Closed
Bug 1406086
Opened 7 years ago
Closed 7 years ago
Need permission to close trees for Softvision Sheriffing team
Categories
(Infrastructure & Operations :: Infrastructure: LDAP, task)
Infrastructure & Operations
Infrastructure: LDAP
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: henrietta_maior, Assigned: jabba, Mentored)
Details
Hi, I'm part of SoftVision's Sheriffing team, and we would need the right permissions in order to close/change the status of the trees. This is the list of LDAP users: aciure@mozilla.com acraciun@mozilla.com aiakab@mozilla.com apavel@mozilla.com btara@mozilla.com cbrindusan@mozilla.com ccoroiu@mozilla.com csabou@mozilla.com dluca@mozilla.com ebalazs@mozilla.com hmaior@mozilla.com nbeleuzu@mozilla.com ncsoregi@mozilla.com nerli@mozilla.com rgurzau@mozilla.com rhorotan@mozilla.com shindli@mozilla.com toros@mozilla.com If needed, :coop or :RyanVM can vouch for us. Thank you!
Comment 1•7 years ago
|
||
I'm pretty sure treestatus is leveraging TC credentials. cc-ing Greg to verify. The next question is whether the ability to open/close scm level 3 trees is gated on scm level 3 access.
Comment 2•7 years ago
|
||
treestatus does leverage TC creds and scopes, the scopes are listed here and do not seem tree specific: https://tools.taskcluster.net/auth/roles/project%3Areleng%3Atreestatus%2Fsheriff Currently any ldap user with the group vpn_treestatus gets these scopes. Is there harm in adding those users to that ldap group?
Comment 3•7 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #2) > treestatus does leverage TC creds and scopes, the scopes are listed here and > do not seem tree specific: > > https://tools.taskcluster.net/auth/roles/ > project%3Areleng%3Atreestatus%2Fsheriff > > Currently any ldap user with the group vpn_treestatus gets these scopes. Is > there harm in adding those users to that ldap group? No harm AFAICT. In fact, it will let the SV sheriffs progress in their roles and help RyanVM/Aryx manage tree closures. If we can get those scopes added for these users, that would be great.
Component: TreeStatus → Service Request
Product: Release Engineering → Taskcluster
QA Contact: catlee
Comment 4•7 years ago
|
||
Ideally in ldap these users are added to the vpn_treestatus group. Is it possible you can have IT do that? I'm not sure of the process for getting people added to ldap groups and what other consequences there might be to having them in that group.
Comment 5•7 years ago
|
||
Or another LDAP group, yes -- we want to avoid assigning things to specific users in Taskcluster.
Comment 6•7 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #4) > Ideally in ldap these users are added to the vpn_treestatus group. Is it > possible you can have IT do that? I'm not sure of the process for getting > people added to ldap groups and what other consequences there might be to > having them in that group. OK, moving to the IT LDAP component. Thanks. IT: can we have the list of users in comment #0 added to the vpn_treestatus group, please?
Assignee: nobody → infra
Component: Service Request → Infrastructure: LDAP
Product: Taskcluster → Infrastructure & Operations
QA Contact: jdow
Comment 7•7 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #4) > Ideally in ldap these users are added to the vpn_treestatus group. Is it > possible you can have IT do that? I'm not sure of the process for getting > people added to ldap groups and what other consequences there might be to > having them in that group. Jabba: is this possible?
Flags: needinfo?(jdow)
Comment 8•7 years ago
|
||
(In reply to Chris Cooper [:coop] from comment #7) > (In reply to Greg Arndt [:garndt] from comment #4) > > Ideally in ldap these users are added to the vpn_treestatus group. Is it > > possible you can have IT do that? I'm not sure of the process for getting > > people added to ldap groups and what other consequences there might be to > > having them in that group. > > Jabba: is this possible? While we're in LDAP permissions land, the SV sheriffs also need to land merges and backouts directly onto the autoland branch, which regular level 3 scm users cannot do. glob informs me this is controlled by the "scm_autoland" group in LDAP. To recap, the SV sherrifs listed in comment #0 need to be added to the following LDAP groups: * vpn_treestatus * scm_autoland Thanks.
Comment 9•7 years ago
|
||
Will these sheriffs also be responsible for scheduling new jobs on central either through "add new jobs", backfill, or retriggers? If so, we should discuss how that will be handled since those are gated on l3 scopes too.
Comment 10•7 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #9) > Will these sheriffs also be responsible for scheduling new jobs on central > either through "add new jobs", backfill, or retriggers? If so, we should > discuss how that will be handled since those are gated on l3 scopes too. I believe we wanted to setup a *new* LDAP group for this, maybe something like "vpn_backfill." I don't think we need to gate this bug on it though. The SV sheriffs will need level 3 access regardless, and the first among them has already earned it.
Assignee | ||
Comment 11•7 years ago
|
||
I've added all the users in comment 0 to scm_autoland and vpn_treestatus.
Assignee: infra → jdow
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdow)
Resolution: --- → FIXED
Reporter | ||
Comment 12•7 years ago
|
||
Thanks :jabba! I can confirm that now I have permission to close the trees.
You need to log in
before you can comment on or make changes to this bug.
Description
•