Closed
Bug 1418492
Opened 8 years ago
Closed 8 years ago
Commit Access (Level 3) for wptsync@mozilla.com - automated repository sync
Categories
(Infrastructure & Operations :: Infrastructure: LDAP, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: impossibus, Unassigned)
Attachments (1 file): 417 bytes, text/plain
This is possibly not the right process for this kind of request, so I'm hoping you can direct me.
We're working on an automated service to sync between mozilla-central and the web-platform-tests repository on GitHub. (Bug 1364564) We're at the stage where we want to deploy a prototype that syncs just with https://hg.mozilla.org/projects/elm/
Hence, we'd like wptsync@mozilla.com to have Level 2 Commit Access so we can land commits on elm.
(Once the system is production ready, we will request higher access for this account, but we're not at that point yet.)
Account info:
wptsync@mozilla.com
Mozilla web-platform-tests sync
Reporter
Comment 1•8 years ago
Updated•8 years ago
Assignee: mozillamarcia.knous → nobody
Component: Repository Account Requests → MOC: Service Requests
Product: mozilla.org → Infrastructure & Operations
QA Contact: kferrando
Updated•8 years ago
Assignee: nobody → ludovic
Status: NEW → ASSIGNED
Comment 2•8 years ago
(In reply to Maja Frydrychowicz (:maja_zf) from comment #0)
> wptsync@mozilla.com
> Mozilla web-platform-tests sync
I don't see this in LDAP, does it exist?
Hwine and fubar did this in the past, no idea how they did it; asking them here so we know.
Reporter
Comment 3•8 years ago
It doesn't exist in LDAP. Did you mean to n-i hwine?
Comment 4•8 years ago
(In reply to Maja Frydrychowicz (:maja_zf) from comment #3)
> It doesn't exist in LDAP. Did you mean to n-i hwine?
Yeah I usually just cc people on bug.
If that user doesn't exist then I'd rather have Jabba create the user with the proper bits
Assignee: ludovic → infra
Status: ASSIGNED → NEW
Component: MOC: Service Requests → Infrastructure: LDAP
Flags: needinfo?(hwine)
QA Contact: kferrando → jdow
:maja_zf - any reason you don't just pull from the existing gecko-dev or gecko-projects?
Also, why wouldn't you use lando for this?
There are definite reasons why the existing sync is only one way. While that might be relaxed for the elm twig, I'm not sure it would ever be relaxed for mozilla-central. For sure, this would need a security review prior to going live at level 3, or any other write access to mozilla-central.
Before this account is created at level 2, we should have signoff from:
- fubar (should this user, if created, have level 2 access, or just per repo access, as with vcs-sync)
- gps (is there overlap with other similar projects like lando)
Flags: needinfo?(klibby)
Flags: needinfo?(hwine)
Flags: needinfo?(gps)
Comment 6•8 years ago
I think you misunderstood the nature of the project.
The project syncs commits in the testing/web-platform/tests directory with the https://github.com/w3c/web-platform-tests repository on GitHub. We are already running such a sync and have been for about two years, but it's only semi-automated (we sync things in batches). The new project is just a refinement of that so that we perform (from the point of view of m-c) the same process, but much more frequently.
I don't understand how the gecko-dev repository is related here.
If we can push to Lando without L3 access that would work, but the goal is to automate this, so if that would mean e.g. pushing to Phabricator and then manually pushing an approval button to make things happen, it wouldn't meet our requirements.
Reporter
Comment 7•8 years ago
Yep, we certainly plan on going through a sec review. At this early stage, we've requested an RRA in Bug 1419058.
Okay - sounds like there's some confusion (on my part) about which repo is getting pushed to. That will get sorted in the RRA.
Given that, I've no concerns about level 2 access. My questions to :gps & :fubar are more about the final design, so dropping those need infos.
Flags: needinfo?(klibby)
Flags: needinfo?(gps)
Reporter
Updated•8 years ago
Summary: Commit Access (Level 2) for wptsync@mozilla.com - automated repository sync → Commit Access (Level 3) for wptsync@mozilla.com - automated repository sync
Reporter
Comment 9•8 years ago
We've been testing the service with our own LDAP accounts, using temp repos where possible. Meanwhile an RRA report has been completed by hwine, and we're following-up on recommendations: e.g. the hg hook restricting directory access for wptsync@mozilla.com to testing/web-platform (Bug 1426201) is now deployed. So... I'm updating this request to be for L3 access for use in production.
Hal, any objections? Do we need to loop in anyone else to have the L3 commit access approved? Thanks!
Flags: needinfo?(hwine)
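A sketch of the kind of per-account path restriction that comment 9 refers to, added here as an illustration; it is not Mozilla's hook from Bug 1426201 and does not use the Mercurial hook API. The function names, the `RESTRICTED_USERS` table and the sample push are assumptions constructed for this example.

```python
import posixpath

# Assumption: service accounts mapped to the only subtree each may modify.
RESTRICTED_USERS = {"wptsync@mozilla.com": "testing/web-platform"}

# Constructed sample push: (changeset id, repository-relative paths touched).
SAMPLE_PUSH = [
    ("aaa111", ["testing/web-platform/tests/dom/foo.html"]),
    ("bbb222", ["testing/web-platform-evil/x.py",
                "testing/web-platform/../../build/moz.build"]),
    ("ccc333", ["testing/web-platform/meta/dom/foo.html.ini"]),
]


def path_allowed(path, subtree):
    """True only if the repository-relative path lies strictly inside subtree."""
    if not path or path.startswith("/"):
        return False
    # Reject "..", "./" and "//" outright instead of silently resolving them.
    if posixpath.normpath(path) != path:
        return False
    # Compare against "subtree/" so a sibling such as
    # "testing/web-platform-evil" does not pass a bare prefix test.
    return path.startswith(subtree.rstrip("/") + "/")


def check_push(user, changesets):
    """Return (changeset, path) violations for a push; an empty list means accept.

    Every changeset is checked, not only the tip, so an out-of-tree change
    that a later changeset reverts is still refused.
    """
    subtree = RESTRICTED_USERS.get(user)
    if subtree is None:
        return []  # account is not restricted by this check
    violations = []
    for node, paths in changesets:
        for p in paths:
            if not path_allowed(p, subtree):
                violations.append((node, p))
    return violations


if __name__ == "__main__":
    for node, path in check_push("wptsync@mozilla.com", SAMPLE_PUSH):
        print(f"rejected {node}: {path} is outside the allowed subtree")
```
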
Comment 10•8 years ago
(In reply to Maja Frydrychowicz (:maja_zf) from comment #9)
> Hal, any objections?
I need to double check with gps on how this works. I had been under the assumption that the work in bug 1426201 would allow commit to that subtree for the wptsync user without requiring L3 access. I'll update the discussion in bug 1426201.
Comment 11•8 years ago
The RRA for the service is now complete, and the hook is in place to restrict the commit subtree. What's the next step to getting this resolved?
Comment 12•8 years ago
and the mercurial hook is even deployed to production!
Looks good to me
:jabba - this is ready to be processed.
Flags: needinfo?(hwine) → needinfo?(jdow)
Comment 13•8 years ago
I've created the account, attached the ssh key that is attached to this bug and added the user to scm_level_3. Is this correct? If so, then this should be good to go.
Flags: needinfo?(jdow)
Reporter
Comment 14•8 years ago
scm level 3 confirmed on my end -- it works! Thanks!
jdow: How do we go about changing the ssh key in the future? With an individual LDAP account, I'd do that at login.mozilla.com... but in this case?
Flags: needinfo?(jdow)
Comment 15•8 years ago
(In reply to Maja Frydrychowicz (:maja_zf) from comment #14)
> scm level 3 confirmed on my end -- it works! Thanks!
>
> jdow: How do we go about changing the ssh key in the future? With an
> individual LDAP account, I'd do that at login.mozilla.com... but in this
> case?
These will need to be handled via bugzilla (i.e. I or another LDAP admin have to do the changes).
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdow)
Resolution: --- → FIXED