Give Taskcluster backfill scopes to more people than just those with push permissions

Status: RESOLVED FIXED (enhancement)

People

(Reporter: jmaher, Assigned: dustin)

Attachments

(1 attachment)

Yesterday Geoff was not able to use the backfill feature on Treeherder; please add him and confirm the group membership.
Backfill isn't restricted to sheriffs from what I can tell from code inspection -- could you provide specific STR? (There are several similarly named features, and behaviour also differs depending on buildbot vs taskcluster, try vs non-try and so on.)
Flags: needinfo?(gbrown)
As I understand it, the issue is backfill on the autoland repo specifically. 

I chatted with :dustin and :bstack on #taskcluster yesterday. I can backfill on inbound, for instance, without trouble. On autoland, my backfill requests fail with a really long taskcluster error message that starts "Taskcluster: You do not have sufficient scopes. This request requires you to have one of the following sets of scopes..."

As I understand it, only people who can push to autoland can backfill on autoland, and we want to keep autoland push permissions restricted to a small group (seems reasonable to me!).

Suggested workaround was to ping a sheriff to do backfills for me. Sheriffs are generally good natured about it, but I wanted 4 backfills yesterday (triaging neglected oranges for the Stockwell project).
Flags: needinfo?(gbrown)
Ah, ok, so this is to do with Taskcluster scopes (which are likely derived from LDAP groups).
This isn't something the Treeherder team has the ability to manage - moving to a Taskcluster component :-)
Component: Treeherder → General
Product: Tree Management → Taskcluster
Version: --- → unspecified
Comment 4 (Reporter)
If we have SETA enabled on Autoland, then :gbrown, :rwood, :jmaher, :igoldan should have access to backfill, add new jobs, retrigger.
To revise comment 3 slightly now that I've re-read comment 2:

It looks like you need the current behaviour of "only those who can push to a repo can backfill it" to change to a larger set of people. For autoland this is likely fine, but I'm guessing for mozilla-central or say aurora/beta/release this has security implications.

Dustin/Brian will likely be the best to advise as to what changes are possible/make the most sense.
Flags: needinfo?(dustin)
Flags: needinfo?(bstack)
Summary: ensure that gbrown is in the treeherder sheriffs group → Give Taskcluster backfill scopes to more people than just those with push permissions
Right, the issue here is that only a small group of people can push to autoland.  Granting permission to retrigger means granting permission to run all tasks on that tree -- and I'm not sure we want to do that, or we would just have autoland listed as a level-3 repo like all the rest (it has its own scm LDAP group right now, scm_autoland).

So options are:
 - adding the folks joel listed to scm_autoland
 - making autoland just like any other level-3 repo (scm_level_3)
 - special-casing permission for the folks joel listed to create autoland builds using TC roles
 - special-casing permission for people with scm_level_3 to create autoland builds

I'm not even sure who to ask, but maybe gps is the right person?
Flags: needinfo?(gps)
Flags: needinfo?(dustin)
Flags: needinfo?(bstack)
Comment 7 (Reporter)
or another option is to run all builds/tests all the time (i.e. no SETA, no 'when' clauses for builds/tests)
(In reply to Dustin J. Mitchell [:dustin] from comment #6)
> Right, the issue here is that only a small group of people can push to
> autoland.  Granting permission to retrigger means granting permission to run
> all tasks on that tree

Let's verify a detail here...

It seems to me that retrigger, backfill, and "add new jobs" should all be subject to the same permissions. I can retrigger tests on autoland but I cannot backfill or "add new jobs".
They should be, within the context of TaskCluster.  I suspect you can add new BB jobs though.
We want to restrict the people who can *push* to autoland. I don't think we want to restrict the people who can do useful things with tasks on autoland.

I think we should allow scm_level_3 users to manipulate tasks on the autoland repo, just like they can with inbound, central, etc.
Flags: needinfo?(gps)
(In reply to Dustin J. Mitchell [:dustin] from comment #9)
> They should be, within the context of TaskCluster.  I suspect you can add new BB jobs though.

I just retriggered a Linux mochitest and it worked fine: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=167ed7d3545b6b8ff0c8fee6593a505bd181b08b&filter-searchStr=linux64%20tc-M(c1)

It seems like something is not as strictly enforced as expected.
(In reply to Gregory Szorc [:gps] from comment #10)
> We want to restrict the people who can *push* to autoland. I don't think we
> want to restrict the people who can do useful things with tasks on autoland.

Thanks gps - I like the way you said that.
Retriggering is still handled by mozilla-taskcluster, which is deputized with powerful scopes that you use to retrigger. Eventually that will stop working as well and be moved to just hitting the tc api directly from treeherder.
Thanks Brian, that was going to take me a while to figure out :)
Assignee: nobody → dustin
OK, fixed manually in
  https://tools.taskcluster.net/auth/roles/#mozilla-group:scm_level_3
and a PR and a review request made to update the automation to keep it that way.
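As an added illustration (not Taskcluster's code and not part of the bug discussion), the toy model below shows the mechanics behind the thread: a request is accepted only if every scope in at least one required scope set is satisfied, `*` is a wildcard only at the end of a held scope, and `assume:<roleId>` scopes expand into the role's scopes. It replays comment 6's situation (an scm_level_3 user who is not in scm_autoland is refused on autoland while a sheriff is not) and comment 16's fix (the autoland repo scopes are added to the mozilla-group:scm_level_3 role, so who can push is untouched). Only the role id mozilla-group:scm_level_3, the group name scm_autoland and the autoland revision from comment 11 come from the page; every other scope string, role id and the required scope set are assumptions constructed for the example.

```python
"""Toy model of Taskcluster scope satisfaction and role expansion.

Added illustration for this bug, not Taskcluster's own code. Only the role id
mozilla-group:scm_level_3 and the LDAP group name scm_autoland come from the
bug; every other scope string and role id below is assumed for the example.
"""
from typing import Dict, Iterable, List, Set


def scope_satisfies(held: str, required: str) -> bool:
    """A held scope satisfies a required one if they are equal, or if the held
    scope ends in '*' and the required scope starts with the text before it.
    '*' is a wildcard only in the final position."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def expand_roles(scopes: Iterable[str], roles: Dict[str, List[str]]) -> Set[str]:
    """Return the full set of scopes a client holds after expanding every
    'assume:<roleId>' scope into that role's scopes, transitively."""
    held: Set[str] = set()
    queue = list(scopes)
    while queue:
        scope = queue.pop()
        if scope in held:          # already expanded; also breaks role cycles
            continue
        held.add(scope)
        if scope.startswith("assume:"):
            pattern = scope[len("assume:"):]
            # 'assume:foo*' expands every role whose id starts with 'foo'.
            for role_id, role_scopes in roles.items():
                if scope_satisfies(pattern, role_id):
                    queue.extend(role_scopes)
    return held


def unmet_scope_sets(held: Set[str], required_sets: List[List[str]]) -> List[List[str]]:
    """A request passes if ALL scopes in ANY ONE required set are satisfied.
    Return [] on success; otherwise the unsatisfied scopes of each set, which
    is what the 'insufficient scopes' error enumerates."""
    unmet: List[List[str]] = []
    for required in required_sets:
        missing = [r for r in required if not any(scope_satisfies(h, r) for h in held)]
        if not missing:
            return []
        unmet.append(missing)
    return unmet


def check_request(client_scopes, roles, required_sets):
    return unmet_scope_sets(expand_roles(client_scopes, roles), required_sets)


# --- Constructed scenario (all scope strings assumed) -------------------------
def repo_role(tree: str) -> List[str]:
    """Scopes a per-repo role grants for creating tasks on that tree."""
    return [
        "queue:create-task:aws-provisioner-v1/gecko-3-*",
        "queue:route:index.gecko.v2.%s.*" % tree,
        "queue:scheduler-id:gecko-level-3",
    ]


ROLES_BEFORE: Dict[str, List[str]] = {
    "repo:hg.mozilla.org/mozilla-central": repo_role("mozilla-central"),
    "repo:hg.mozilla.org/integration/mozilla-inbound": repo_role("mozilla-inbound"),
    "repo:hg.mozilla.org/integration/autoland": repo_role("autoland"),
    # Before the fix: scm_level_3 covers the level-3 trees except autoland,
    # which is reachable only through the separate scm_autoland group.
    "mozilla-group:scm_level_3": [
        "assume:repo:hg.mozilla.org/mozilla-central",
        "assume:repo:hg.mozilla.org/integration/mozilla-inbound",
    ],
    "mozilla-group:scm_autoland": ["assume:repo:hg.mozilla.org/integration/autoland"],
}

# After the fix ("label autoland as an L3 repo"): the scm_level_3 role also
# assumes the autoland repo role. Push permission (scm_autoland) is unchanged.
ROLES_AFTER = dict(ROLES_BEFORE)
ROLES_AFTER["mozilla-group:scm_level_3"] = ROLES_BEFORE["mozilla-group:scm_level_3"] + [
    "assume:repo:hg.mozilla.org/integration/autoland"
]

# One assumed alternative set of scopes a backfill on autoland would require;
# the revision is the one from comment 11, shortened.
BACKFILL_AUTOLAND = [[
    "queue:create-task:aws-provisioner-v1/gecko-3-b-linux",
    "queue:route:index.gecko.v2.autoland.revision.167ed7d3545b",
    "queue:scheduler-id:gecko-level-3",
]]

GBROWN = ["assume:mozilla-group:scm_level_3"]   # level 3, not in scm_autoland
SHERIFF = ["assume:mozilla-group:scm_level_3", "assume:mozilla-group:scm_autoland"]

if __name__ == "__main__":
    for who, client in (("gbrown", GBROWN), ("sheriff", SHERIFF)):
        for label, roles in (("before", ROLES_BEFORE), ("after", ROLES_AFTER)):
            unmet = check_request(client, roles, BACKFILL_AUTOLAND)
            print("%-8s %-6s %s" % (who, label, "ok" if not unmet else "missing %s" % unmet))
```

Run as a script, it reports gbrown as missing only the autoland-specific route scope before the role change and satisfied after it, while the sheriff passes in both cases; the shared create-task and scheduler-id scopes are already held through the inbound and central roles, which matches comment 11's observation that retriggers (handled by a differently scoped service) kept working while backfills did not.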

Comment 17 (mozreview-review)
Comment on attachment 8854591 [details]
Bug 1352419: label autoland as an L3 repo;

https://reviewboard.mozilla.org/r/126546/#review129102
Attachment #8854591 - Flags: review?(bstack) → review+
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Verified I can backfill on autoland now - thanks!