Logging into staging taskcluster does not grant roles associated to mozilla-groups et al
Categories
(Cloud Services :: Operations: Taskcluster, defect)
Tracking
(Not tracked)
People
(Reporter: tomprince, Assigned: edunham)
References
Details
On taskcluster.net, I get various scopes associated to groups like assume:mozilla-group:releng. I'd expect this to happen on staging as well, and it isn't currently happening.
|
||
Comment 1•6 years ago
|
||
The mozilla auth0 client being used for the staging site doesn't seem to be authorized to access that kind of information. We should probably ask someone from the IAM team to update the client with the necessary permissions.
|
||
Comment 2•6 years ago
|
||
We should add something to the deployment docs about it, too.
|
|
||
Comment 4•6 years ago
|
||
Hassan, can you update the docs with the right thing to ask, and then cloudops can ask it?
|
|
||
Comment 5•6 years ago
|
||
|
|
||
Comment 6•6 years ago
|
||
Awesome. @edunham, can you update the request or otherwise coordinate with jabba / IAM folks to set up the permissions mentioned in that PR?
|
||
Updated•6 years ago
|
I worked with Jabba on this yesterday and I think the auth0 settings there now match the FirefoxCI cluster. Could you test to see if this is still an issue please?
|
Reporter | |
Comment 8•6 years ago
|
||
This still appears to be problem. When I log in to staging and look at https://stage.taskcluster.nonprod.cloudops.mozgcp.net/profile I see just an assume:login-identity:... scope. When I log in to firefox-ci and look at https://firefox-ci-tc.services.mozilla.com/profile I see a bunch of assume:mozilla-group:... scopes, corresponding to the non hris_ prefixed groups on https://sso.mozilla.com/info.
|
|
||
Comment 9•6 years ago
|
||
Seems to work now.
Description
•