Closed Bug 1406086 Opened 7 years ago Closed 7 years ago

Need permission to close trees for Softvision Sheriffing team

Categories

(Infrastructure & Operations :: Infrastructure: LDAP, task)

Product:
Infrastructure & Operations
Component:
Infrastructure: LDAP
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: henrietta_maior, Assigned: jabba, Mentored)

Details

Hi,

I'm part of SoftVision's Sheriffing team, and we would need the right permissions in order to close/change the status of the trees.

This is the list of LDAP users:
aciure@mozilla.com
acraciun@mozilla.com
aiakab@mozilla.com
apavel@mozilla.com
btara@mozilla.com
cbrindusan@mozilla.com
ccoroiu@mozilla.com
csabou@mozilla.com
dluca@mozilla.com
ebalazs@mozilla.com
hmaior@mozilla.com
nbeleuzu@mozilla.com
ncsoregi@mozilla.com
nerli@mozilla.com
rgurzau@mozilla.com
rhorotan@mozilla.com
shindli@mozilla.com
toros@mozilla.com

If needed, :coop or :RyanVM can vouch for us.

Thank you!
I'm pretty sure treestatus is leveraging TC credentials. cc-ing Greg to verify.

The next question is whether the ability to open/close scm level 3 trees is gated on scm level 3 access.
treestatus does leverage TC creds and scopes, the scopes are listed here and do not seem tree specific:

https://tools.taskcluster.net/auth/roles/project%3Areleng%3Atreestatus%2Fsheriff

Currently any ldap user with the group vpn_treestatus gets these scopes.  Is there harm in adding those users to that ldap group?
(In reply to Greg Arndt [:garndt] from comment #2)
> treestatus does leverage TC creds and scopes, the scopes are listed here and
> do not seem tree specific:
> 
> https://tools.taskcluster.net/auth/roles/
> project%3Areleng%3Atreestatus%2Fsheriff
> 
> Currently any ldap user with the group vpn_treestatus gets these scopes.  Is
> there harm in adding those users to that ldap group?

No harm AFAICT. In fact, it will let the SV sheriffs progress in their roles and help RyanVM/Aryx manage tree closures.

If we can get those scopes added for these users, that would be great.
Component: TreeStatus → Service Request
Product: Release Engineering → Taskcluster
QA Contact: catlee
Ideally in ldap these users are added to the vpn_treestatus group.  Is it possible you can have IT do that? I'm not sure of the process for getting people added to ldap groups and what other consequences there might be to having them in that group.
Or another LDAP group, yes -- we want to avoid assigning things to specific users in Taskcluster.
(In reply to Greg Arndt [:garndt] from comment #4)
> Ideally in ldap these users are added to the vpn_treestatus group.  Is it
> possible you can have IT do that? I'm not sure of the process for getting
> people added to ldap groups and what other consequences there might be to
> having them in that group.

OK, moving to the IT LDAP component. Thanks.

IT: can we have the list of users in comment #0 added to the vpn_treestatus group, please?
Assignee: nobody → infra
Component: Service Request → Infrastructure: LDAP
Product: Taskcluster → Infrastructure & Operations
QA Contact: jdow
(In reply to Greg Arndt [:garndt] from comment #4)
> Ideally in ldap these users are added to the vpn_treestatus group.  Is it
> possible you can have IT do that? I'm not sure of the process for getting
> people added to ldap groups and what other consequences there might be to
> having them in that group.

Jabba: is this possible?
Flags: needinfo?(jdow)
(In reply to Chris Cooper [:coop] from comment #7)
> (In reply to Greg Arndt [:garndt] from comment #4)
> > Ideally in ldap these users are added to the vpn_treestatus group.  Is it
> > possible you can have IT do that? I'm not sure of the process for getting
> > people added to ldap groups and what other consequences there might be to
> > having them in that group.
> 
> Jabba: is this possible?

While we're in LDAP permissions land, the SV sheriffs also need to land merges and backouts directly onto the autoland branch, which regular level 3 scm users cannot do. glob informs me this is controlled by the "scm_autoland" group in LDAP.

To recap, the SV sherrifs listed in comment #0 need to be added to the following LDAP groups:

* vpn_treestatus
* scm_autoland

Thanks.
Will these sheriffs also be responsible for scheduling new jobs on central either through "add new jobs", backfill, or retriggers? If so, we should discuss how that will be handled since those are gated on l3 scopes too.
(In reply to Greg Arndt [:garndt] from comment #9)
> Will these sheriffs also be responsible for scheduling new jobs on central
> either through "add new jobs", backfill, or retriggers? If so, we should
> discuss how that will be handled since those are gated on l3 scopes too.

I believe we wanted to setup a *new* LDAP group for this, maybe something like "vpn_backfill."

I don't think we need to gate this bug on it though. The SV sheriffs will need level 3 access regardless, and the first among them has already earned it.
I've added all the users in comment 0 to scm_autoland and vpn_treestatus.
Assignee: infra → jdow
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdow)
Resolution: --- → FIXED
Thanks :jabba! 
I can confirm that now I have permission to close the trees.
You need to log in before you can comment on or make changes to this bug.