Closed Bug 1437562 Opened 6 years ago Closed 6 years ago

Mozilla-taskcluster should be issuing :push scopes, not :*

Categories: Taskcluster :: Services, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: dustin, Assigned: dustin
Attachments: 2 files

Mozilla-taskcluster is constructing scopes with

 let scope = 'assume:repo:' + repourl[1] + ':*';

which includes the nightly scopes.  By construction, that should be `.. + ":push"`, excluding the nightly scopes.
This was never the case.. even before we were pulling from production-branches.json, we were running with :*.  Which makes me think this was intended.

Per https://docs.taskcluster.net/manual/design/namespaces this should actually be `..:branch:default`, but the effect is the same
Attached file scopes.json
This is the set of scopes required for https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&selectedJob=161744445

I determined this by adding up all of the scopes the queue would require to call queue.createTask for each task in its task-graph.json.

The question is, does expandScopes(['assume:repo:hg.mozilla.org/mozilla-central:branch:default']) satisfy this scopeset?
>>> taskcluster.scopeMatch(expanded_scopes, [required_scopes])
True

So I'm cautiously optimistic that this will work and is the right thing to do.
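
An added example, not part of the bug thread or of Mozilla's code: a simplified JavaScript model of scope satisfaction and role expansion, showing why `assume:repo:...:*` picks up every role under the repository while `assume:repo:...:branch:default` picks up only that role plus roles whose id ends in `*`. The role table and the `example:*` scopes are constructed, and `repo:...:cron:nightly` is a hypothetical name for the nightly role.

```javascript
// Simplified model of Taskcluster scope satisfaction and role expansion.
// Role contents and the example:* scopes are constructed for illustration.
const REPO = 'repo:hg.mozilla.org/mozilla-central';
const roles = {
  [`${REPO}:*`]: ['example:shared'],             // id ends in *: applies to any assume:<REPO>:...
  [`${REPO}:branch:default`]: ['example:push'],  // role for ordinary pushes
  [`${REPO}:cron:nightly`]: ['example:nightly'], // hypothetical nightly role
};

// `have` satisfies `need` if they are equal, or if `have` ends in '*' and
// `need` starts with everything before that '*'.
function satisfies(have, need) {
  return have === need ||
    (have.endsWith('*') && need.startsWith(have.slice(0, -1)));
}

// Does holding `scope` mean assuming the role `roleId`?
function assumesRole(scope, roleId) {
  if (!scope.startsWith('assume:')) return false;
  const target = scope.slice('assume:'.length);
  return target === roleId ||
    (roleId.endsWith('*') && target.startsWith(roleId.slice(0, -1))) ||
    (target.endsWith('*') && roleId.startsWith(target.slice(0, -1)));
}

// Expand to a fixed point, since role scopes may themselves be assume:... scopes.
function expandScopes(scopes, roleTable = roles) {
  const out = new Set(scopes);
  for (let grew = true; grew;) {
    grew = false;
    for (const [roleId, granted] of Object.entries(roleTable)) {
      if (![...out].some(s => assumesRole(s, roleId))) continue;
      for (const s of granted) {
        if (!out.has(s)) { out.add(s); grew = true; }
      }
    }
  }
  return [...out].sort();
}

// True when every required scope is satisfied by some held scope.
function satisfiesAll(held, required) {
  return required.every(need => held.some(have => satisfies(have, need)));
}

const wildcard = expandScopes([`assume:${REPO}:*`]);
const pushOnly = expandScopes([`assume:${REPO}:branch:default`]);
console.log({ wildcard, pushOnly });
```

Satisfaction is one-directional: the wildcard scope satisfies a requirement for the `:branch:default` scope, but the narrower scope does not satisfy a requirement written as `:*`.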
landed..
Group: taskcluster-security
Failed with

Feb 12 18:44:01 mozilla-taskcluster app/worker.1: Error creating task f1O6Sp8ES8CmjAdBqCoBrA for project try, You do not have sufficient scopes. You are missing the following scopes: 
Feb 12 18:44:01 mozilla-taskcluster app/worker.1: assume:repo:hg.mozilla.org/try:*
Comment on attachment 8950319 [details]
Bug 1437562: only use ..:branch:default role, not :*;

https://reviewboard.mozilla.org/r/219562/#review225340
Attachment #8950319 - Flags: review?(bstack) → review+
Pushed by dmitchell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d58eb12ec21
only use ..:branch:default role, not :*; r=bstack
OK, that version stuck :)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
This caused problems for action tasks - bug 1437738.

The issue is that we have defined action tasks as being limited to the scopes possessed by the decision task.  In this bug, we limited the decision task's scopes.  Bug 1437738 was an easy fix, since it was just about the name of the role.

However, it also actually reduced the scopes available to action tasks, meaning that actions like https://tools.taskcluster.net/groups/UQjM8CY4Rlu5sqkUAndbIw/tasks/LRYAD2gKS1q-LokCCjp6rw/details now do not have the scopes they need to execute.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We agreed to try adding that single scope to the :* roles for now.  If that doesn't work, I will try to roll this back.
Bug 1437979 tracks removing that scope from moz-tree:level:3:gecko.
This fix seems to have been successful.
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Pushed by mozilla@hocat.ca:
https://hg.mozilla.org/comm-central/rev/213368cb1707
Port 168e7da279d5 to comm-central: only use ..:branch:default role, not :*; r=me
Component: Integration → Services