New third party login for taskcluster deployments is confusing
Categories
(Tree Management :: Treeherder: Frontend, enhancement, P2)
Tracking
(Not tracked)
People
(Reporter: Sylvestre, Assigned: sclements)
Details
Fails with:
Taskcluster: This request requires Taskcluster credentials that satisfy the following scope expression: hooks:trigger-hook:project-gecko/in-tree-action-1-generic/ea5d85cbef
--- * method: triggerHook * errorCode: InsufficientScopes * statusCode: 403 * time: 2019-11-18T10:06:13.257Z
I guess it is called by the tc migration
Reporter | ||
Comment 1•5 years ago
•
|
||
Add a new job is failing
Taskcluster: This request requires Taskcluster credentials that satisfy the following scope expression: hooks:trigger-hook:project-gecko/in-tree-action-1-generic/ea5d85cbef
--- * method: triggerHook * errorCode: InsufficientScopes * statusCode: 403 * time: 2019-11-18T10:20:57.765Z
Reporter | ||
Updated•5 years ago
|
Comment 2•5 years ago
|
||
Sylvestre just showed me what problem he had, it's actually just the tip of the iceberg and not the root cause. Here's what Sylvestre was doing:
- On Treeherder, while logged in, he tried to add new jobs
- It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder
- On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.
When I came to Sylvestre's I realized the Taskcluster tab was asking him to log in. Once he did, he could repeat step 1 and it worked.
Maybe we had the same issue with taskcluster.net. Although, Sylvestre says he's never seen it before and he doesn't remember having to deal with Taskcluster in this context. He doesn't think he was logged in either.
Hassan, do you think there's anything we can do to improve the user experience?
Comment 3•5 years ago
•
|
||
(In reply to Johan Lorenzo [:jlorenzo] from comment #2)
- It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder
The next deployment of Taskcluster UI will instruct the user to sign in to provide TC credentials to Treeherder. However, if the Taskcluster UI tab is ignored, then the user won't know. In that case, we could probably do something from the Treeherder side.
- On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.
The Treeherder UI could probably show a notification message when a user tries to login or when TC credentials are expired to instruct the user to complete the credential fetching flow. sclements, thoughts?
Assignee | ||
Comment 4•5 years ago
•
|
||
(In reply to Hassan Ali (:hassan) from comment #3)
(In reply to Johan Lorenzo [:jlorenzo] from comment #2)
- It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder
The next deployment of Taskcluster UI will instruct the user to sign in to provide TC credentials to Treeherder. However, if the Taskcluster UI tab is ignored, then the user won't know. In that case, we could probably do something from the Treeherder side.
- On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.
The Treeherder UI could probably show a notification message when a user tries to login or when TC credentials are expired to instruct the user to complete the credential fetching flow. sclements, thoughts?
That would not be simple to do. Different parts of the app (Treeherder, Perfherder, etc) use different notification systems and are not united with a top level component. My first iteration did include a message stating that taskcluster credentials are required first but users thought it looked like an error, rather than a useful note (probably because I had to use throw Error
which shows it with a red banner).
However, once a new tab is opened, it does give a message showing its logging in and retrieving taskcluster credentials (or just retrieving taskcluster credentials if already logged in and the credentials have expired by the time user performs an action).
Assignee | ||
Comment 5•5 years ago
|
||
Maybe we had the same issue with taskcluster.net. Although, Sylvestre says he's never seen it before and he doesn't remember having to deal with Taskcluster in this context. He doesn't think he was logged in either.
Treeherder no longer gets taskcluster.net credentials from auth0, which is also used for logging in/user and session management. Those are now separate and Treeherder holds credentials for multiple taskcluster deployments - firefox-ci and community-ci. You will continue to see the new tab open whenever credentials expire - whether this happens during login or separately when an action is performed.
In retrospect, an email notifying people of the differences in logging in/performing taskcluster actions would've made this less confusing.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Comment 6•5 years ago
|
||
(In reply to Sarah Clements [:sclements] from comment #4)
That would not be simple to do. Different parts of the app (Treeherder, Perfherder, etc) use different notification systems and are not united with a top level component. My first iteration did include a message stating that taskcluster credentials are required first but users thought it looked like an error, rather than a useful note (probably because I had to use
throw Error
which shows it with a red banner).
An info (bluish) banner would be good. Is that something we could do?
Assignee | ||
Comment 7•5 years ago
|
||
I don't think it'll be a simple change as mentioned in comment #4, but I'll look into it when I have time.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 8•4 years ago
•
|
||
Is this still relevant :Sylvestre? I tried retriggering some jobs (deleting my userCredentials
in local storage first) and the redirect to the taskcluster login happens so quickly and seamlessly thanks to improvements Hassan made a while back. The only place I'm thinking that could use some improvement is to show a banner in Treeherder when that happens, in case someone quickly kills the new window. Or maybe the message on that new window could be more specific than just "Getting taskcluster credentials"?
Assignee | ||
Comment 9•4 years ago
|
||
I'm going to close this since I haven't received any feedback on what to change. Please reopen if it's still an issue.
Description
•