+sullivan, benjhayden, nednguyen: I'm not sure what the policy is for permissions on the perf dashboard or perf waterfall. Are the perf waterfall results on perf dashboard public or internal?

Pinpoint jobs are restricted to members of chromeperf-access, which is currently Google-internal, since the perf builds and test logs have internal code in them.

JFYI, external contributors have been able to run pinpoint try jobs without troubles in the past.
I don't know when this started to change though, my last one that worked was in August.
Also I don't know it it was only available to committers, as I've been a committer for a long time.

In any case a I hope you don't set a policy preventing external contributors to access this, otherwise we are not going to be very helpful in performance related issues.

My understanding about the reasons for perf being internal-only:

1) The build logs need to be private, as they could leak information about callstacks in partner code we do not have permission to redistribute. I'm not sure if the links to the build logs would work correctly on pinpoint for external contributors?

2) In the (distant) past we occasionally had unreleased Google hardware on the perf waterfall, and did not want to leak details about the hardware or its performance. It's been many years since this was true, and i've heard of no current plans to do perf testing on unreleased devices. So I don't think this should be an issue.

The policy on the perf dashboard is that all data from the chromium.perf waterfall should be public, but sometimes data is marked internal-only by mistake.

Adding Dirk and Jason who may have some more historical context. My main question is, is it okay for pinpoint to be available to external users as long as 1) and 2) are not leaked? If we are worried about abuse, we could limit to the same set of people who have tryjob access.

As long as we're doing official builds, the logs from those builds and tests can't be public. I don't think there's an issue with simply making the results public, though. We might have to walk through the UI and see which things are okay and which aren't.

We likely want a way to run completely internal jobs, and it would be fine to have completely public jobs if they were based on completely public builds.

I'm not worried about abuse per se; as you say, tryjob access is a sufficient gate.

I agree with Dirk. I'd also say there are also examples of devices that can't be public still too. Public is fine, still have to be sensitive around Private.

But for pinpoint jobs, do they have to be official builds?

I will change Pinpoint to allow users with tryjob access to kick off jobs.

Comment 6: yes, because the internal code affects the performance of the binaries.

dtu: Just checking -- has this been enabled for non-Google users with tryjob access yet?

+1, it would be really helpful to be able to use pinpoint with a @chromium.org account.

The following revision refers to this bug:
  https://chromium.googlesource.com/catapult/+/5d5091665700495b0d212cc504fd48530565eecf

commit 5d5091665700495b0d212cc504fd48530565eecf
Author: Dave Tu <dtu@chromium.org>
Date: Thu Nov 08 19:59:55 2018

[pinpoint] Let users with tryjob access launch Pinpoint jobs.

Refactor api_request_handler to make it more flexible in the types of
authentication it can do. Instead of _AllowAnonymous(), it has an
overridable method _CheckUser() that checks the user's credentials.
This way, we can override it to accept tryjob users.

Replace PrivilegedPost() and UnprivilegedPost() with just Post().
There were no API handlers that treated privileged and unprivileged
users differently. They only needed to be overridden to do access
control.

Previously there were three tiers of access control:

* Override PrivilegedPost().
* This is now `def _CheckUser(self): self._CheckIsInternalUser()`

* Override UnprivilegedPost() and PrivilegedPost().
* This is now `def _CheckUser(self): self._CheckIsLoggedIn()`

* Override UnprivilegedPost(), PrivilegedPost(), and _AllowAnonymous().
* This is now the default behavior, allowing all users.

Bug:  chromium:895738 
Change-Id: I35a2d9116bd98170ea17caeba9f8756b9304ceb1
Reviewed-on: https://chromium-review.googlesource.com/c/1319249
Reviewed-by: Juan Antonio Navarro Pérez <perezju@chromium.org>
Commit-Queue: Dave Tu <dtu@chromium.org>

[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/timeseries2.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/test_suites.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/timeseries.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/pinpoint/handlers/new_test.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/bugs_test.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/report_names.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/report_template.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/describe.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/list_timeseries.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/pinpoint/handlers/isolate_test.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/api_request_handler.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/common/utils.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/add_histograms.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/api_request_handler_test.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/alerts.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/bugs.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/pinpoint/handlers/new.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/pinpoint/handlers/isolate.py
[modify] https://crrev.com/5d5091665700495b0d212cc504fd48530565eecf/dashboard/dashboard/api/report_generate.py

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/04baa857df8e2142aa06d5414656df7056feb52b

commit 04baa857df8e2142aa06d5414656df7056feb52b
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Nov 08 21:44:07 2018

Roll src/third_party/catapult f04a3a61ad90..5d5091665700 (1 commits)

https://chromium.googlesource.com/catapult.git/+log/f04a3a61ad90..5d5091665700


git log f04a3a61ad90..5d5091665700 --date=short --no-merges --format='%ad %ae %s'
2018-11-08 dtu@chromium.org [pinpoint] Let users with tryjob access launch Pinpoint jobs.


Created with:
  gclient setdep -r src/third_party/catapult@5d5091665700

The AutoRoll server is located here: https://autoroll.skia.org/r/catapult-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG= chromium:895738 
TBR=sullivan@chromium.org

Change-Id: Ie7de7636281943d07faae602d9e54132a5cce7dc
Reviewed-on: https://chromium-review.googlesource.com/c/1327601
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#606609}
[modify] https://crrev.com/04baa857df8e2142aa06d5414656df7056feb52b/DEPS

Fixed! All users with tryjob access should be able to kick off jobs. Please reopen if you experience otherwise.

Yes this is working, thank you very much!

Awesome! Thanks a lot!