
Need an LDAP account for automation

RESOLVED FIXED

Status

Infrastructure & Operations
Infrastructure: Other
6 years ago
4 years ago

People

(Reporter: mdas, Assigned: jabba)

Attachments

(1 attachment, 1 obsolete attachment)

As described in Bug 733836, I'm setting up some automation to mirror a git repository to an hg repo in hg.mozilla.org. I want this automation to have its own LDAP account, and to grant it commit access to only certain hg.mozilla.org/projects.

Automated mirroring is something that our team is going to be involved with more, so being able to grant commit access to a select few repositories in hg.mozilla.org would be the right way to go about it in the event that any of these automation machines get compromised.

Updated

6 years ago
Assignee: desktop-support → aignacio

Updated

6 years ago
Assignee: aignacio → mozillamarcia.knous
Component: Server Operations: Account Requests → Repository Account Requests
QA Contact: tfairfield → repo-acct-req
Malini: I imagine you want something similar to Bug 531141?
Maybe, if the calbld user has restricted access to only certain repos (under hg.mozilla.org/projects for us specifically). I didn't find the bug very clear.
This is a server-ops task. I'm guessing that this kind of restricted HG account is going to be troublesome to implement, given the current levels setup.

Which exact repositories do you want this account to have access to?
Assignee: mozillamarcia.knous → server-ops-devservices
Component: Repository Account Requests → Server Operations: Developer Services
QA Contact: repo-acct-req → shyam
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #3)
> This is a server-ops task. I'm guessing that this kind of restricted HG
> account is going to be troublesome to implement, given the current levels
> setup.
> 
> Which exact repositories do you want this account to have access to?

The repository in question is yet to be created (Bug 733836), but this is going to be an automation LDAP account, so as more projects on the ateam's side need repository automation, more repositories will be added. At the moment, I'll just need access to the repository created in Bug 733836.
We will be running our automation from an internal machine, so we won't need to restrict its commit access to particular repositories.

We now only need this account to have level 2 commit access. Any idea when we can get this LDAP account created?
LDAP stuff is handled by the infra team, reassigning.
Assignee: server-ops-devservices → server-ops-infra
Component: Server Operations: Developer Services → Server Operations: Infrastructure
QA Contact: shyam → jdow
(Assignee)

Updated

6 years ago
Assignee: server-ops-infra → jdow
(Assignee)

Comment 7

6 years ago
I'll need:

The name of the account
a public ssh key for the account
an ack from gavin to grant scm_level_2 privileges
Created attachment 615938 [details]
ssh pub key

Hey there,

"automation" should be a good name for the account. If that's taken, then "ateamauto" should be fine.
Summary: Need a restricted LDAP account for automation → Need an LDAP account for automation
Created attachment 615949 [details]
ssh pub key

The previous public key was for an older automation machine. Updating the attachment for the new machine.
Attachment #615938 - Attachment is obsolete: true
(Assignee)

Comment 10

6 years ago
Ok, account is created, pubkey associated. The account is uid=ateamauto,ou=logins,dc=mozilla and has the "mail" attribute of "ateamauto@mozilla.com", which is a dummy mail address, but that is the username needed for hg, so the machine's ~/.ssh/config will need these lines in it:

Host hg.mozilla.org
User ateamauto@mozilla.com

It's all set to go, but I'm waiting for the ack for addition to the scm_level_1 and scm_level_2 groups.
Go ahead and enable scm_level_1/scm_level_2.
(Assignee)

Comment 12

6 years ago
Done! You should be good to go here.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations