Closed Bug 1600627 Opened 6 years ago Closed 6 years ago

Whitelist CFR personalization instance to allow writes to RemoteSettings

Categories

(Cloud Services :: Server: Remote Settings, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: vng, Assigned: vng)

I need a whitelisted IP to allow write permission into Remote Settings.


We are running a personalization experiment for CFR which requires us to write records out to RemoteSettings.

We will be standing up a server container in Google Compute Engine which needs to be able to write to the Remote Settings server.

The writes will be automated with an update occurring every hour - we will not be using the human multi-signoff workflow.

It's not clear to me if I need to automate the multi-signoff workflow using two authenticated users or if a new Kinto user can be provisioned into both editor and reviewer roles for a specific collection. The API appears to only allow review to occur on a bucket level.

Flags: needinfo?(mathieu)

This is something that Wei or Sven can do.

Assignee: mathieu → wezhou
Flags: needinfo?(wezhou)
Flags: needinfo?(sven)
Flags: needinfo?(mathieu)

Well, you need to provide a static IP for us so that we can whitelist that on the remote settings side.

That said, Remote Settings is a service with some amount of importance; generally we should not allow developer-managed services to have write access to it. I'm cc'ing Julien for his opinion on this, or maybe his team wants to do an RRA on your software before it is allowed to write into Remote Settings (if it hasn't been done).

Thanks.

Flags: needinfo?(wezhou)
Flags: needinfo?(sven)
Flags: needinfo?(jvehent)

Thanks for flagging this, Wei. We ran the RRA a couple weeks ago. Conclusions are at https://bugzilla.mozilla.org/show_bug.cgi?id=1595178#c3.

With that said, I was operating under the assumption that cloudops would run the container that talks to Remote Settings. We indeed do not allow services managed outside of cloudops to talk to kinto-writer directly. Can we get this run by cloudops?

Flags: needinfo?(jvehent)

Thanks Julien for confirmation.

> Can we get this run by cloudops?

I wish I could answer that. :)

Victor, please chat with Habib and see if he can answer that question.

Thanks.

Assignee: wezhou → vng

After internal discussion, it looks like DataOps will manage this. They'll need Wei to acquire an OAuth user to access Remote Settings. Detailed permissions and secreview will still need to be completed.

:vng, please sync up with :jason to get this up and running.

Hi Victor,

If you haven't already, could you mimic https://bugzilla.mozilla.org/show_bug.cgi?id=1576989 and file a ticket for us? What we need is to create a user in Remote Settings that has permissions to write to whatever collections you have in mind.

Thanks.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED