Issue 708846

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


LogDog should manage PubSub ACLs itself based on a group in chrome-infra-auth

Project Member Reported by vadimsh@chromium.org, Apr 6 2017

Issue description

Manually clicking buttons in Pantheon each time we need to add or remove an account that uploads logs is very inconvenient. This is going to be a bigger problem once we start running tasks in a context of various service accounts (there'll be many accounts).

We already have 'writer_auth_groups' config. Logdog can list all service accounts specified there and add them to PubSub IAM policy. To clean up, it can list all accounts in the IAM policy and remove the ones that are no longer mentioned by 'writer_auth_groups'.

Example of recent occurrence: https://chromium-swarm.appspot.com/task?id=355946cbd72a2a10&refresh=10&show_raw=1

The service account used there is in project-fuchsia-bots group, which is included by luci-logdog-fuchsia-writers group, which is specified in the logdog config for Fuchsia: https://fuchsia.googlesource.com/manifest/+/infra/config/luci-logdog.cfg

Comment 2 by d...@chromium.org, Apr 6 2017

So the idea here would be to run a cron task, say, every minute, and have it:

1) Create a single IAM policy for publishing.
2) In a cron job, every (say) minute:
2a) Load latest auth for all publishers.
2b) Load IAM policy, diff account list, add/update accounts, write policy.

Actually, is this something "chrome-infra-auth" could do automatically? It already owns the accounts and knows when things change. What if we could bind CIA groups to IAM policies?

> 1) Create a single IAM policy for publishing.

Not sure what you mean by that. It seems Logdog currently requires all butlers to have "PubSub Publisher" and "PubSub Viewer" in projects/luci-logdog/topics/logs topic. We need to programmatically start managing IAM policy of 'projects/luci-logdog/topics/logs' object. It is currently managed by button clicking in Pantheon.

> 2) In a cron job, every (say) minute:
> 2a) Load latest auth for all publishers.
> 2b) Load IAM policy, diff account list, add/update accounts, write policy.

The problem with this approach is that strictly speaking there's no way to list all members of a group (because we support globs).

Alternatively, coordinator can add new accounts to the policy when handling prefix registration RPC:
1. RegisterPrefix RPC comes in.
2. Logdog does ACL check (as usual), using IsGroupMember.
3. Logdog checks that the account has correct role in IAM policy for the topic. Updates the policy if not. (This check can be easily cached).
4. Periodically, a cron fetches existing IAM policy for the topic, enumerates all accounts there, and verifies (again, using IsGroupMember) that all accounts belong to some authorized Logdog write groups.

> Actually, is this something "chrome-infra-auth" could do automatically? It already owns the accounts and knows when things change. What if we could bind CIA groups to IAM policies?

This seems like a premature generalization to me. It will require inventing some general config language to describe {set of CIA groups -> IAM role bindings} relations, and logdog will be the only customer. I'm opposed to this idea unless we have at least two use cases.
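The two-part reconciliation proposed in the reply above (grant the topic roles when RegisterPrefix is handled, then have a cron walk the existing policy and evict members that no longer pass IsGroupMember), as an added Go sketch that is not LogDog code and not part of the original thread. The `Policy` struct, the `isMember` callback and the sample account strings are assumptions standing in for the PubSub IAM API and chrome-infra-auth; only the role names and the "walk the policy, not the groups" constraint come from the discussion.

```go
package main

import "fmt"

// Policy mirrors a Cloud IAM policy (role -> set of members); a stand-in for
// the real PubSub topic IAM API, which this example never calls.
type Policy struct{ Bindings map[string]map[string]bool }

// Roles a butler needs on projects/luci-logdog/topics/logs, per the thread.
var writerRoles = []string{"roles/pubsub.publisher", "roles/pubsub.viewer"}

// EnsureWriter is the RegisterPrefix-time step: grant any writer role the
// account lacks. True means the policy changed and must be written back.
func EnsureWriter(p *Policy, account string) bool {
	changed := false
	for _, role := range writerRoles {
		if p.Bindings[role] == nil {
			p.Bindings[role] = map[string]bool{}
		}
		if !p.Bindings[role][account] {
			p.Bindings[role][account] = true
			changed = true
		}
	}
	return changed
}

// PruneStale is the cron step: drop every policy member that fails isMember,
// which models IsGroupMember (a group can be asked about one account but not
// enumerated, so we walk the policy, never the groups). Returns removed set.
func PruneStale(p *Policy, isMember func(string) bool) map[string]bool {
	removed := map[string]bool{}
	for _, role := range writerRoles {
		for m := range p.Bindings[role] { // deleting during range is safe in Go
			if !isMember(m) {
				delete(p.Bindings[role], m)
				removed[m] = true
			}
		}
	}
	return removed
}

func main() { // constructed sample: one current bot account, one stale one
	p := &Policy{Bindings: map[string]map[string]bool{}}
	EnsureWriter(p, "serviceAccount:bot@example.com")
	p.Bindings["roles/pubsub.publisher"]["serviceAccount:old@example.com"] = true
	isBot := func(a string) bool { return a == "serviceAccount:bot@example.com" }
	fmt.Println("removed:", PruneStale(p, isBot))
}
```

Because EnsureWriter returns false on the no-op path, the coordinator can cache that result per account and only pay for a policy read/write when a new account shows up.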

Comment 4 by d...@chromium.org, Apr 6 2017

I see, thanks for responding. Makes sense.

Comment 5 by estaab@chromium.org, Jun 22 2017

Status: Available (was: Untriaged)

Comment 6 by sheriffbot@chromium.org, Jun 22 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Owner: vadimsh@chromium.org
Status: Assigned (was: Untriaged)
Vadim, can you re-triage this bug, please?

Labels: -Hotlist-Recharge-Cold
Owner: ----
Status: Available (was: Assigned)
I still think it is a valuable feature to have. We learned to manually click buttons when adding new accounts (because stuff doesn't work), but I highly doubt we remove no longer active accounts for PubSub ACL. This should happen automatically.
