New issue
Advanced search Search tips

Issue 897368 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Feature



Sign in to add a comment

builder doesn't have create access to chromeos-releases-test. Can we add it?

Project Member Reported by ahass...@chromium.org, Oct 19

Issue description

I'm try to see if I can redirect the paygen to use chromeos-releases-test for dumping payloads but initial work shows that bots don't have create access in chromeos-releases-test?

https://luci-logdog.appspot.com/logs/chromeos/buildbucket/cr-buildbucket.appspot.com/8932199390955567136/+/steps/PaygenBuildCanary/0/stdout

AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.create access to chromeos-releases-test/canary-channel/edgar/11163.0.0/payloads/LOCK_flag

Is it an actual access problem (in this case can we add one?) or I'm missing something else?


 
Owner: dgarr...@chromium.org
Status: Assigned (was: Untriaged)
granting bots write access to the bucket sounds fine to me.  i assume Don knows off the top of his head how to pull this off :).
I should, and I agree that it's totally reasonable.

An unrelated thought....

Right now, we have <board>-payloads and it expects to operate on production data, without users having to set --production.

More correctly, we should have the payloads configs require --production, and generate the "<board>-payloads-tryjob" configs that don't, and which are identical other than setting the "debug" option.

If you change things to go to the new bucket based on --debug, that will fit in well with how our other tryjobs work, and -payloads can stop being special cased as much.
Also..... Object Create permissions added for chromeos.bot@gmail.com.
for clarity, the signers reject sign requests on that bucket that aren't using test keys. so we might want to have the tryjob build override the key set to dev keys.
re #3, sorry, hope not spamming too much, but can we add Delete permission too? it needs to acquire a lock and delete it afterwards. This applies to removing the hash files too.

On the same note, is there any other permission that we may need to grant? Create and Delete is the least I can think of.
Oh... I thought it had delete permission.

I'm using the new IAM roles, which are Viewer / Creator / Admin.

I granted Creator.
i've turned on versioning for the bucket

Don: can you set the lifecycle to 1 year or something ?  i've never done that before myself ...
Re#5: Are you getting errors deleting from the bucket, or just trying to make sure is has deletion permissions? I think the account should have deletion already.

Re#7 Sure. 6 months is the usual period.
dgarrett$cat lifecycle.json
{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 180}}]}

dgarrett$gsutil lifecycle set ./lifecycle.json  gs://chromeos-releases-test/
Setting lifecycle configuration on gs://chromeos-releases-test/...

13:57:19: INFO: * Finished payload generation in 0:11:32.922041
13:57:25: ERROR: Failed: Build definition (board=u'edgar', version='11164.0.0', channel='canary-channel')
13:57:25: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
13:57:25: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
13:58:25: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
13:58:27: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
14:00:27: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
14:00:28: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
14:03:28: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
14:03:29: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 

14:03:29: ERROR: Traceback (most recent call last):
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/cbuildbot/stages/generic_stages.py", line 702, in Run
    self.PerformStage()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/cbuildbot/stages/release_stages.py", line 466, in PerformStage
    testdata = paygen.CreatePayloads()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/paygen/paygen_build_lib.py", line 934, in CreatePayloads
    self._CleanupBuild()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/paygen/paygen_build_lib.py", line 854, in _CleanupBuild
    recursive=True, ignore_missing=True)
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/gs.py", line 1208, in Remove
    self.DoCommand(cmd, **kwargs)
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/gs.py", line 919, in DoCommand
    raise GSCommandError(e.msg, e.result, e.exception)
GSCommandError: return code: 1; command: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
Okay, hopefully fixed.
Yeah, It can delete now. More updates coming!! :)
Labels: -Type-Bug Type-Feature
Status: Fixed (was: Assigned)
I believe this is now fixed. Please reopen if there is something else needed here.

Sign in to add a comment