order to make the "Update" button at the bottom right active, you need to select a Status. Previously you could just change the Message of the Day without changing the Status. Can you restore the previous behaviour?

Comment 16

[Pete Moore [:pmoore][:pete]]

Jorg, can you create a separate bug for that?

Comment 17

[Jorg K (CEST = GMT+2)]

Done, bug 1336103.

Comment 18

[Pete Moore [:pmoore][:pete]]

Many thanks Jorg. :-)