New issue
Advanced search Search tips

Issue 759852 link

Starred by 2 users
Status: Assigned
Owner:
s...@google.com
Cc:
vadimsh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Feature



Sign in to add a comment

Access to Machine Provider UI should be permitted to non-admins

Project Member Reported by phosek@chromium.org, Aug 28 2017 
Access to Machine Provider UI is currently protected by auth.is_admin (https://chromium.googlesource.com/infra/luci/luci-py/+/master/appengine/machine_provider/handlers_frontend.py#27), which is mdb/chrome-troopers on prod. That means nobody from Fuchsia can access the UI to see the machine catalog or lease requests, which is really needed once we migrate to MP. Ideally, the UI access should be governed by auth service so granting access to the UI doesn't require adding Fuchsia developers to mdb/chrome-troopers.

Comment 1 by no...@chromium.org, Aug 29 2017

Labels: -Restrict-View-Google Pri-2 Type-Feature
the UI IS governed by auth service. Requiring less privileges sounds reasonable.

Comment 2 by no...@chromium.org, Aug 29 2017

Status: Available (was: Untriaged)
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 29

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by estaab@chromium.org, Aug 30

Owner: s...@google.com
Status: Assigned (was: Untriaged)
This sounds like a useful feature request.

Comment 5 by s...@google.com, Aug 30

Cc: -smut@chromium.org

Comment 6 by s...@google.com, Aug 30

Summary: Access to Machine Provider UI should be permitted to non-admins (was: Access to Machine Provider UI should be governed by auth service)
The UI isn't very useful, which is why I haven't granted access to anyone that isn't in the administrators group on chrome-infra-auth.
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 30 

The following revision refers to this bug:
  https://chromium.googlesource.com/infra/luci/luci-py.git/+/c7e126890e1c3da72fc0ae49a379945137129d3d

commit c7e126890e1c3da72fc0ae49a379945137129d3d
Author: smut <smut@google.com>
Date: Thu Aug 30 22:51:40 2018

[Machine Provider] Create dedicated catalog viewer group

Also made minor UI changes:
Disabled suggestion to login in favor of installing a login redirect.
Updated LUCI URLs from github.com to chromium.googlesource.com.

Bug: 759852
Change-Id: Ifc449b87f254baedda46cf213a336b1bf45afa0c
Reviewed-on: https://chromium-review.googlesource.com/1197746
Commit-Queue: smut <smut@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@chromium.org>

[modify] https://crrev.com/c7e126890e1c3da72fc0ae49a379945137129d3d/appengine/machine_provider/acl.py
[modify] https://crrev.com/c7e126890e1c3da72fc0ae49a379945137129d3d/appengine/machine_provider/handlers_frontend.py
[modify] https://crrev.com/c7e126890e1c3da72fc0ae49a379945137129d3d/appengine/machine_provider/templates/root.html

Sign in to add a comment