Closed Bug 1471987 Opened 2 years ago Closed 1 year ago

assign tooltool/mapper/tokens releng scopes to ldap groups

Categories

(Taskcluster :: Operations and Service Requests, task)


RESOLVED FIXED

People

(Reporter: garbas, Unassigned)


Attachments

(1 file, 1 obsolete file)

1. mozilla-group:active_scm_level_1
 - project:releng:services/releng_tooltool/download/public
 - project:releng:services/releng_tokens/usr/view/my
 - project:releng:services/releng_tokens/usr/issue
 - project:releng:services/releng_tokens/usr/revoke/my
 - project:releng:services/releng_tokens/tmp/issue
2. mozilla-group:team_moco
 - project:releng:services/releng_tooltool/download/internal
 - project:releng:services/releng_tooltool/download/public
 - project:releng:services/releng_tokens/usr/view/my
 - project:releng:services/releng_tokens/usr/issue
 - project:releng:services/releng_tokens/usr/revoke/my
 - project:releng:services/releng_tokens/tmp/issue
3. mozilla-group:vpn_tooltooleditor
 - project:releng:services/releng_tooltool/upload/internal
 - project:releng:services/releng_tooltool/upload/public
 - project:releng:services/releng_tokens/usr/view/my
 - project:releng:services/releng_tokens/usr/issue
 - project:releng:services/releng_tokens/usr/revoke/my
 - project:releng:services/releng_tokens/tmp/issue
Hi Rok,

Firstly apologies this has sat here unanswered for 27 days - this seems to have slipped through the net.

Regarding your requested change, it looks like adding an intermediary role might help here:

role "project:releng:services/releng_tokens/<something>" with scopes:
 - project:releng:services/releng_tokens/usr/view/my
 - project:releng:services/releng_tokens/usr/issue
 - project:releng:services/releng_tokens/usr/revoke/my
 - project:releng:services/releng_tokens/tmp/issue

Please have a think about what "<something>" should be.

Then we could add the following scopes to the existing roles:

To role "mozilla-group:active_scm_level_1", we would add scopes:
 - project:releng:services/releng_tooltool/download/public
 - assume:project:releng:services/releng_tokens/<something>

To role "mozilla-group:team_moco", we would add scopes:
 - project:releng:services/releng_tooltool/download/internal
 - project:releng:services/releng_tooltool/download/public
 - assume:project:releng:services/releng_tokens/<something>

To role "mozilla-group:vpn_tooltooleditor", we would add scopes:
 - project:releng:services/releng_tooltool/upload/internal
 - project:releng:services/releng_tooltool/upload/public
 - assume:project:releng:services/releng_tokens/<something>
Dustin, two review requests!

1) r? to the above
2) r? to adding auth:update-role:mozilla-group:* to role mozilla-group:releng
     (note, mozilla-group:releng already includes auth:update-role:moz-tree:*)

Rok, assuming r+ for 2) you should be able to make changes like these directly in future.
Flags: needinfo?(dustin)
(In reply to Pete Moore [:pmoore][:pete] from comment #1)
> Please have a think about what "<something>" should be.
Flags: needinfo?(rgarbas)
Both sound good.  I'm working on support in bug 1465842 for doing things like (1) using ci-admin, but for the moment this sounds fine.
Flags: needinfo?(dustin)
<something> = general-issue-tokens-role

skip "-role" if you think this is redundant here
:dustin :pete thank you!
Flags: needinfo?(rgarbas)
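The role-and-assume mechanism discussed above (the intermediary role from comment 1, named general-issue-tokens as settled in comment 4), as an added Python illustration that is not Taskcluster's or ci-admin's own code: it expands a role's scopes by following assume: edges and offers a reverse lookup for auditing which roles end up holding a given scope. It assumes exact-match assume: edges only and leaves out the auth service's *-suffixed role matching.

```python
"""Taskcluster-style role expansion for the roles proposed in this bug.
Added illustration, not Taskcluster's or ci-admin's own code. Follows exact
assume:<roleId> edges only; the real auth service also matches *-suffixed role ids."""

TOKENS = "project:releng:services/releng_tokens/"
TOOLTOOL = "project:releng:services/releng_tooltool/"

# Roles from comment 1, with <something> = general-issue-tokens (comment 4).
ROLES = {
    TOKENS + "general-issue-tokens": [
        TOKENS + "usr/view/my", TOKENS + "usr/issue",
        TOKENS + "usr/revoke/my", TOKENS + "tmp/issue",
    ],
    "mozilla-group:active_scm_level_1": [
        TOOLTOOL + "download/public",
        "assume:" + TOKENS + "general-issue-tokens",
    ],
    "mozilla-group:team_moco": [
        TOOLTOOL + "download/internal", TOOLTOOL + "download/public",
        "assume:" + TOKENS + "general-issue-tokens",
    ],
    "mozilla-group:vpn_tooltooleditor": [
        TOOLTOOL + "upload/internal", TOOLTOOL + "upload/public",
        "assume:" + TOKENS + "general-issue-tokens",
    ],
}

def expand(role_id, roles=ROLES):
    """Return the full scope set a role grants, following assume: edges.
    The seen set guards against cycles (a role may assume itself indirectly)."""
    result, todo, seen = set(), [role_id], set()
    while todo:
        rid = todo.pop()
        if rid in seen:
            continue
        seen.add(rid)
        for scope in roles.get(rid, []):
            result.add(scope)  # the assume: scope itself stays in the expanded set
            if scope.startswith("assume:"):
                todo.append(scope[len("assume:"):])
    return result

def who_can(scope, roles=ROLES):
    """Reverse lookup for audits: which roles end up holding `scope`?"""
    return sorted(r for r in roles if scope in expand(r, roles))
```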
Dustin, looking at mozilla-group:active_scm_level_* scopes, I wonder if it would be simpler for us to do the following:
First include a role which is assumed by level 1, so that releng can maintain a role without needing to make changes to ci-admin, for additional static scopes that all scm level 1 should have:

role "mozilla-group:active_scm_all" with scopes:
  * "project:releng:services/releng_tooltool/download/public"
  * "assume:project:releng:services/releng_tokens/general-issue-tokens"

Then in ci-admin, we could have:

role "mozilla-group:active_scm_level_1" includes "assume:mozilla-group:active_scm_all"
role "mozilla-group:active_scm_level_2" includes "assume:mozilla-group:active_scm_level_1"
role "mozilla-group:active_scm_level_3" includes "assume:mozilla-group:active_scm_level_2"

It seems a reasonable assumption that role for scm level n+1 will always be a superset of scopes in role for scm level n (i.e. that increasing scm level never removes any scopes).

I'm not sure if this is more confusing or less confusing overall - I wanted to avoid hardcoding "project:releng:services/releng_tooltool/download/public" and "assume:project:releng:services/releng_tokens/general-issue-tokens" in ci-admin, but at the same time it could be confusing to have role "mozilla-group:active_scm_all" when anything in "mozilla-group:active_scm_level_1" is already available to all scm levels.

Let me know what you think!

The roles "mozilla-group:team_moco" and "mozilla-group:vpn_tooltooleditor" are currently not managed by ci-admin, so no issues with me updating those, but I'll wait on doing that until we decide how we're doing this part. Thanks!
Flags: needinfo?(dustin)
I don't want to add a role for an LDAP group that doesn't exist ("assume:mozilla-group:active_scm_all").

When groups are assigned, the admins add people to either group 1, group 1 and 2, or group 1, 2, and 3, so we already get that "inheritance" for free.  However, to make the roles more obvious when inspecting roles, we typically grant the same scope to 1, 2, and 3, or to 2 and 3.

Also, ci-admin/ci-configuration are designed precisely *for* hard-coding things like this, so that's a good place for them.  That will be a lot easier after the grants work (bug 1465842) lands.  That bug is also using a lot fewer "utility roles" -- they don't make things easier for the auth service (it expands them in-memory), and the grants are a different, more expressive way to describe scopes common to several roles.

So, I think the right grants here would be

- grant:
  - project:releng:services/releng_tokens/usr/view/my
  - project:releng:services/releng_tokens/usr/issue
  - project:releng:services/releng_tokens/usr/revoke/my
  - project:releng:services/releng_tokens/tmp/issue
  - project:releng:services/releng_tooltool/download/public
  to:
    groups: [active_scm_level_1, active_scm_level_2, active_scm_level_3, team_moco]

- grant:
  - project:releng:services/releng_tooltool/download/internal
  - project:releng:services/releng_tooltool/download/public
  to:
    groups: [team_moco]

- grant:
  - project:releng:services/releng_tooltool/upload/internal
  - project:releng:services/releng_tooltool/upload/public
  to:
    groups: [vpn_tooltooleditor]

Having had a look at the implementation in bug 1465842, please feel free to implement the above by hand.  Since I'll forget in the next two weeks, also please put a note in that bug pointing to the above or, if you do something different, to the grants that you decide to use, so that I can incorporate it into the patch set.

Note, too, that you will need to add `assume:project:releng:ci-group:vpn_tooltooleditor` to `mozilla-group:vpn_tooltooleditor` and similarly for team_moco.
Flags: needinfo?(dustin)
Hi Rok,

See comment 6 - are you happy to make a patch for ci-admin[1] for this? There is a video walkthrough here[2] that should be useful.

Thanks!

--

[1] https://hg.mozilla.org/build/ci-admin
[2] https://vreplay.mozilla.com/replay/showRecordingExternal.html?key=E7w1CDZmmHRMP4R
Flags: needinfo?(rgarbas)
:pmoore I will try to produce the patch.

Also, the video you pointed to I cannot view: no Flash, and the Vidyo replay addon doesn't work either. Anyway, I will try to look at the commit history to see how others did it.
Flags: needinfo?(rgarbas)
:pmoore this is what I was able to understand.

Also, some names of scopes changed in the meantime.
Flags: needinfo?(pmoore)
I've moved the review request to Tom, I think he understands this stuff better than me, and I think the intention is that RelEng become the new owners of role definitions.

Many thanks!
Flags: needinfo?(pmoore) → needinfo?(mozilla)
:garbas, https://addons.mozilla.org/en-US/firefox/addon/vidyo-replay-download/ should be able to help with viewing the replay.
Comment on attachment 9011596 [details]
Bug 1471987 - assign tooltool/mapper/tokens releng scopes to ldap groups r=pmoore

Tom Prince [:tomprince] has approved the revision.
Attachment #9011596 - Flags: review+
Comment on attachment 9011596 [details]
Bug 1471987 - assign tooltool/mapper/tokens releng scopes to ldap groups r=pmoore

Dustin J. Mitchell [:dustin] pronoun: he has approved the revision.
Attachment #9011596 - Flags: review+
Flags: needinfo?(mozilla)
:garbas - Can you provide an update for this bug? Are you working on it? ETA?
Flags: needinfo?(rgarbas)
:gbrown sorry, I forgot to close this once I applied this patch.
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(rgarbas)
Resolution: --- → FIXED
Component: Service Request → Operations and Service Requests

Bug 1557255 - new tooltool taskcluster scopes

Attachment #9070239 - Attachment is obsolete: true