Closed Bug 1663050 Opened 5 years ago Closed 4 years ago

Give users a clear way to remove taskcluster token (in case of errors on taskcluster side and new login token is needed)

Categories

(Tree Management :: Treeherder: Frontend, enhancement, P3)

Product:
Tree Management
Component:
Treeherder: Frontend
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: aryx, Unassigned)

Details

Retriggering jobs from the Treeherder page broke for RyanVM and sheriff Bogdan today and for me yesterday evening.

Treeherder showed the error message:
Retrigger failed with Decision task: aHBbsd1hTy2effiq_oK6jA: Error: Client with clientId 'mozilla-auth0/ad|Mozilla-LDAP|archaeopteryx/treeherder-production-NmXdeG' is disabled

<dustin> "disabled" usually happens because your userid is now missing some scopes that client has
<dustin> I'm confused why logging out of all of those things wouldn't have created a new client though
<dustin> the named client (..NmXdeG) is from two days ago

The fix is to empty Treeherder's localstorage.

Workaround: Press Shift+F9, and clear the data for Cookies and Local Storage (right click onto treeherder.mozilla.org for each to get the action).

Sarah: Please prioritize this issue on Tuesday (or Cam if Sarah is on PTO).

Flags: needinfo?(sclements)

Retriggering still works, maybe the issue is resolved if the old data is deleted and the new one isn't affected by the issue.

Logging out of Treeherder doesn't automatically clean up the Taskcluster auth token, otherwise you'd have to do that whole extra auth login step every time you log in to Treeherder. Currently the taskcluster token is valid for 3 days, so there are checks for its validity before retriggering (and when logging in to TH). I'm not sure if changing it to remove this token every time a user is logged out is the way to go (and it sounded like the fix was to delete local storage if your taskcluster token - called userCredentials - hadn't expired).

Cam, Dustin - would it be a better practice to remove the taskcluster auth token upon a user logging out?

Flags: needinfo?(sclements)
Flags: needinfo?(dustin)
Flags: needinfo?(cdawson)

I think it is surprising that logging out doesn't "reset" things having to do with logins. So strictly from a least-surprise perspective, I'd say yes.

Whether that's additional nuisance for users depends how often users login to treeherder. If that's more often than every 3 days, then perhaps it makes sense to keep the TC credentials over logout/login. If that's the choice, then maybe some distinct way to clear the TC login would be useful.

Flags: needinfo?(dustin)

Well, logging out of TH does remove user session and auth0 tokens for TH itself, just not the specific taskcluster auth token for retriggering since those are two separate things now.

Currently, TH login is every 2 hours without activity (was previously 24 hours, but somehow got changed with the taskcluster/auth0 decoupling a while back). There's a bug on my to-do list to change it back to every 24 hours. So, yeah, it might create a nuisance to also renew that taskcluster token every 24 hours too but creating an easier way to clear that token might be a good way to go.

Flags: needinfo?(cdawson)
Type: defect → enhancement
Priority: -- → P3
Summary: retriggering/adding jobs broken: Error: Client with clientId 'mozilla-auth0/ad|Mozilla-LDAP|<ldaplocalpart>/treeherder-production-PnDg3t' is disabled → Give users a clear way to clear the taskcluster token in case of errors
Summary: Give users a clear way to clear the taskcluster token in case of errors → Give users a clear way to remove taskcluster token (in case of errors on taskcluster side and new login token is needed)

This was already addressed - token is removed when a user logs out.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.