Add scope secrets:set:project/bugzilla-management-dashboard/realOrg
Categories: Taskcluster :: Operations and Service Requests, task
Tracking: Not tracked
People: Reporter: calixte, Unassigned
In order to be able to modify the secret for https://github.com/mozilla/bugzilla-dashboard, could you add scope secrets:set:project/bugzilla-management-dashboard/realOrg to group mozilla-group:vpn_releasemgt?
Comment 1•5 years ago
I did the same thing as bug 1578440 comment 4 and created https://tools.taskcluster.net/auth/roles/project%3Arelman%3Abugzilla-dashboard%2Fadmins. Please let me know if it doesn't work!
Comment 2•5 years ago
I misread the request and it's actually not that similar to bug 1578440. Reopening the bug.
I chatted with Calixte, the secret is only used at [1]. Now Release Management owns this project. Therefore, Calixte created [2]. He'll change [1] to point to the new secret instead.
In the meantime, I removed the role I created in comment 1. There's no need for it at the moment.
Calixte, please ping me once the change is made on your end. This way I'll delete the old secret. Thanks :)
[1] https://github.com/mozilla/bugzilla-dashboard/blob/b1ebcad8bdefb33cec2ddaa1a5807f435475c644/src/config.js#L7
[2] https://tools.taskcluster.net/secrets/project%2Frelman%2Fbugzilla-dashboard%2FrealOrg
Comment 3•5 years ago
Chatted offline with Calixte: comment 2 doesn't work. This secret is used by an internal website. People must log in to be able to read this secret. Anybody in MoCo should be able to read it. Therefore, a secret under the project:relman namespace cannot be used.
Calixte and I backtracked who owns the original secret[1]: Armen[2] has only a single scope which is assume:project-admin:bugzilla-management-dashboard. This scope is expanded thanks to this meta-role[3].
The group Team MoCo[4] is meant to have read access on the original secret per its description:
> Scopes for the team_moco ldap group. This is all Mozilla Corporation employees. They can:
> - create and modify hooks with the garbage hookGroupId
> - view phonebook secrets
The last item is implemented by giving the group this assume scope assume:project:bugzilla-management-dashboard:view-phonebook[5]. Once expanded, the assume scope provides secrets:get:project/bugzilla-management-dashboard/* which allows anybody in the MoCo group to read any secret under the namespace project/bugzilla-management-dashboard/.
Long story short: Calixte and I chose to keep the old secret and update it. To do so, I gave the releasemgt group[6] the scope assume:project-admin:bugzilla-management-dashboard. Armen, does this solution sound good to you?
Calixte, can you let me know once this solution has been tested end-to-end? This way, I'll delete the secret we wrongly created in comment 2.
[1] https://tools.taskcluster.net/secrets/project%2Fbugzilla-management-dashboard%2FrealOrg
[2] https://tools.taskcluster.net/auth/roles/login-identity%3Amozilla-auth0%2Fad|Mozilla-LDAP|armenzg
[3] https://tools.taskcluster.net/auth/roles/project-admin%3A*
[4] https://tools.taskcluster.net/auth/roles/mozilla-group%3Ateam_moco
[5] https://tools.taskcluster.net/auth/roles/project%3Abugzilla-management-dashboard%3Aview-phonebook
[6] https://tools.taskcluster.net/auth/roles/mozilla-group%3Avpn_releasemgt
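The reasoning in comment 3 rests on two Taskcluster rules: a scope ending in `*` satisfies any scope sharing that prefix, and an `assume:<roleId>` scope expands into the scopes of the matching role (a parameterized role such as `project-admin:*` substitutes the matched suffix for `<..>` in its scopes). The script below is an added example, not code from this bug or from Taskcluster; it models those two rules in plain Python and replays the three access questions from the thread. The role table is constructed for the example: the real scopes behind `project-admin:*` are not listed on this page, so the two `secrets:*` scopes given to it here are an assumption.

```python
"""Toy model of Taskcluster scope satisfaction and role expansion.

Constructed example; role contents are assumptions, not a dump of
the real Taskcluster auth service.
"""

# Roles keyed by roleId. A roleId ending in '*' is parameterized:
# when 'assume:<prefix><suffix>' is expanded, '<..>' in its scopes
# is replaced by <suffix> (this mirrors Taskcluster's parameterized
# roles; the scope lists below are assumptions for the example).
ROLES = {
    "project-admin:*": [
        "secrets:get:project/<..>/*",
        "secrets:set:project/<..>/*",
    ],
    "project:bugzilla-management-dashboard:view-phonebook": [
        "secrets:get:project/bugzilla-management-dashboard/*",
    ],
    "mozilla-group:team_moco": [
        "assume:project:bugzilla-management-dashboard:view-phonebook",
    ],
    # The change made in comment 3 of the bug.
    "mozilla-group:vpn_releasemgt": [
        "assume:project-admin:bugzilla-management-dashboard",
    ],
}


def expand_scopes(scopes, roles):
    """Return the transitive closure of `scopes` under role expansion.

    Simplification: only exact roleIds and trailing-'*' parameterized
    roleIds are matched; an 'assume:foo*' scope matching several roles
    by prefix is not modelled here.
    """
    result = set(scopes)
    queue = list(scopes)
    while queue:
        scope = queue.pop()
        if not scope.startswith("assume:"):
            continue
        wanted = scope[len("assume:"):]
        for role_id, role_scopes in roles.items():
            if role_id.endswith("*"):
                prefix = role_id[:-1]
                if not wanted.startswith(prefix):
                    continue
                param = wanted[len(prefix):]
                granted = [s.replace("<..>", param) for s in role_scopes]
            elif role_id == wanted:
                granted = list(role_scopes)
            else:
                continue
            for new_scope in granted:
                if new_scope not in result:
                    result.add(new_scope)
                    queue.append(new_scope)
    return result


def satisfies(have, want):
    """True if any held scope equals `want` or is a '*'-prefix of it."""
    return any(
        h == want or (h.endswith("*") and want.startswith(h[:-1]))
        for h in have
    )


def can(principal_scopes, roles, want):
    """Does a principal holding `principal_scopes` satisfy `want`?"""
    return satisfies(expand_scopes(principal_scopes, roles), want)


if __name__ == "__main__":
    moco = {"assume:mozilla-group:team_moco"}
    relman = {"assume:mozilla-group:vpn_releasemgt"}
    checks = [
        ("MoCo reads original secret", moco,
         "secrets:get:project/bugzilla-management-dashboard/realOrg"),
        ("MoCo reads relman-namespace secret (comment 2)", moco,
         "secrets:get:project/relman/bugzilla-dashboard/realOrg"),
        ("MoCo writes original secret", moco,
         "secrets:set:project/bugzilla-management-dashboard/realOrg"),
        ("releasemgt writes original secret (comment 3)", relman,
         "secrets:set:project/bugzilla-management-dashboard/realOrg"),
    ]
    for label, who, want in checks:
        print(f"{label}: {can(who, ROLES, want)}")
```

Run as a script to see the four answers: MoCo members can read but not write the original secret, cannot read the relman-namespace copy at all (which is why comment 2 failed), and the releasemgt group gains write access through the meta-role rather than through a one-off `secrets:set` scope.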
Comment 4•5 years ago
> Long story short: Calixte and I chose to keep the old secret and update it. To do so, I gave the releasemgt group[6] the scope assume:project-admin:bugzilla-management-dashboard. Armen, does this solution sound good to you?
It makes sense.
Perhaps we need a note on the project to say: "If you ever own this project and need to write to the realOrg secret request via X component for Y scope to be given to the account".
Calixte, my apologies if I did not document this!
Reporter
Comment 5•5 years ago
:armen, no problem, thanks to that I learnt some things about TC.
:jlorenzo, you can delete the useless secret we created, everything works fine now :).
Comment 6•5 years ago
Okay, done! [1] is no more!
[1] https://tools.taskcluster.net/secrets/project%2Frelman%2Fbugzilla-dashboard%2FrealOrg
Comment 7•5 years ago
Can I get access to this again at its new location, thanks.
https://firefox-ci-tc.services.mozilla.com/secrets/project%2Frelman%2Fbugzilla-dashboard%2FrealOrg
Comment 8•5 years ago
Hi Mike!
I'm sorry, neither the secret you pointed out nor project/bugzilla-management-dashboard/realOrg exist on https://firefox-ci-tc.services.mozilla.com/secrets/. Therefore, I cannot provide you this access. I don't know what the status of this project is nowadays. The secret might have disappeared because of the Taskcluster split that occurred a month ago (see bug 1594010, for instance).
So, because the work is different, I'm going to close this bug. Feel free to open a new one in case you know what to do with this secret.