Closed Bug 1579068 Opened 5 years ago Closed 5 years ago

Add scope secrets:set:project/bugzilla-management-dashboard/realOrg

Categories

(Taskcluster :: Operations and Service Requests, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: calixte, Unassigned)

References

Details

In order to be able to modify the secret for https://github.com/mozilla/bugzilla-dashboard, could you add the scope secrets:set:project/bugzilla-management-dashboard/realOrg to the group mozilla-group:vpn_releasemgt?

Flags: needinfo?(jlorenzo)

I did the same thing as bug 1578440 comment 4 and created https://tools.taskcluster.net/auth/roles/project%3Arelman%3Abugzilla-dashboard%2Fadmins. Please let me know if it doesn't work!

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jlorenzo)
Resolution: --- → FIXED
See Also: → 1578440

I misread the request and it's actually not as similar as bug 1578440. Reopening the bug.

I chatted with Calixte, the secret is only used at [1]. Now Release Management owns this project. Therefore, Calixte created [2]. He'll change [1] to point to the new secret instead.

In the meantime, I removed the role I created in comment 1. There's no need for it at the moment.

Calixte, please ping me once the change is made on your end. This way I'll delete the old secret. Thanks :)

[1] https://github.com/mozilla/bugzilla-dashboard/blob/b1ebcad8bdefb33cec2ddaa1a5807f435475c644/src/config.js#L7
[2] https://tools.taskcluster.net/secrets/project%2Frelman%2Fbugzilla-dashboard%2FrealOrg

Status: RESOLVED → REOPENED
Flags: needinfo?(cdenizet)
Resolution: FIXED → ---
See Also: 1578440

Chatted offline with Calixte: comment 2 doesn't work. This secret is used by an internal website. People must log in to be able to read this secret. Anybody in MoCo should be able to read it. Therefore, a secret under the project:relman namespace cannot be used.

Calixte and I backtracked who owns the original secret[1]: Armen[2] has only a single scope which is assume:project-admin:bugzilla-management-dashboard. This scope is expanded thanks to this meta-role[3].
The group Team MoCo[4] is meant to have read access on the original secret per its description:

Scopes for the team_moco ldap group.

This is all Mozilla Corporation employees. They can:

  • create and modify hooks with the garbage hookGroupId
  • view phonebook secrets

The last item is implemented by giving the group this assume scope assume:project:bugzilla-management-dashboard:view-phonebook[5]. Once expanded, the assume scope provides secrets:get:project/bugzilla-management-dashboard/* which allows anybody in the MoCo group to read any secret under the namespace project/bugzilla-management-dashboard/.

Long story short: Calixte and I chose to keep the old secret and update it. To do so, I gave the releasemgt group[6] the scope assume:project-admin:bugzilla-management-dashboard. Armen, does this solution sound good to you?

Calixte, can you let me know once this solution has been tested end-to-end? This way, I'll delete the secret we wrongly created in comment 2.

[1] https://tools.taskcluster.net/secrets/project%2Fbugzilla-management-dashboard%2FrealOrg
[2] https://tools.taskcluster.net/auth/roles/login-identity%3Amozilla-auth0%2Fad|Mozilla-LDAP|armenzg
[3] https://tools.taskcluster.net/auth/roles/project-admin%3A*
[4] https://tools.taskcluster.net/auth/roles/mozilla-group%3Ateam_moco
[5] https://tools.taskcluster.net/auth/roles/project%3Abugzilla-management-dashboard%3Aview-phonebook
[6] https://tools.taskcluster.net/auth/roles/mozilla-group%3Avpn_releasemgt

Flags: needinfo?(armenzg)
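The access question in the comment above comes down to how Taskcluster expands `assume:` scopes through roles and matches trailing-`*` scopes by prefix. The following is an added example (not Taskcluster's own code or anything from this bug) that models that expansion with a constructed role table built from the roles named in comment 3. The scopes attached to the parameterized `project-admin:*` role are assumptions for illustration; the page only says the role expands `assume:project-admin:bugzilla-management-dashboard`. It shows why Team MoCo can read anything under `project/bugzilla-management-dashboard/` but nothing under `project/relman/`, and why granting vpn_releasemgt `assume:project-admin:bugzilla-management-dashboard` is what provides the `secrets:set` scope.

```python
"""Toy model of Taskcluster scope expansion (added example, not Taskcluster code).

Rules modelled:
  * a scope ending in '*' satisfies every scope that starts with the same prefix;
  * 'assume:<roleId>' grants the scopes of that role, recursively;
  * a role id ending in '*' is parameterized: '<..>' in its scopes is replaced by
    whatever followed the prefix in the assumed role id.
Wildcard 'assume:...*' scopes are not modelled here.
"""

# Constructed role table. Role ids are the ones named in comment 3; the scopes
# of project-admin:* are an ASSUMPTION, not taken from the page.
ROLES = {
    "mozilla-group:team_moco": [
        "assume:project:bugzilla-management-dashboard:view-phonebook",
    ],
    "project:bugzilla-management-dashboard:view-phonebook": [
        "secrets:get:project/bugzilla-management-dashboard/*",
    ],
    "project-admin:*": [  # parameterized meta-role, scopes assumed
        "secrets:get:project/<..>/*",
        "secrets:set:project/<..>/*",
    ],
    "mozilla-group:vpn_releasemgt": [  # after the change made in comment 3
        "assume:project-admin:bugzilla-management-dashboard",
    ],
    "login-identity:mozilla-auth0/ad|Mozilla-LDAP|armenzg": [
        "assume:project-admin:bugzilla-management-dashboard",
    ],
}


def satisfies(held: str, required: str) -> bool:
    """A held scope satisfies a required one if equal, or by trailing-* prefix."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def role_scopes(role_id: str, roles: dict) -> list:
    """Scopes granted directly by assuming role_id, honouring parameterized roles."""
    granted = []
    for rid, scopes in roles.items():
        if rid.endswith("*"):
            prefix = rid[:-1]
            if role_id.startswith(prefix):
                param = role_id[len(prefix):]
                granted.extend(s.replace("<..>", param) for s in scopes)
        elif rid == role_id:
            granted.extend(scopes)
    return granted


def expand(scopes, roles: dict = ROLES) -> set:
    """Fixed-point expansion: keep following assume:* scopes until nothing new appears."""
    result = set(scopes)
    frontier = list(scopes)
    while frontier:
        scope = frontier.pop()
        if scope.startswith("assume:"):
            for granted in role_scopes(scope[len("assume:"):], roles):
                if granted not in result:
                    result.add(granted)
                    frontier.append(granted)
    return result


def can(principal_scopes, required: str, roles: dict = ROLES) -> bool:
    """Does a principal holding principal_scopes satisfy the required scope?"""
    return any(satisfies(h, required) for h in expand(principal_scopes, roles))


if __name__ == "__main__":
    moco = ["assume:mozilla-group:team_moco"]
    relman = ["assume:mozilla-group:vpn_releasemgt"]
    old = "project/bugzilla-management-dashboard/realOrg"
    new = "project/relman/bugzilla-dashboard/realOrg"
    print("MoCo reads old secret:", can(moco, f"secrets:get:{old}"))
    print("MoCo reads relman secret:", can(moco, f"secrets:get:{new}"))
    print("MoCo writes old secret:", can(moco, f"secrets:set:{old}"))
    print("releasemgt writes old secret:", can(relman, f"secrets:set:{old}"))
```

The read-only scope Team MoCo ends up with is exactly `secrets:get:project/bugzilla-management-dashboard/*`, so the fix that keeps the dashboard readable by every MoCo employee has to stay inside that namespace; moving the secret to `project/relman/...` falls outside the prefix and silently breaks the read path, which is what comment 3 describes.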

> Long story short: Calixte and I chose to keep the old secret and update it. To do so, I gave the releasemgt group[6] the scope assume:project-admin:bugzilla-management-dashboard. Armen, does this solution sound good to you?

It makes sense.

Perhaps we need a note on the project to say: "If you ever own this project and need to write to the realOrg secret request via X component for Y scope to be given to the account".

Calixte, my apologies if I did not document this!

Flags: needinfo?(armenzg)

:armen, no problem, thanks to that I learnt some things about TC.
:jlorenzo, you can delete the useless secret we created, everything works fine now :).

Flags: needinfo?(cdenizet)
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Hi Mike!

I'm sorry, neither the secret you pointed out nor project/bugzilla-management-dashboard/realOrg exists on https://firefox-ci-tc.services.mozilla.com/secrets/. Therefore, I cannot provide you with this access. I don't know what the status of this project is nowadays. The secret might have disappeared because of the Taskcluster split that occurred a month ago (see bug 1594010, for instance).

So, because the work is different, I'm going to close this bug. Feel free to open a new one if you know what to do with this secret.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
See Also: → 1594010