Bug 1471987 - assign tooltool/mapper/tokens releng scopes to ldap groups
Status: Closed, RESOLVED FIXED
Opened 6 years ago; Closed 6 years ago
Categories: Taskcluster :: Operations and Service Requests, task
Tracking: Not tracked
People: Reporter: garbas, Unassigned
Attachments: 1 file, 1 obsolete file
Description

1. mozilla-group:active_scm_level_1
   - project:releng:services/releng_tooltool/download/public
   - project:releng:services/releng_tokens/usr/view/my
   - project:releng:services/releng_tokens/usr/issue
   - project:releng:services/releng_tokens/usr/revoke/my
   - project:releng:services/releng_tokens/tmp/issue

2. mozilla-group:team_moco
   - project:releng:services/releng_tooltool/download/internal
   - project:releng:services/releng_tooltool/download/public
   - project:releng:services/releng_tokens/usr/view/my
   - project:releng:services/releng_tokens/usr/issue
   - project:releng:services/releng_tokens/usr/revoke/my
   - project:releng:services/releng_tokens/tmp/issue

3. mozilla-group:vpn_tooltooleditor
   - project:releng:services/releng_tooltool/upload/internal
   - project:releng:services/releng_tooltool/upload/public
   - project:releng:services/releng_tokens/usr/view/my
   - project:releng:services/releng_tokens/usr/issue
   - project:releng:services/releng_tokens/usr/revoke/my
   - project:releng:services/releng_tokens/tmp/issue
Comment 1 • 6 years ago
Hi Rok,

Firstly apologies this has sat here unanswered for 27 days - this seems to have slipped through the net.

Regarding your requested change, it looks like adding an intermediary role might help here:

role "project:releng:services/releng_tokens/<something>" with scopes:
- project:releng:services/releng_tokens/usr/view/my
- project:releng:services/releng_tokens/usr/issue
- project:releng:services/releng_tokens/usr/revoke/my
- project:releng:services/releng_tokens/tmp/issue

Please have a think about what "<something>" should be.

Then we could add the following scopes to the existing roles:

To role "mozilla-group:active_scm_level_1", we would add scopes:
- project:releng:services/releng_tooltool/download/public
- assume:project:releng:services/releng_tokens/<something>

To role "mozilla-group:team_moco", we would add scopes:
- project:releng:services/releng_tooltool/download/internal
- project:releng:services/releng_tooltool/download/public
- assume:project:releng:services/releng_tokens/<something>

To role "mozilla-group:vpn_tooltooleditor", we would add scopes:
- project:releng:services/releng_tooltool/upload/internal
- project:releng:services/releng_tooltool/upload/public
- assume:project:releng:services/releng_tokens/<something>

Dustin, two review requests!

1) r? to the above
2) r? to adding auth:update-role:mozilla-group:* to role mozilla-group:releng (note, mozilla-group:releng already includes auth:update-role:moz-tree:*)

Rok, assuming r+ for 2) you should be able to make changes like these directly in future.
Flags: needinfo?(dustin)
Comment 2 • 6 years ago
(In reply to Pete Moore [:pmoore][:pete] from comment #1)
> Please have a think about what "<something>" should be.
Flags: needinfo?(rgarbas)
Comment 3 • 6 years ago
Both sound good. I'm working on support in bug 1465842 for doing things like (1) using ci-admin, but for the moment this sounds fine.
Flags: needinfo?(dustin)
Comment 4 (Reporter) • 6 years ago
<something> = general-issue-tokens-role

skip "-role" if you think this is redundant here

:dustin :pete thank you!
Flags: needinfo?(rgarbas)
Comment 5 • 6 years ago
Dustin, looking at mozilla-group:active_scm_level_* scopes, I wonder if it would be simpler for us to do the following:

First include a role which is assumed by level 1, so that releng can maintain a role without needing to make changes to ci-admin, for additional static scopes that all scm level 1 should have:

role "mozilla-group:active_scm_all" with scopes:
* "project:releng:services/releng_tooltool/download/public"
* "assume:project:releng:services/releng_tokens/general-issue-tokens"

Then in ci-admin, we could have:

role "mozilla-group:active_scm_level_1" includes "assume:mozilla-group:active_scm_all"
role "mozilla-group:active_scm_level_2" includes "assume:mozilla-group:active_scm_level_1"
role "mozilla-group:active_scm_level_3" includes "assume:mozilla-group:active_scm_level_2"

It seems a reasonable assumption that role for scm level n+1 will always be a superset of scopes in role for scm level n (i.e. that increasing scm level never removes any scopes).

I'm not sure if this is more confusing or less confusing overall - I wanted to avoid hardcoding "project:releng:services/releng_tooltool/download/public" and "assume:project:releng:services/releng_tokens/general-issue-tokens" in ci-admin, but at the same time it could be confusing to have role "mozilla-group:active_scm_all" when anything in "mozilla-group:active_scm_level_1" is already available to all scm levels.

Let me know what you think!

The roles "mozilla-group:team_moco" and "mozilla-group:vpn_tooltooleditor" are currently not managed by ci-admin, so no issues with me updating those, but I'll wait on doing that until we decide how we're doing this part.

Thanks!
Flags: needinfo?(dustin)
Comment 6 • 6 years ago
I don't want to add a role for an LDAP group that doesn't exist ("assume:mozilla-group:active_scm_all"). When groups are assigned, the admins add people to either group 1, group 1 and 2, or group 1, 2, and 3, so we already get that "inheritance" for free. However, to make the roles more obvious when inspecting roles, we typically grant the same scope to 1, 2, and 3, or to 2 and 3.

Also, ci-admin/ci-configuration are designed precisely *for* hard-coding things like this, so that's a good place for them. That will be a lot easier after the grants work (bug 1465842) lands. That bug is also using a lot fewer "utility roles" -- they don't make things easier for the auth service (it expands them in-memory), and the grants are a different, more expressive way to describe scopes common to several roles.

So, I think the right grants here would be

  - grant:
      - project:releng:services/releng_tokens/usr/view/my
      - project:releng:services/releng_tokens/usr/issue
      - project:releng:services/releng_tokens/usr/revoke/my
      - project:releng:services/releng_tokens/tmp/issue
      - project:releng:services/releng_tooltool/download/public
    to:
      groups: [active_scm_level_1, active_scm_level_2, active_scm_level_3, team_moco]
  - grant:
      - project:releng:services/releng_tooltool/download/internal
      - project:releng:services/releng_tooltool/download/public
    to:
      groups: [team_moco]
  - grant:
      - project:releng:services/releng_tooltool/upload/internal
      - project:releng:services/releng_tooltool/upload/public
    to:
      groups: [vpn_tooltooleditor]

Having had a look at the implementation in bug 1465842, please feel free to implement the above by hand. Since I'll forget in the next two weeks, also please put a note in that bug pointing to the above or, if you do something different, to the grants that you decide to use, so that I can incorporate it into the patch set.

Note, too, that you will need to add `assume:project:releng:ci-group:vpn_tooltooleditor` to mozilla-group:vpn_tooltooleditor and similarly for team_moco.
Flags: needinfo?(dustin)
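The discussion in comments 5 and 6 turns on how "assume:" scopes expand through roles and on what each LDAP group actually ends up being able to do. The following is an added example written for this bug, not code from ci-admin or from the Taskcluster auth service. It models the two documented Taskcluster rules (a scope ending in `*` satisfies any scope with that prefix; a scope `assume:<role>` pulls in the role's scopes transitively), feeds it the three grants from comment 6, and checks what each group gets. The wiring is an assumption: grants to `groups: [X]` are assumed to land on a role `project:releng:ci-group:X` (the role comment 6 says `mozilla-group:X` must assume), and the auth service is assumed to give a user `assume:mozilla-group:<group>` for each LDAP group they are in. It also checks the "level n+1 is a superset of level n" property from comment 5 under the group-membership pattern comment 6 describes.

```python
"""Minimal model of Taskcluster role expansion, used to check what the
grants proposed in comment 6 give each LDAP group.

Added example for this bug; not code from ci-admin or the Taskcluster
auth service. Modelled from Taskcluster's documented rules: a scope
ending in '*' satisfies any scope with that prefix, and 'assume:<role>'
pulls in that role's scopes transitively. Assumptions: grants to
`groups: [X]` land on a role 'project:releng:ci-group:X', and a user in
LDAP group X holds 'assume:mozilla-group:X'.
"""
from typing import Dict, Iterable, List, Set

# The three grants from comment 6, transcribed from the bug text.
GRANTS: List[dict] = [
    {"grant": ["project:releng:services/releng_tokens/usr/view/my",
               "project:releng:services/releng_tokens/usr/issue",
               "project:releng:services/releng_tokens/usr/revoke/my",
               "project:releng:services/releng_tokens/tmp/issue",
               "project:releng:services/releng_tooltool/download/public"],
     "to": {"groups": ["active_scm_level_1", "active_scm_level_2",
                       "active_scm_level_3", "team_moco"]}},
    {"grant": ["project:releng:services/releng_tooltool/download/internal",
               "project:releng:services/releng_tooltool/download/public"],
     "to": {"groups": ["team_moco"]}},
    {"grant": ["project:releng:services/releng_tooltool/upload/internal",
               "project:releng:services/releng_tooltool/upload/public"],
     "to": {"groups": ["vpn_tooltooleditor"]}},
]


def roles_from_grants(grants: List[dict]) -> Dict[str, Set[str]]:
    """Build role -> scopes. Assumption: each grant lands on
    project:releng:ci-group:<group>, and mozilla-group:<group> assumes it
    (the linkage comment 6 asks for on vpn_tooltooleditor and team_moco)."""
    roles: Dict[str, Set[str]] = {}
    for g in grants:
        for group in g["to"]["groups"]:
            ci_role = f"project:releng:ci-group:{group}"
            roles.setdefault(ci_role, set()).update(g["grant"])
            roles.setdefault(f"mozilla-group:{group}", set()).add(f"assume:{ci_role}")
    return roles


def satisfies(pattern: str, scope: str) -> bool:
    """A scope pattern ending in '*' satisfies any scope with that prefix;
    otherwise the match must be exact."""
    if pattern.endswith("*"):
        return scope.startswith(pattern[:-1])
    return pattern == scope


def expand(scopes: Iterable[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Expand assume:<role> scopes to a fixed point. Role ids are matched
    with satisfies(), so 'assume:foo*' pulls in every role id under foo."""
    result = set(scopes)
    while True:
        added: Set[str] = set()
        for s in result:
            if s.startswith("assume:"):
                role_pattern = s[len("assume:"):]
                for role_id, role_scopes in roles.items():
                    if satisfies(role_pattern, role_id):
                        added |= role_scopes - result
        if not added:  # nothing new: fixed point reached, so cycles terminate too
            return result
        result |= added


def effective_scopes(groups: Iterable[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Non-'assume:' scopes a user ends up with from LDAP group membership."""
    start = [f"assume:mozilla-group:{g}" for g in groups]
    return {s for s in expand(start, roles) if not s.startswith("assume:")}


def has_scope(granted: Set[str], required: str) -> bool:
    """The question the auth service answers on each request: is `required`
    satisfied by any granted scope, exactly or via a wildcard?"""
    return any(satisfies(p, required) for p in granted)


def levels_are_monotone(roles: Dict[str, Set[str]]) -> bool:
    """Comment 6: people are in group 1, groups 1+2, or groups 1+2+3, so
    scopes must never shrink as membership grows (comment 5's property)."""
    memberships = [["active_scm_level_1"],
                   ["active_scm_level_1", "active_scm_level_2"],
                   ["active_scm_level_1", "active_scm_level_2", "active_scm_level_3"]]
    sets = [effective_scopes(m, roles) for m in memberships]
    return all(sets[i] <= sets[i + 1] for i in range(len(sets) - 1))


if __name__ == "__main__":
    roles = roles_from_grants(GRANTS)
    for group in ["active_scm_level_1", "team_moco", "vpn_tooltooleditor"]:
        print(group)
        for s in sorted(effective_scopes([group], roles)):
            print("   ", s)
    print("scm levels monotone:", levels_are_monotone(roles))
```

Running it prints the resolved scopes per group; the useful checks are that no scm-level-only user resolves to `download/internal` or any upload scope, and that vpn_tooltooleditor gets only the upload scopes unless the person is also in one of the other groups.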
Comment 7 • 6 years ago
Hi Rok,

See comment 6 - are you happy to make a patch for ci-admin[1] for this? There is a video walkthrough here[2] that should be useful.

Thanks!

--
[1] https://hg.mozilla.org/build/ci-admin
[2] https://vreplay.mozilla.com/replay/showRecordingExternal.html?key=E7w1CDZmmHRMP4R
Flags: needinfo?(rgarbas)
Comment 8 (Reporter) • 6 years ago
:pmoore I will try to produce the patch. Also, the video you pointed to I cannot view: no Flash, and the Vidyo replay addon doesn't work either. Anyway, I will try to look at the commit history to see how others did it.
Flags: needinfo?(rgarbas)
Comment 9 (Reporter) • 6 years ago
Comment 10 (Reporter) • 6 years ago
:pmoore this is what I was able to understand. Also, some names of scopes changed in the meantime.
Flags: needinfo?(pmoore)
Comment 11 • 6 years ago
I've moved the review request to Tom, I think he understands this stuff better than me, and I think the intention is that RelEng become the new owners of role definitions. Many thanks!
Flags: needinfo?(pmoore) → needinfo?(mozilla)
Comment 12 • 6 years ago
:garbas, https://addons.mozilla.org/en-US/firefox/addon/vidyo-replay-download/ should be able to help with viewing the replay.
Comment 13 • 6 years ago
Comment on attachment 9011596 [details]
Bug 1471987 - assign tooltool/mapper/tokens releng scopes to ldap groups r=pmoore

Tom Prince [:tomprince] has approved the revision.
Attachment #9011596 - Flags: review+
Comment 14 • 6 years ago
Comment on attachment 9011596 [details]
Bug 1471987 - assign tooltool/mapper/tokens releng scopes to ldap groups r=pmoore

Dustin J. Mitchell [:dustin] pronoun: he has approved the revision.
Attachment #9011596 - Flags: review+
Updated • 6 years ago
Flags: needinfo?(mozilla)
Comment 15 • 6 years ago
:garbas - Can you provide an update for this bug? Are you working on it? ETA?
Flags: needinfo?(rgarbas)
Comment 16 (Reporter) • 6 years ago
:gbrown sorry, I forgot to close this once I applied this patch.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(rgarbas)
Resolution: --- → FIXED
Updated (Assignee) • 5 years ago
Component: Service Request → Operations and Service Requests
Comment 17 (Reporter) • 5 years ago
Bug 1557255 - new tooltool taskcluster scopes
Updated • 5 years ago
Attachment #9070239 - Attachment is obsolete: true