1487907 - lando can't be accessed without Mozilla LDAP

Status: RESOLVED WONTFIX

(Conduit :: Lando, defect)

Description

[(no longer active)]

I had a contributor trying to land a patch with Lando which failed with the following error:

"Unfortunately, you can only login to this website using Mozilla LDAP."

Comment 1

[Steven MacLeod [:smacleod]]

This is by design. At this time Lando requires membership in the ldap group required to push to a repository. Users may view the website without ldap, but must have ldap to request landings.

This will be revisited when we have proper policies and machine readable information around code ownership.

Comment 2

[(no longer active)]

Wow, OK...  I would have thought our commit access policy decided who is able to commit to our repositories.

Does this mean that any Mozilla employee can use Lando to land code irrespective of whether they have L3 access?

Comment 3

[Mark Côté [:mcote]]

No, it checks the appropriate scm group in LDAP.  In mozilla-central's case, this would be (I believe) scm_level_3.

Maybe I'm misunderstanding you, but these LDAP groups are, at the moment anyway, how we implement the Commit Access Policy.  Later, we'd like to get finer-grained by having Lando consult a machine-readable version of the module owner & peer definitions, but for now Lando enforces the same controls that hg.mozilla.org does, that is, by consulting LDAP groups.

Comment 4

[(no longer active)]

I see, thanks for the explanation!  I originally filed this bug based on an incorrect understanding of what had happened but it turns out the true problem was the L3 access of the contributor in comment 0 being deactivated for some reason, which matches perfectly with comment 3.  So WONTFIX sounds like the right fix here (or even INVALID but who cares!)