We need a way to check user access permissions (L1/L3) when autolanding patches with the autoland tools. See https://wiki.mozilla.org/BugzillaAutoLanding#Security. Thanks.
CCing Rob to check into this issue.
I apologize, but I'm not sure what needs to be done here. If someone could provide me with a scope of what needs to be done, I'll be more than happy to take care of it.
Sorry for being unclear. We are writing a set of tools that take flagged patches from bugzilla, autoland them to the try servers, and, if all conditions are met, to trunk. In order to ensure that the reviewers/committers actually have the required credentials to perform these actions, our tools need to be able to check whether a given user (or set of users) has the correct bits set on their accounts specifying that they do, in fact, have the correct commit access level.
rtucker: This is early days, we'll need to sit down with our LDAP guru (is that you?) and figure out how to implement this well.
zandr: I am not an LDAP guru, but I do understand it pretty well, so perhaps I could help. justdave and cshields would be who I would probably consider to be our ldap gurus.
I'm moving this over to the server ops general queue for more LDAP discussion.
I have just talked to catlee a bit about our requirements for this. Since it seems that authentication & permissions are necessary in order to search LDAP, we are wondering what is the best method to give an application permissions to search without the need for a specific user's credentials? Is it possible to give the machine access permissions without the need for authentication, or would we need credentials for the application to authenticate itself on each search? Also, as mentioned before, the application is checking for user commit permissions -- How are these permission groups handled and stored on the Mozilla LDAP?
1. An ldap bind user is required. This will be a username/password pair that can authenticate to ldap and query it for group memberships for a given username. I'll create this user and communicate the details to Marc out-of-band.

2. Details about vcs permissions: The ldap group you care about is cn=scm_level_1,ou=groups,dc=mozilla (and scm_level_2, etc.). You should be able to check that a given user (identified by email address) is in this group.
Actually, if the machines where this service will run are already integrated into ldap, you should be able to query for group membership locally. For example, on the master hg hosts, I can run "groups email@example.com" and get a list of the ldap groups of which I'm a member. If this works on your systems, you don't need to talk directly to ldap at all and don't need a bind user. If that works for you, it's a preferable solution from my point of view.
I don't think that will work because we need to query based on both ldap username and bugzilla username.
I'm not sure you'll be able to query based on bugzilla username. There's no mapping between bugzilla usernames and scm_level_* membership.
(In reply to comment #11)
> I'm not sure you'll be able to query based on bugzilla username. There's no
> mapping between bugzilla usernames and scm_level_* membership.

I think what catlee meant to say was that we would search for the LDAP username by querying using the bugzilla_email field in the user's LDAP entry. This seems to be the only connection between a bugzilla and LDAP identities. AFAIK though, bugzilla_email is not a mandatory field in a user's LDAP account.
I've created uid=autolanduser,ou=logins,dc=mozilla in ldap and communicated the password to Marc.
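The check that comments 9 and 13 describe, written out as an added example (this is not code from the autoland tools or from Mozilla IT): bind as the autoland user, resolve the Bugzilla account to exactly one LDAP entry through its bugzilla_email attribute, then test that entry's membership of cn=scm_level_N,ou=groups,dc=mozilla. Everything about the schema beyond what the bug states is an assumption: that user entries sit under ou=logins,dc=mozilla with `mail` and `bugzilla_email` attributes, and that the scm_level_N groups list members by DN in a `member` attribute (the real groups may use memberUid or email addresses instead). FAKE_DIRECTORY is constructed test data so the file runs offline; python_ldap_search() is the real python-ldap connection for when the bind credentials from comment 14 are in hand.

```python
# Added example for this bug, not code from the autoland tools or Mozilla IT.
# Resolve a Bugzilla login to one LDAP entry via bugzilla_email (comment 13),
# then check membership of cn=scm_level_N,ou=groups,dc=mozilla (comment 9).
# Assumptions not stated in the bug: user entries live under
# ou=logins,dc=mozilla with `mail` and `bugzilla_email`; scm_level_N groups
# list members by DN in a `member` attribute. FAKE_DIRECTORY is constructed
# data so this runs offline; python_ldap_search() builds the real connection.
import re

LOGINS_BASE = "ou=logins,dc=mozilla"
GROUPS_BASE = "ou=groups,dc=mozilla"
SCOPE_BASE, SCOPE_SUBTREE = 0, 2  # the numeric values python-ldap uses

# RFC 4515 special characters. bugzilla_email is chosen by whoever owns the
# Bugzilla account, so it is attacker-controlled input to the LDAP filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    python-ldap's ldap.filter.escape_filter_chars does the same job."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def dn_for_bugzilla_email(search, bugzilla_email):
    """Map a Bugzilla login to exactly one LDAP DN.

    Returns None when no entry carries that bugzilla_email (the field is
    optional, per comment 13) or when more than one does: an ambiguous
    mapping must never grant access."""
    flt = "(bugzilla_email=%s)" % escape_filter_value(bugzilla_email)
    hits = search(LOGINS_BASE, SCOPE_SUBTREE, flt, ["mail"])
    return hits[0][0] if len(hits) == 1 else None


def has_scm_level(search, bugzilla_email, level):
    """True only if the Bugzilla user resolves to one LDAP entry that is a
    member of cn=scm_level_<level>,ou=groups,dc=mozilla."""
    dn = dn_for_bugzilla_email(search, bugzilla_email)
    if dn is None:
        return False
    # Searching the groups subtree (not the group DN as base) means a level
    # that does not exist yields an empty result instead of NO_SUCH_OBJECT.
    flt = "(&(cn=scm_level_%d)(member=%s))" % (int(level), escape_filter_value(dn))
    return bool(search(GROUPS_BASE, SCOPE_SUBTREE, flt, ["cn"]))


def python_ldap_search(uri, bind_dn, password):
    """Return a search(base, scope, flt, attrs) callable backed by python-ldap.
    Imported lazily so this file runs without the package installed.
    bind_dn would be uid=autolanduser,ou=logins,dc=mozilla (comment 14)."""
    import ldap  # pip install python-ldap

    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)

    def search(base, scope, flt, attrs):
        # search_s returns [(dn, {attr: [bytes, ...]}), ...]; only the dn and
        # the result count are used above, so byte values need no decoding.
        return conn.search_s(base, scope, flt, attrs)

    return search


# ---- constructed stand-in for the directory, for offline testing ----------
FAKE_DIRECTORY = {
    "uid=alice,ou=logins,dc=mozilla": {
        "mail": ["alice@example.org"], "bugzilla_email": ["alice.bz@example.org"]},
    "uid=bob,ou=logins,dc=mozilla": {"mail": ["bob@example.org"]},  # no bugzilla_email
    "uid=carol,ou=logins,dc=mozilla": {
        "mail": ["carol@example.org"], "bugzilla_email": ["dup@example.org"]},
    "uid=dave,ou=logins,dc=mozilla": {
        "mail": ["dave@example.org"], "bugzilla_email": ["dup@example.org"]},
    "cn=scm_level_1,ou=groups,dc=mozilla": {"cn": ["scm_level_1"], "member": [
        "uid=alice,ou=logins,dc=mozilla", "uid=bob,ou=logins,dc=mozilla",
        "uid=carol,ou=logins,dc=mozilla", "uid=dave,ou=logins,dc=mozilla"]},
    "cn=scm_level_3,ou=groups,dc=mozilla": {"cn": ["scm_level_3"], "member": [
        "uid=alice,ou=logins,dc=mozilla"]},
}

_TERM = re.compile(r"\((\w+)=([^()]*)\)")  # escaped values contain no raw parens


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search(base, scope, flt, attrs):
    """Evaluate an equality filter, or an AND of equality filters, against
    FAKE_DIRECTORY and return python-ldap's (dn, attrs) result shape."""
    terms = [(a, _unescape(v).lower()) for a, v in _TERM.findall(flt)]
    if not terms:
        raise ValueError("fake_search supports only (a=b) and (&(a=b)(c=d)) filters")
    results = []
    for dn, entry in FAKE_DIRECTORY.items():
        in_scope = dn == base or (scope == SCOPE_SUBTREE and dn.endswith("," + base))
        if in_scope and all(any(v.lower() == want for v in entry.get(attr, []))
                            for attr, want in terms):
            results.append((dn, {k: list(v) for k, v in entry.items() if k in attrs}))
    return results


if __name__ == "__main__":
    for email, level in [("alice.bz@example.org", 1), ("bob@example.org", 1),
                         ("dup@example.org", 1), ("alice.bz@example.org)(mail=*", 1)]:
        print(email, "scm_level_%d:" % level, has_scm_level(fake_search, email, level))
```

The three refusals worth noticing in the constructed data: bob has no bugzilla_email at all, so he can never be mapped from Bugzilla even though he is in scm_level_1; carol and dave share one bugzilla_email, so the lookup is ambiguous and denied; and the last input tries to smuggle `)(mail=*` into the filter, which the escaping turns into a literal string that matches nobody.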