
Issue 844113


Issue metadata

Status: WontFix
Closed: Aug 17
Pri: 2
Type: Bug




Get chromeos-infra-test team administrative access to chrome-swarming

Project Member Reported by pprabhu@chromium.org, May 17 2018

Issue description

Chrome Skylab bots are hosted on the chrome-swarming instance: http://shortn/_gSYOqxvR3A

I currently have ad-hoc access to the various bits needed to administer these bots. This bug tracks getting access for the rest of the team in a more principled manner.

Things I can think of right now:

[1] View access to the infradata repository, to update skylab bot information: https://chrome-internal.googlesource.com/infradata/config
[2] Commit access to the infradata repository, to update skylab bot information: https://chrome-internal.googlesource.com/infradata/config
[3] View access to luci-config to know what config bots are running at: https://luci-config.appspot.com/#/services/chrome-swarming 
[4] Push-button access to luci-config / process for getting new configs deployed to the chrome-swarming instance in an emergency: https://luci-config.appspot.com/#/services/chrome-swarming
 
Cc: cra...@chromium.org bpastene@chromium.org
+craigb, from cros-test-infra team: To help test access setup as we go.
+bpastene: to advise on who we should be talking to for streamlining permissions here.

Cc: vadimsh@chromium.org no...@chromium.org
+ Nodir & Vadim to correct me where I'm wrong.

[1] Should be available to all googlers. Granting read-access to groups broader than that would probably be problematic.
[2] Should be controlled via the CIA group: https://chrome-infra-auth.appspot.com/auth/groups/project-infra-internal-committers. I think we've traditionally gated access to that group via a nomination process sent to chrome-infra@, but that seems a bit much for the configs of a single swarming server. We may want to make that more granular like we did for master-manager's config repo (which has its own group).
[3] This might be https://chrome-infra-auth.appspot.com/auth/groups/config-get-by-hash, but I'm not sure how that ties into the UI.
[4] This is https://chrome-infra-auth.appspot.com/auth/groups/config-admins, of which you're a direct member. That applies to all projects, which is unfortunate. Again we may want to make that more granular at the service-level.

Comment 3 by no...@chromium.org, May 25 2018

[2] Why do you need submit permissions in infradata/config, as opposed to upload CL permission? We can review stuff.

[3] is https://chrome-internal.googlesource.com/infradata/config/+/d45fd5e/configs/luci-config/services.cfg#220

Status: WontFix (was: Assigned)
I understand the permissions better here, and I agree with #3 that we don't need these permissions given the short roundtrip time I've seen so far with chops / trooper for reviews.
