If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

LDAP Access for AutolandTools

RESOLVED FIXED

Status

Infrastructure & Operations
RelOps
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: mjessome, Assigned: noahm)

Tracking

Details

(Reporter)

Description

6 years ago
We need a way to check user access permissions (L1/L3) when autolanding patches with the autoland tools.

See https://wiki.mozilla.org/BugzillaAutoLanding#Security

Thanks

Updated

6 years ago
Assignee: server-ops-releng → ebalangue
CCing Rob to check into this issue.
Assignee: ebalangue → server-ops-releng
I apologize but I'm not sure what needs done here. 

If someone could provide me with a scope of what needs done, I'll be more than happy to take care of it.
(Reporter)

Comment 3

6 years ago
Sorry for being unclear.

We are writing a set of tools that take flagged patches from bugzilla, autoland them to the try servers, and if all conditions met, to trunk.
In order to ensure that the reviewers/committers actually have the required credentials to perform these actions, our tools need to be able to check whether a given user (or set of users) have the correct bits set on their accounts specifying that they do, in fact, have the correct commit access level.
rtucker: This is early days, we'll need to sit down with our LDAP guru (is that you?) and figure out how to implement this well.
zandr:
I am not an LDAP guru, I do understand it pretty well, so perhaps I could help.

justdave and cshields would be who I would probably consider to be our ldap gurus.
I'm moving this over to the server ops general queue for more LDAP discussion.
Assignee: server-ops-releng → server-ops
Component: Server Operations: RelEng → Server Operations
QA Contact: zandr → mrz

Updated

6 years ago
Group: infra
(Reporter)

Updated

6 years ago
Blocks: 657832
(Reporter)

Comment 7

6 years ago
I  have just talked to catlee a bit about our requirements for this. Since it seems that authentication & permissions are necessary in order to search LDAP, we are wondering what is the best method to give an application permissions to search without the need for a specific user's credentials? Is it possible to give the machine access permissions without the need for authentication, or would we need credentials for the application to authenticate itself on each search?

Also, as mentioned before, the application is checking for user commit permissions -- How are these permission groups handled and stored on the Mozilla LDAP?
Component: Server Operations → Server Operations: RelEng
Assignee: server-ops → nmeyerhans
Group: infra
(Assignee)

Comment 8

6 years ago
1. An ldap bind user is required.  This will be a username/password pair that can authenticate to ldap and query it for group memberships for a given username.  I'll create this user and communicate the details to Marc out-of-band.

2. Details about how vcs permissions:  The ldap group you care about is cn=scm_level_1,ou=groups,dc=mozilla (and scm_level_2, etc).  You should be able to check that a given user (identified by email address) is in this group.
Status: NEW → ASSIGNED
(Assignee)

Comment 9

6 years ago
Actually, if the machines where this service will run are already integrated into ldap, you should be able to query for group membership locally.  For example, on the master hg hosts, I can run "groups nmeyerhans@mozilla.com" and get a list of the ldap groups of which I'm a member.  If this works on your systems, you don't need to talk directly to ldap at all and don't need a bind user.  If that works for you, it's a preferable solution from my point of view.
I don't think that will work because we need to query based on both ldap username and bugzilla username.
(Assignee)

Comment 11

6 years ago
I'm not sure you'll be able to query based on bugzilla username.  There's no mapping between bugzilla usernames and scm_level_* membership.
(Reporter)

Comment 12

6 years ago
(In reply to comment #11)
> I'm not sure you'll be able to query based on bugzilla username.  There's no
> mapping between bugzilla usernames and scm_level_* membership.

I think what catlee meant to say was that we would search for the LDAP username by querying using the bugzilla_email field in the user's LDAP entry. This seems to be the only connection between a bugzilla and LDAP identities. AFAIK though, bugzilla_email is not a mandatory field in a user's LDAP account.
Status: ASSIGNED → NEW
(Assignee)

Comment 13

6 years ago
I've created uid=autolanduser,ou=logins,dc=mozilla in ldap and communicated the password to Marc.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Blocks: 666860
Component: Server Operations: RelEng → RelOps
Product: mozilla.org → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.