Closed Bug 1597205 Opened 5 years ago Closed 4 years ago

New third party login for taskcluster deployments is confusing

Categories

(Tree Management :: Treeherder: Frontend, enhancement, P2)

Product:
Tree Management
Component:
Treeherder: Frontend
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: Sylvestre, Assigned: sclements)

Details

Fails with:
Taskcluster: This request requires Taskcluster credentials that satisfy the following scope expression: hooks:trigger-hook:project-gecko/in-tree-action-1-generic/ea5d85cbef --- * method: triggerHook * errorCode: InsufficientScopes * statusCode: 403 * time: 2019-11-18T10:06:13.257Z

I guess it is called by the tc migration

Add a new job is failing

Taskcluster: This request requires Taskcluster credentials that satisfy the following scope expression: hooks:trigger-hook:project-gecko/in-tree-action-1-generic/ea5d85cbef --- * method: triggerHook * errorCode: InsufficientScopes * statusCode: 403 * time: 2019-11-18T10:20:57.765Z

Summary: "Trigger all talos job" is failing with InsufficientScopes → "Add new job" & "Trigger all talos job" are failing with InsufficientScopes

Sylvestre just showed me what problem he had, it's actually just the tip of the iceberg and not the root cause. Here's what Sylvestre was doing:

  1. On Treeherder, while logged in, he tried to add new jobs
  2. It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder
  3. On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.

When I came to Sylvestre's I realized the Taskcluster tab was asking him to log in. Once he did, he could repeat step 1 and it worked.

Maybe we had the same issue with taskcluster.net. Although, Sylvestre says he's never seen it before and he doesn't remember having to deal with Taskcluster in this context. He doesn't think he was logged in either.

Hassan, do you think there's anything we can do to improve the user experience?

Component: Treeherder: Frontend → UI
Flags: needinfo?(helfi92)
Product: Tree Management → Taskcluster
Summary: "Add new job" & "Trigger all talos job" are failing with InsufficientScopes → [Firefox-CI instance] Being logged in on Treeherder doesn't automatically log you on https://firefox-ci-tc.services.mozilla.com/
Version: --- → unspecified

(In reply to Johan Lorenzo [:jlorenzo] from comment #2)

  1. It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder

The next deployment of Taskcluster UI will instruct the user to sign in to provide TC credentials to Treeherder. However, if the Taskcluster UI tab is ignored, then the user won't know. In that case, we could probably do something from the Treeherder side.

  1. On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.

The Treeherder UI could probably show a notification message when a user tries to login or when TC credentials are expired to instruct the user to complete the credential fetching flow. sclements, thoughts?

Flags: needinfo?(helfi92) → needinfo?(sclements)

(In reply to Hassan Ali (:hassan) from comment #3)

(In reply to Johan Lorenzo [:jlorenzo] from comment #2)

  1. It opened a new Taskcluster tab (on the Firefox CI instance), which Sylvestre ignored because to him, he's just dealing with Treeherder. He didn't close the tab, he just went to Treehreder

The next deployment of Taskcluster UI will instruct the user to sign in to provide TC credentials to Treeherder. However, if the Taskcluster UI tab is ignored, then the user won't know. In that case, we could probably do something from the Treeherder side.

  1. On Treeherder, there was no message saying it's waiting to hear back from Taskcluster, instead it showed the error showed on comment 0.

The Treeherder UI could probably show a notification message when a user tries to login or when TC credentials are expired to instruct the user to complete the credential fetching flow. sclements, thoughts?

That would not be simple to do. Different parts of the app (Treeherder, Perfherder, etc) use different notification systems and are not united with a top level component. My first iteration did include a message stating that taskcluster credentials are required first but users thought it looked like an error, rather than a useful note (probably because I had to use throw Error which shows it with a red banner).

However, once a new tab is opened, it does give a message showing its logging in and retrieving taskcluster credentials (or just retrieving taskcluster credentials if already logged in and the credentials have expired by the time user performs an action).

Flags: needinfo?(sclements)

Maybe we had the same issue with taskcluster.net. Although, Sylvestre says he's never seen it before and he doesn't remember having to deal with Taskcluster in this context. He doesn't think he was logged in either.

Treeherder no longer gets taskcluster.net credentials from auth0, which is also used for logging in/user and session management. Those are now separate and Treeherder holds credentials for multiple taskcluster deployments - firefox-ci and community-ci. You will continue to see the new tab open whenever credentials expire - whether this happens during login or separately when an action is performed.

In retrospect, an email notifying people of the differences in logging in/performing taskcluster actions would've made this less confusing.

Summary: [Firefox-CI instance] Being logged in on Treeherder doesn't automatically log you on https://firefox-ci-tc.services.mozilla.com/ → New third party login is confusing
Summary: New third party login is confusing → New third party login for taskcluster deployments is confusing

(In reply to Sarah Clements [:sclements] from comment #4)

That would not be simple to do. Different parts of the app (Treeherder, Perfherder, etc) use different notification systems and are not united with a top level component. My first iteration did include a message stating that taskcluster credentials are required first but users thought it looked like an error, rather than a useful note (probably because I had to use throw Error which shows it with a red banner).

An info (bluish) banner would be good. Is that something we could do?

Flags: needinfo?(sclements)

I don't think it'll be a simple change as mentioned in comment #4, but I'll look into it when I have time.

Flags: needinfo?(sclements)
Assignee: nobody → sclements
Status: NEW → ASSIGNED
Type: defect → enhancement
Priority: -- → P2
Severity: critical → normal
Component: UI → Treeherder: Frontend
Product: Taskcluster → Tree Management
Version: unspecified → ---

Is this still relevant :Sylvestre? I tried retriggering some jobs (deleting my userCredentials in local storage first) and the redirect to the taskcluster login happens so quickly and seamlessly thanks to improvements Hassan made a while back. The only place I'm thinking that could use some improvement is to show a banner in Treeherder when that happens, in case someone quickly kills the new window. Or maybe the message on that new window could be more specific than just "Getting taskcluster credentials"?

Flags: needinfo?(sledru)

I'm going to close this since I haven't received any feedback on what to change. Please reopen if it's still an issue.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(sledru)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.