Closed
Bug 1437562
Opened 6 years ago
Closed 6 years ago
Mozilla-taskcluster should be issuing :push scopes, not :*
Categories
(Taskcluster :: Services, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
Details
Attachments
(2 files)
Mozilla-taskcluster is constructing scopes with `let scope = 'assume:repo:' + repourl[1] + ':*';` which includes the nightly scopes. By construction, that should be `.. + ":push"`, excluding the nightly scopes.
Comment 1 • 6 years ago (Assignee)
This was never the case.. even before we were pulling from production-branches.json, we were running with :*. Which makes me think this was intended. Per https://docs.taskcluster.net/manual/design/namespaces this should actually be `..:branch:default`, but the effect is the same
Comment 2 • 6 years ago (Assignee)
This is the set of scopes required for https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&selectedJob=161744445
I determined this by adding up all of the scopes the queue would require to call queue.createTask for each task in its task-graph.json. The question is, does expandScopes(['assume:repo:hg.mozilla.org/mozilla-central:branch:default']) satisfy this scopeset?
Comment 3 • 6 years ago (Assignee)
>>> taskcluster.scopeMatch(expanded_scopes, [required_scopes])
True
So I'm cautiously optimistic that this will work and is the right thing to do.
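Added example, not part of the bug thread or of Taskcluster's own code: a simplified Python model of the check described in comments 2 and 3, showing why `assume:<repo>:*` expands to more than `assume:<repo>:branch:default`. The role contents, the `:cron:nightly` role name and all function names are constructed for illustration.

```python
# Simplified model of Taskcluster scope satisfaction and role expansion.
# Role contents below are constructed sample data, not Mozilla's real roles.
REPO = "repo:hg.mozilla.org/mozilla-central"
ROLES = {
    REPO + ":branch:default": ["queue:create-task:constructed/build"],
    REPO + ":cron:nightly": ["queue:create-task:constructed/signing"],
}

def satisfies(held, wanted):
    """A held scope covers `wanted` if equal, or as a prefix when it ends in '*'."""
    return held == wanted or (held.endswith("*") and wanted.startswith(held[:-1]))

def role_applies(role_id, assumed):
    """True if holding 'assume:<assumed>' grants the role named `role_id`."""
    if role_id == assumed:
        return True
    if role_id.endswith("*") and assumed.startswith(role_id[:-1]):
        return True  # the role id is itself a prefix pattern
    # A trailing '*' in the assumed name selects every role under that prefix.
    return assumed.endswith("*") and role_id.startswith(assumed[:-1])

def expand_scopes(scopes, roles=ROLES):
    """Add role-granted scopes until nothing new appears (fixed point)."""
    result = set(scopes)
    pending = list(result)
    while pending:
        scope = pending.pop()
        if not scope.startswith("assume:"):
            continue
        for role_id, granted in roles.items():
            if role_applies(role_id, scope[len("assume:"):]):
                fresh = set(granted) - result
                result |= fresh
                pending.extend(fresh)
    return result

def scope_match(held, required_sets):
    """True if every scope in at least one required set is covered."""
    return any(all(any(satisfies(h, w) for h in held) for w in req)
               for req in required_sets)

if __name__ == "__main__":
    for suffix in (":*", ":branch:default"):
        start = "assume:" + REPO + suffix
        print(suffix, sorted(expand_scopes([start]) - {start}))
```

In this model the narrow scope also fails any request that explicitly requires `assume:<repo>:*`, since a scope without a trailing `*` only covers itself.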
Comment 4 • 6 years ago (Assignee)
https://github.com/taskcluster/mozilla-taskcluster/pull/124
Comment 5 • 6 years ago (Assignee)
landed..
Updated • 6 years ago (Assignee)
Group: taskcluster-security
Comment 6 • 6 years ago (Assignee)
Failed with
Feb 12 18:44:01 mozilla-taskcluster app/worker.1: Error creating task f1O6Sp8ES8CmjAdBqCoBrA for project try, You do not have sufficient scopes. You are missing the following scopes:
Feb 12 18:44:01 mozilla-taskcluster app/worker.1: assume:repo:hg.mozilla.org/try:*
Comment hidden (mozreview-request)
Comment 8 • 6 years ago (Assignee)
https://github.com/taskcluster/mozilla-taskcluster/pull/125
Comment 9 • 6 years ago (mozreview-review)
Comment on attachment 8950319 [details] Bug 1437562: only use ..:branch:default role, not :*;
https://reviewboard.mozilla.org/r/219562/#review225340
Attachment #8950319 - Flags: review?(bstack) → review+
Comment 10 • 6 years ago
Pushed by dmitchell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d58eb12ec21
only use ..:branch:default role, not :*; r=bstack
Comment 11 • 6 years ago (Assignee)
OK, that version stuck :)
Updated • 6 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Comment 12 • 6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/4d58eb12ec21
Comment 13 • 6 years ago (Assignee)
This caused problems for action tasks - bug 1437738. The issue is that we have defined action tasks as being limited to the scopes possessed by the decision task. In this bug, we limited the decision task's scopes. Bug 1437738 was an easy fix, since it was just about the name of the role. However, it also actually reduced the scopes available to action tasks, meaning that actions like https://tools.taskcluster.net/groups/UQjM8CY4Rlu5sqkUAndbIw/tasks/LRYAD2gKS1q-LokCCjp6rw/details now do not have the scopes they need to execute.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 14 • 6 years ago (Assignee)
We agreed to try adding that single scope to the :* roles for now. If that doesn't work, I will try to roll this back.
Comment 15 • 6 years ago (Assignee)
Bug 1437979 tracks removing that scope from moz-tree:level:3:gecko.
Comment 16 • 6 years ago (Assignee)
This fix seems to have been successful.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Comment 17 • 6 years ago
Uplifted to beta, to keep cotv2 working on fx59:
https://hg.mozilla.org/releases/mozilla-beta/rev/a79fca3eba79f8620b7b26ec58a4e4d5e659f732
Comment 18 • 6 years ago
Pushed by mozilla@hocat.ca:
https://hg.mozilla.org/comm-central/rev/213368cb1707
Port 168e7da279d5 to comm-central: only use ..:branch:default role, not :*; r=me
Updated • 5 years ago
Component: Integration → Services