Closed Bug 1484044 Opened 7 years ago Closed 7 years ago

Unable to administer tasks created via GitHub

Categories

(Taskcluster :: Operations and Service Requests, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jugglinmike, Unassigned)

Details

After signing in to the TaskCluster web UI using the Auth0/GitHub flow, I am not able to perform privileged actions against tasks I created on GitHub.com. For example, here is the error I receive when attempting to cancel a task:

> You are not authorized to perform the requested action. Please sign in and
> try again, or verify your scopes in the Credentials Manager.
>
> You do not have sufficient scopes. You are missing the following scopes:
>
> {
>   "AnyOf": [
>     "queue:cancel-task:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ/eWMsnhWzQUqsEuZxs0OV0g",
>     {
>       "AllOf": [
>         "queue:cancel-task",
>         "assume:scheduler-id:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ"
>       ]
>     }
>   ]
> }
>
> You have the scopes:
>
> [
>   "assume:everybody",
>   "assume:login-identity:mozilla-auth0/github|677252|jugglinmike",
>   "assume:project:taskcluster:tutorial",
>   "auth:create-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:delete-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:reset-access-token:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:update-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "queue:create-task:aws-provisioner-v1/tutorial",
>   "queue:get-artifact:login-identity/mozilla-auth0/github|677252|jugglinmike/*",
>   "queue:route:index.garbage.*",
>   "secrets:get:garbage/*",
>   "secrets:set:garbage/*"
> ]
>
> This request requires you to satisfy this scope expression:
>
> {
>   "AnyOf": [
>     "queue:cancel-task:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ/eWMsnhWzQUqsEuZxs0OV0g",
>     {
>       "AllOf": [
>         "queue:cancel-task",
>         "assume:scheduler-id:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ"
>       ]
>     }
>   ]
> }
Dustin, when you're back: What do you think about just giving everybody in with `login-identity:mozilla-auth0` `queue:cancel-task:taskcluster-github`? Or something along those lines?
Flags: needinfo?(dustin)
The idea that there is one and only one scope for all github-originated tasks is the big bug here. That's difficult to solve. So yes, comment 2 sounds like a good workaround.
Flags: needinfo?(dustin)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
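The scope check behind the cancel error above, as an added example that is not part of the bug thread or Taskcluster's own code: it evaluates the reported `AnyOf`/`AllOf` expression against the reporter's scopes and returns the part that is still missing. The matching rule (exact match, or prefix match for a held scope ending in `*`) and the `queue:cancel-task:taskcluster-github/*` spelling of the workaround are assumptions made for illustration.

```javascript
// Added illustration; not Taskcluster's own implementation.
// Assumed rule: a held scope satisfies a required scope when they are equal,
// or when the held scope ends in "*" and the rest is a prefix of the required.
function scopeSatisfies(held, required) {
  return held.endsWith('*')
    ? required.startsWith(held.slice(0, -1))
    : held === required;
}

// Returns null when `expr` is satisfied, otherwise the part still missing.
function missing(scopes, expr) {
  if (typeof expr === 'string') {
    return scopes.some((s) => scopeSatisfies(s, expr)) ? null : expr;
  }
  if (Array.isArray(expr.AllOf)) {
    const gaps = expr.AllOf.map((e) => missing(scopes, e)).filter((g) => g !== null);
    if (gaps.length === 0) return null;
    return gaps.length === 1 ? gaps[0] : { AllOf: gaps };
  }
  if (Array.isArray(expr.AnyOf)) {
    const gaps = expr.AnyOf.map((e) => missing(scopes, e));
    return gaps.includes(null) ? null : { AnyOf: gaps };
  }
  throw new TypeError('not a scope expression');
}

// Required expression and held scopes, copied from the error report above.
const required = { AnyOf: [
  'queue:cancel-task:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ/eWMsnhWzQUqsEuZxs0OV0g',
  { AllOf: ['queue:cancel-task',
    'assume:scheduler-id:taskcluster-github/KeoSQyMdTpm8ytZK5a2uKQ'] },
] };
const held = [
  'assume:everybody', 'assume:project:taskcluster:tutorial',
  'assume:login-identity:mozilla-auth0/github|677252|jugglinmike',
  'auth:create-client:mozilla-auth0/github|677252|jugglinmike/*',
  'auth:delete-client:mozilla-auth0/github|677252|jugglinmike/*',
  'auth:reset-access-token:mozilla-auth0/github|677252|jugglinmike/*',
  'auth:update-client:mozilla-auth0/github|677252|jugglinmike/*',
  'queue:get-artifact:login-identity/mozilla-auth0/github|677252|jugglinmike/*',
  'queue:create-task:aws-provisioner-v1/tutorial', 'queue:route:index.garbage.*',
  'secrets:get:garbage/*', 'secrets:set:garbage/*',
];
// Constructed grant: one way the workaround discussed above could be spelled.
const proposed = 'queue:cancel-task:taskcluster-github/*';

console.log(JSON.stringify(missing(held, required), null, 2)); // nothing matches
console.log(missing([...held, proposed], required)); // satisfied by the grant
```

Under the assumed rule, a grant written without the trailing `/*` would not match the per-task scope, because a scope with no `*` only satisfies itself.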
Thanks, Brian! I'm still unable to administer tasks that I initiated via GitHub. When I opened a task in the web UI and selected "Actions" then "Retrigger Tasks", I received the following error report:

> {
>   "AnyOf": [
>     {
>       "AllOf": [
>         "queue:scheduler-id:taskcluster-github",
>         {
>           "AnyOf": [
>             "queue:create-task:highest:aws-provisioner-v1/github-worker",
>             "queue:create-task:very-high:aws-provisioner-v1/github-worker",
>             "queue:create-task:high:aws-provisioner-v1/github-worker",
>             "queue:create-task:medium:aws-provisioner-v1/github-worker",
>             "queue:create-task:low:aws-provisioner-v1/github-worker",
>             "queue:create-task:very-low:aws-provisioner-v1/github-worker",
>             "queue:create-task:lowest:aws-provisioner-v1/github-worker"
>           ]
>         }
>       ]
>     },
>     {
>       "AnyOf": [
>         "queue:create-task:aws-provisioner-v1/github-worker",
>         {
>           "AllOf": [
>             "queue:define-task:aws-provisioner-v1/github-worker",
>             "queue:task-group-id:taskcluster-github/L1pM71_0TTWxqLRtBo4_wg",
>             "queue:schedule-task:taskcluster-github/L1pM71_0TTWxqLRtBo4_wg/dxnuStFNRqiVrfO4xse2nQ"
>           ]
>         }
>       ]
>     }
>   ]
> }
>
> You have the scopes:
>
> [
>   "assume:login-identity:mozilla-auth0/github|677252|jugglinmike",
>   "assume:project:taskcluster:tutorial",
>   "auth:create-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:delete-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:reset-access-token:mozilla-auth0/github|677252|jugglinmike/*",
>   "auth:update-client:mozilla-auth0/github|677252|jugglinmike/*",
>   "queue:create-task:aws-provisioner-v1/tutorial",
>   "queue:get-artifact:login-identity/mozilla-auth0/github|677252|jugglinmike/*",
>   "queue:route:index.garbage.*",
>   "secrets:get:garbage/*",
>   "secrets:set:garbage/*"
> ]
>
> This request requires you to satisfy this scope expression:
>
> {
>   "AllOf": [
>     {
>       "AnyOf": [
>         {
>           "AllOf": [
>             "queue:scheduler-id:taskcluster-github",
>             {
>               "AnyOf": [
>                 "queue:create-task:highest:aws-provisioner-v1/github-worker",
>                 "queue:create-task:very-high:aws-provisioner-v1/github-worker",
>                 "queue:create-task:high:aws-provisioner-v1/github-worker",
>                 "queue:create-task:medium:aws-provisioner-v1/github-worker",
>                 "queue:create-task:low:aws-provisioner-v1/github-worker",
>                 "queue:create-task:very-low:aws-provisioner-v1/github-worker",
>                 "queue:create-task:lowest:aws-provisioner-v1/github-worker"
>               ]
>             }
>           ]
>         },
>         {
>           "AnyOf": [
>             "queue:create-task:aws-provisioner-v1/github-worker",
>             {
>               "AllOf": [
>                 "queue:define-task:aws-provisioner-v1/github-worker",
>                 "queue:task-group-id:taskcluster-github/L1pM71_0TTWxqLRtBo4_wg",
>                 "queue:schedule-task:taskcluster-github/L1pM71_0TTWxqLRtBo4_wg/dxnuStFNRqiVrfO4xse2nQ"
>               ]
>             }
>           ]
>         }
>       ]
>     }
>   ]
> }
Flags: needinfo?(bstack)
Ah, if you want to do that sort of thing, we'll need to get a tad bit more in-depth. Does your team have an ldap group or mozillians group you manage that we can assign roles to? If you have one (or go about creating one), we can give it permissions to administer that repository!
Flags: needinfo?(bstack)
We don't have one currently. I can ask a Mozillian on our team to create one, but I'd be concerned about maintenance since the team includes many people outside of Mozilla. Do you think it would be appropriate to extend TaskCluster to support integration with GitHub's role management system? I doubt this would be a quick fix, but I ask because I know from reading Dustin's blog (most recently: [1]) that "redeployability" is a goal.

[1] http://code.v.igoro.us/posts/2018/05/shipped-and-hosted-software.html
This is definitely on our roadmap and actually I think we're going to start this year. It definitely won't be a quick fix though. You could consider making a mozillians team and just adding yourself for now? We try to avoid giving scopes directly to specific users.
> This is definitely on our roadmap and actually I think we're going to start
> this year. It definitely won't be a quick fix though.

That's great news! We can be patient :)

> You could consider making a mozillians team and just adding yourself for now?

Sure

> We try to avoid giving scopes directly to specific users.

That's a wise policy. A scope granted to me specifically wouldn't have helped my team, anyway.
Bug 1459157 created an LDAP group for web-platform-tests. For jobs running on wpt-docker-worker membership of this group should be enough to allow you to admin jobs. Jobs running against a fork of the repo use the generic github-worker and so handing out admin permissions there is harder (aiui). If you want to be added to the web-platform-tests LDAP group file a bug and I can vouch for you.
Component: Service Request → Operations and Service Requests