Can't start try jobs on master internal.client.v8 |
||||
Issue descriptionI'm trying to use V8's try_perf script (https://cs.chromium.org/chromium/src/v8/tools/try_perf.py), but I'm getting the following error when I try to run it with an internal-only benchmark: ERROR: Access denied: User user:adamk@google.com cannot add builds to bucket master.internal.client.v8 The git cl try commandline try_perf.py is using includes "-m internal.client.v8". What do I need to do to authorize myself?
,
May 8 2017
This is configured to allow all googlers signed into their @chromium.org account, can you try that? Source: https://chrome-infra-auth.appspot.com/auth/groups/project-v8-internal-tryjob-access
,
May 8 2017
Re #1, sorry, don't know what's a bug and what's not. Let me know if there's a better way to start off such a request in future. Re #2, how do I sign into my @chromium.org account?
,
May 8 2017
Try: depot-tools-auth login codereview.chromium.org
,
May 8 2017
Nope, that doesn't help, neither when I login to my chromium.org nor google.com account. If it's relevant I'm running this command from a branch with an associated PolyGerrit issue.
,
May 8 2017
Oh gerrit, in that case try this: depot-tools-auth login chromium-reviews.googlesource.com
,
May 8 2017
Nope, same error (and again, I tried with both google.com and chromium.org accounts).
,
May 9 2017
That's odd. +agable/nodir@ - adamk@ is trying to launch a job on a bucket auth'ed to a project-v8-internal-tryjob-access group, which contains the google/googlers@chromium.org subgroup. He's tried logging into rietveld/gerrit with both his google.com/chromium.org accounts. Any idea why it wouldn't be working?
,
May 9 2017
Verified that https://chrome-infra-auth.appspot.com/auth/groups/google/googlers@chromium.org includes adamk@chromium.org. Could you point to the CL for which you tried? Is it authored and uploaded by adamk@chromium.org?
,
May 9 2017
He's running "git cl try", which means he's posting jobs to buildbucket. Authentication to rietveld/gerrit is irrelevant in this case. (And depot-tools-auth login <gerrit host>-review.googlesource.com has never done anything, as far as I know, since we use .gitcookies for that, not depot-tools-auth.) I'm not sure what auth mechanism we use when talking to buildbucket. Does it piggyback off of the tokens created by depot-tools-auth? +nodir for that.
,
May 9 2017
For reference, https://chromium-review.googlesource.com/c/498538/ is a change I've been trying to send to these try bots.
,
May 9 2017
deleted my comment 12, it was not useful or correct buildbucket logs indicate that all requests came from adamk@google.com, not adamk@chromium.org. This is a change from Rietveld to Gerrit. On codereview.chromium.org, everyone, including googlers, are authenticated with @chromium.org accounts. IIUC on Gerrit, googlers have a linked account and the @google.com is the primary one, thus buildbucket requests are always authenticated with @google.com account. This is why it stopped working. adamk@google.com was NOT in the https://chrome-infra-auth.appspot.com/auth/groups/project-v8-internal-tryjob-access. The group contained Members: user:heimbuef@google.com user:klaasb@google.com 446450136466-6e5lopuibvkord5v341iu13lmnq5t8f7@developer.gserviceaccount.com Subgroups: google/googlers@chromium.org user:heimbuef@google.com was added by tandrii. I assume heimbuef@ asked tandrii@ for help and tandrii@ did. klaasb@ was added by machenbach@ The inclusion of google/googlers@chromium.org seems to indicate that the intention was to allow googlers to schedule builds using their @chromium.org accounts. Thus, I've modified project-v8-internal-tryjob-access group to have Members: 446450136466-6e5lopuibvkord5v341iu13lmnq5t8f7@developer.gserviceaccount.com Subgroups: googlers machenbach@, I consider you the owner of the group. Please verify my changes. adamk@, please try again.
,
May 9 2017
Indeed, I can now access this. Thanks! I'll let machenbach respond to the broader questions, but I think I have a bit of context to explain the state of the world: heimbuef and klaasb were both interns, so they had no chromium.org account. That's presumably why they are (were) members of the group. I know some V8 Googlers have un-linked their google.com accounts from the chromium.org accounts, so they log in to Gerrit with their Chromium account (and thus this always worked for them).
,
May 10 2017
Thanks, I think adding subgroup googlers is reasonable for gerrit now. I also added back google/googlers@chromium.org to not break rietveld or people who unlinked their accounts. The google accounts that existed in the list were interns who have no chromium.org account and who author CLs with their google accounts. I'm a bit confused why it worked for me though in https://chromium-review.googlesource.com/c/498292 - I authored this with chromium.org account in gerrit and my accounts are linked. I had no problems starting those tryjobs... The jobs are triggered before you made your changes...
,
May 10 2017
group "googlers" includes group "google/googlers@chromium.org", so I am not sure "google/googlers@chromium.org" is needed. The builds for patchset 1 in https://chromium-review.googlesource.com/c/498292 were created by machenbach@chromium.org, which is a member "google/googlers@chromium.org". This is why it worked before my changes. I guess the main question is why @chromium.org account was used, as opposed to @google.com. That I don't know.
,
May 10 2017
Right, then it's obviously not needed. removed the group again. The second thing: Yes that's the question. Maybe rather for agable or tandrii.
,
May 10 2017
When 2 emails in Gerrit are linked, either of emails can be the primary. Most people Git admins helped have chromium.org as primary. But if person linked their account themselves, google.com can be set primary. |
||||
►
Sign in to add a comment |
||||
Comment 1 by katthomas@google.com
, May 8 2017Components: -Infra
Labels: Infra-Troopers
Status: Available (was: Untriaged)