Bug 1409353 - Focus for Android: Notifications + Secrets Service Access
Status: RESOLVED FIXED (Closed)
Opened 7 years ago; closed 7 years ago
Product / Component: Taskcluster :: General (enhancement)
Tracking: not tracked
Reporter: sebastian; Assignee: dustin
We started to use taskcluster (via GitHub integration) for automating some of our recurring "Focus for Android" tasks (Builds, Tests, Screenshots).
I would like to start using the secrets service for storing the Adjust token we need for our builds. And in addition to that I want to look into using the Notifications Service for some tasks (e.g. "Screenshots are done!").
I think this would mean that I (mozilla-ldap/skaspari@mozilla.com) need to get the scope for getting/setting a secret:
- secrets:set:repo:github.com/mozilla-mobile/focus-android:*
- secrets:get:repo:github.com/mozilla-mobile/focus-android:*
And the repository would need the scopes for getting the secret as well as for using the notify service:
- secrets:get:repo:github.com/mozilla-mobile/focus-android:*
- queue:route:notify.email.*
- queue:route:notify.irc-channel.*
Is this correct and does this make sense?
For testing purposes it would be helpful to get the same scopes for my "playground" repo too:
https://github.com/pocmo/taskcluster-playground
Comment 1 • 7 years ago, dustin (Assignee)
We can set that up, but I'd rather set it up for the focus project in general. So we can create a "project:focus". Is there an LDAP group or something of the sort which I should set up with administrative rights for the project? We'd like to avoid assigning scopes to specific people, preferring LDAP groups.
Updated • 7 years ago
Assignee: nobody → dustin
Comment 2 • 7 years ago, sebastian (Reporter)
I would also like to use the "hooks manager" to schedule some recurring tasks (not sure if/what roles are required).
Comment 3 • 7 years ago, dustin (Assignee)
I created
https://tools.taskcluster.net/auth/roles/project-admin%3Afocus
assume:hook-id:project-focus/*
assume:project-admin:focus
assume:project:focus:*
auth:create-client:project/focus/*
auth:create-role:hook-id:project-focus/*
auth:create-role:project:focus:*
auth:delete-client:project/focus/*
auth:delete-role:hook-id:project-focus/*
auth:delete-role:project:focus:*
auth:disable-client:project/focus/*
auth:enable-client:project/focus/*
auth:reset-access-token:project/focus/*
auth:update-client:project/focus/*
auth:update-role:hook-id:project-focus/*
auth:update-role:project:focus:*
hooks:modify-hook:project-focus/*
hooks:trigger-hook:project-focus/*
index:insert-task:project.focus.*
project:focus:*
queue:get-artifact:project/focus/*
queue:route:index.project.focus.*
secrets:get:project/focus/*
secrets:set:project/focus/*
I've given you that role, and once the LDAP group is done I will associate it with that group. So that should get you access to hooks and secrets.
I created https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fmozilla-mobile%2F*
assume:project:taskcluster:mozilla-github-repository
notify:email:*
notify:irc-channel:*
notify:irc-user:*
queue:create-task:aws-provisioner-v1/github-worker
queue:create-task:aws-provisioner-v1/win2012r2
queue:route:garbage.*
queue:route:index.garbage.*
queue:route:notify.email.*
queue:route:notify.irc-channel.*
queue:route:notify.irc-user.*
queue:scheduler-id:taskcluster-github
which contains some basic, useful scopes including the notify scopes you mentioned.
As for giving scopes to a repo to access secrets, best practice is to grant secrets:get:.. for the *specific* secret you want, rather than *. This avoids creating a new secret and finding that something unexpected has access to it.
You'll also want to decide *what* within the repo has access. That comes down to deciding what role to assign it to:
repo:github.com/mozilla-mobile/focus-android:* -- everything
repo:github.com/mozilla-mobile/focus-android:pull-request -- PRs
repo:github.com/mozilla-mobile/focus-android:branch:* -- pushes to branches
repo:github.com/mozilla-mobile/focus-android:branch:master -- pushes to master
Comment 4 • 7 years ago, sebastian (Reporter)
Thank you!
> You'll also want to decide *what* within the repo has access. That comes
> down to deciding what role to assign it to:
>
> repo:github.com/mozilla-mobile/focus-android:* -- everything
> repo:github.com/mozilla-mobile/focus-android:pull-request -- PRs
> repo:github.com/mozilla-mobile/focus-android:branch:* -- pushes to branches
> repo:github.com/mozilla-mobile/focus-android:branch:master -- pushes to master
Is it also possible to define :release? The secret I want to add first is needed for a task that is triggered by a GitHub release event.
Would I give access by defining this in the role manager?
Comment 5 • 7 years ago, dustin (Assignee)
(In reply to Sebastian Kaspari (:sebastian) from comment #4)
> Is it also possible to define :release? The secret I want to add first is
> needed for a task that is triggered by a github release event.
Yes:
https://docs.taskcluster.net/reference/integrations/taskcluster-github/docs/taskcluster-yml-v0#roles
> Would I give access by defining this in the role manager?
Yes, and I added scopes to do that to https://tools.taskcluster.net/auth/roles/mozilla-user%3Askaspari%40mozilla.com (I had mistakenly misnamed this role; now fixed)
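The following is an added illustration, not code from this bug or from Taskcluster itself. It models the two points made in comment 3 and comment 5: how scope patterns ending in `*` are satisfied (so that `secrets:get:project/focus/*` silently covers any secret added under that prefix later, while a scope for one named secret does not), and how the role a taskcluster-github task assumes depends on the triggering event (`:pull-request`, `:branch:<name>`, or `:release`), so that a secret granted only to the `:release` role is unreachable from pull-request tasks. The secret name `project/focus/adjust-token`, the role contents in `ROLES`, and the helper names are constructed for the example; the matching rules follow the documented Taskcluster scope semantics (exact match, or prefix match for a pattern ending in `*`, with `assume:` scopes expanded through roles in both directions).

```python
"""Model of Taskcluster scope satisfaction and taskcluster-github role
selection. Added example only; not Taskcluster's own code.

Rules modelled:
  * a scope satisfies itself exactly;
  * a scope ending in '*' satisfies any scope that starts with the text
    before the '*';
  * an 'assume:<role>' scope expands to that role's scopes, recursively;
    a role whose id ends in '*' matches any 'assume:' scope with that
    prefix, and an 'assume:...*' scope matches every role with that prefix.
"""


def satisfies(have, want):
    """True if the single scope `have` grants the single scope `want`."""
    if have == want:
        return True
    return have.endswith("*") and want.startswith(have[:-1])


def is_satisfied(have_scopes, want):
    """True if any scope in the set `have_scopes` grants `want`."""
    return any(satisfies(h, want) for h in have_scopes)


def expand(scopes, roles):
    """Expand 'assume:' scopes into the full scope set, to a fixed point."""
    result = set(scopes)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            if not scope.startswith("assume:"):
                continue
            pattern = scope[len("assume:"):]
            for role_id, role_scopes in roles.items():
                # Either side may carry the trailing '*'.
                if satisfies(pattern, role_id) or satisfies(role_id, pattern):
                    new = set(role_scopes) - result
                    if new:
                        result |= new
                        changed = True
    return result


def github_role(repo, event, branch=None):
    """Role taskcluster-github assumes for a task, by triggering event
    (role names as listed in comment 3 and comment 5)."""
    base = "repo:github.com/" + repo
    if event == "pull_request":
        return base + ":pull-request"
    if event == "release":
        return base + ":release"
    if event == "push":
        if not branch:
            raise ValueError("push events need a branch name")
        return base + ":branch:" + branch
    raise ValueError("unsupported event: %r" % (event,))


# Constructed role set for the example (hypothetical contents). The org-wide
# role mirrors the notify scopes from comment 3; the release-only role holds
# the one specific secret scope, following the "grant the specific secret"
# advice rather than secrets:get:project/focus/*.
ROLES = {
    "repo:github.com/mozilla-mobile/*": {
        "notify:email:*",
        "queue:route:notify.email.*",
        "queue:route:notify.irc-channel.*",
        "queue:create-task:aws-provisioner-v1/github-worker",
    },
    "repo:github.com/mozilla-mobile/focus-android:release": {
        "secrets:get:project/focus/adjust-token",  # hypothetical secret name
    },
}


def task_scopes(repo, event, branch=None, roles=ROLES):
    """Scopes a task triggered by `event` on `repo` ends up with."""
    return expand({"assume:" + github_role(repo, event, branch)}, roles)


if __name__ == "__main__":
    repo = "mozilla-mobile/focus-android"
    secret = "secrets:get:project/focus/adjust-token"
    for event in ("pull_request", "release"):
        scopes = task_scopes(repo, event)
        print(event, "can read Adjust token:", is_satisfied(scopes, secret))
    # The wildcard grant also covers secrets that do not exist yet.
    print("wildcard covers a future secret:",
          satisfies("secrets:get:project/focus/*",
                    "secrets:get:project/focus/new-signing-key"))
```

Run as a script it reports that only the release-triggered task can read the token, and that the `*` form would also cover a secret added later under `project/focus/`. To audit a real role set, replace `ROLES` with the output of the auth service's role listing and keep the matching functions as they are.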
Comment 6 • 7 years ago, sebastian (Reporter)
We now have group: cn=focus_android_eng,ou=groups,dc=mozilla (bug 1409431)
Comment 7 • 7 years ago, dustin (Assignee)
https://tools.taskcluster.net/auth/roles/mozilla-group%3Afocus_android_eng
and mozilla-user:skaspari@mozilla.com is deleted.
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED