changes to hg.m.o permissions for level 3 access on Nov 14
Categories
(Developer Services :: Mercurial: hg.mozilla.org, task)
Tracking
(Not tracked)
People
(Reporter: kmoir, Unassigned)
Attachments
(2 files)
As discussed, we will be reducing the right to push to hg.mozilla.org via ssh for level 3 folks. In order to do this, the steps are to change permissions on hg.mozilla.org for the following repos from scm_level_3 to scm_allow_direct_push.
mozilla-central
mozilla-inbound
mozilla-beta
mozilla-release
esr repos
Also, we need to fix and/or disable the lando required/manual push hook.
Target for this work is Nov 14 but let me know if this doesn't work and I can change the announcement.
Comment 1•5 years ago
Completing this bug should be as simple as running the following command for each repo, and then running hg replicatesync on the repo:
$ /var/hg/version-control-tools/scripts/repo-permissions $repo hg scm_allow_direct_push wwr
Then deactivating the Lando required/manual push hook, either by removing the code or turning the hook off (by removing mozilla.lando_required_repo_list from the hgssh hgrc file).
Leaving this information here for future reference, or in case I'm unable to do the change and someone else needs to take over.
Comment 2•5 years ago
Suggestion: make a copy of one of the repos and run that command on it to get an idea of the timing. I know that the script is faster than chmod -R, but it's not instantaneous. I have vague worries about a push happening in the middle of the update and perms getting out of whack, but I think that's more "what could possibly go wrong" than "what's likely to break".
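The concern raised in Comment 2, that a push landing mid-update could leave some paths on the old group, can be checked once the change has finished. The script below is an added example, not part of this bug or of version-control-tools; the function names and on-disk paths are hypothetical, and it assumes the `wwr` argument in Comment 1 means the tree should be group-writable.

```bash
#!/usr/bin/env bash
# Added example, not part of version-control-tools.
# Assumption: "wwr" in the repo-permissions call means group-writable, so a
# correctly updated path has the new group AND the group-write bit set.

# stragglers DIR GROUP
# Print each path under DIR that is not owned by GROUP or that lacks the
# group-write bit. GROUP may be a group name or a numeric gid.
stragglers() {
    find "$1" \( ! -group "$2" -o ! -perm -020 \) -print
}

# audit_repos GROUP DIR...
# Report a straggler count per repo. Returns 1 if any repo has stragglers
# or is missing, so the caller knows to re-run the permission change.
audit_repos() {
    local group=$1 rc=0 dir n
    shift
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"
            rc=1
            continue
        fi
        n=$(stragglers "$dir" "$group" | wc -l)
        n=$((n))    # normalise padding that some wc builds add
        if [ "$n" -gt 0 ]; then
            echo "FAIL $dir: $n path(s) not $group or not group-writable"
            rc=1
        else
            echo "ok   $dir"
        fi
    done
    return "$rc"
}

# Hypothetical invocation (paths are placeholders):
#   ./audit.sh scm_allow_direct_push /path/to/repos/mozilla-central
if [ "$#" -ge 2 ]; then
    audit_repos "$@"
fi
```

Running `stragglers` directly on a failing repo lists the exact paths that were missed.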
Comment 3•5 years ago (Reporter)
Sebastian - I talked to Connor about this this morning and he estimates it will take about 5 min per repo to change the permissions. Would it be possible to close the trees for
mozilla-central
mozilla-inbound
mozilla-beta
mozilla-release
esr repos
at 10am ET on Nov 14 to allow him to make the change? If not, let us know what would be a better time.
Comment 5•5 years ago (Reporter)
To clarify the requirements above for the hook, it would be great if we continued to track the folks who have direct access via scm_allow_direct_push via the hook.
Comment 6•5 years ago
Repo permissions changed on:
- mozilla-central
- integration/mozilla-inbound
- releases/mozilla-beta
- releases/mozilla-release
- releases/mozilla-esr10
- releases/mozilla-esr17
- releases/mozilla-esr24
- releases/mozilla-esr31
- releases/mozilla-esr38
- releases/mozilla-esr45
- releases/mozilla-esr52
- releases/mozilla-esr60
- releases/mozilla-esr68
Verified by visiting https://hg.mozilla.org/<repo>/repoinfo, i.e. https://hg.mozilla.org/mozilla-central/repoinfo
Probably not entirely necessary on most of those ESR repos, but I changed them anyway. Trees are being re-opened, we'll wait and see if anything breaks.
Pushed by cosheehan@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/4d4012c0a50f
ansible/hg-ssh: remove central and inbound from lando_required_repo_list config
Comment 8•5 years ago
Repositories with direct-push disabled have level-3 permissions. Adjust the
permissions check to support that.
Comment 9•5 years ago
Please revisit the level descriptions in hg_helper.py, in particular scm_level_3 and scm_allow_direct_push. Anyone sshing into hg.m.o is getting old information, which doesn't help if they missed the changes to level 3.
Comment 10•5 years ago
Users of hgmo can directly SSH into the service using their LDAP
key and username, which displays a short prompt indicating their
SCM level and which repos they have access to. After updating
the production Firefox repos to require an extra level of access
for direct pushes, the repos able to be accessed need an update.
Comment 11•5 years ago
Pushed by cosheehan@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/4dc115448989
pash: update scm level descriptions r=glob