As described in Bug 733836, I'm setting up some automation to mirror a git repository to an hg repo in hg.mozilla.org. I want this automation to have its own LDAP account, and to grant it commit access only to certain hg.mozilla.org/projects. Automated mirroring is something that our team is going to be involved with more, so being able to grant commit access to a select few repositories in hg.mozilla.org would be the right way to go about it in the event that any of these automation machines get compromised.
Assignee: aignacio → mozillamarcia.knous
Component: Server Operations: Account Requests → Repository Account Requests
QA Contact: tfairfield → repo-acct-req
Malini: I imagine you want something similar to Bug 531141?
Maybe, if the calbld user has restricted access to only certain repos (under hg.mozilla.org/projects for us specifically). I didn't find the bug very clear.
This is a server-ops task. I'm guessing that this kind of restricted HG account is going to be troublesome to implement, given the current levels setup. Which exact repositories do you want this account to have access to?
Assignee: mozillamarcia.knous → server-ops-devservices
Component: Repository Account Requests → Server Operations: Developer Services
QA Contact: repo-acct-req → shyam
(In reply to Gavin Sharp (use firstname.lastname@example.org for email) from comment #3)
> This is a server-ops task. I'm guessing that this kind of restricted HG
> account is going to be troublesome to implement, given the current levels
> setup.
>
> Which exact repositories do you want this account to have access to?

The repository in question is yet to be created (Bug 733836), but this is going to be an automation LDAP account, so as more projects on the ateam's side need repository automation, more repositories will be added. At the moment, I'll just need access to the repository created in Bug 733836.
We will be running our automation from an internal machine, so we won't need to restrict its commit access to particular repositories. We now only need this account to have level 2 commit access. Any idea when we can get this LDAP account created?
LDAP stuff is handled by the infra team, reassigning.
Assignee: server-ops-devservices → server-ops-infra
Component: Server Operations: Developer Services → Server Operations: Infrastructure
QA Contact: shyam → jdow
I'll need:
- The name of the account
- a public ssh key for the account
- an ack from gavin to grant scm_level_2 privileges
Created attachment 615938: ssh pub key
Hey there, "automation" should be a good name for the account. If that's taken, then "ateamauto" should be fine.
Summary: Need a restricted LDAP account for automation → Need an LDAP account for automation
Created attachment 615949: ssh pub key
The previous public key was for an older automation machine. Updating the attachment for the new machine.
Attachment #615938 - Attachment is obsolete: true
Ok, account is created, pubkey associated. The account is uid=ateamauto,ou=logins,dc=mozilla and has the "mail" attribute of "email@example.com", which is a dummy mail address, but that is the username needed for hg, so the machine's ~/.ssh/config will need these lines in it:

    Host hg.mozilla.org
        User firstname.lastname@example.org

It's all set to go, but I'm waiting for the ack for addition to the scm_level_1 and scm_level_2 groups.
Go ahead and enable scm_level_1/scm_level_2.
Done! You should be good to go here.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations