Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/build/cmd/relui: implement ACLs #68114

Closed
rolandshoemaker opened this issue Jun 21, 2024 · 4 comments
Closed

x/build/cmd/relui: implement ACLs #68114

rolandshoemaker opened this issue Jun 21, 2024 · 4 comments
Assignees
@rolandshoemaker
Labels
Builders x/build issues (builders, bots, dashboards) NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Unreleased

Comments

@rolandshoemaker
Copy link
Member

(internally go/relui-acls)

relui has a flat permissions model, allowing anyone on the IAP access list to create, delete, approve, schedule, etc any workflow they like. As more manual work is being transitioned into relui workflows across teams, the sensitivity of workflows is becoming more diverse.

We plan implement the ability to require group membership in order to interact with specific workflows. This will use the CrIA Chrome service to query membership in internal Google groups.
@rolandshoemaker rolandshoemaker self-assigned this Jun 21, 2024
@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Jun 21, 2024
@gopherbot gopherbot added this to the Unreleased milestone Jun 21, 2024
@dmitshur dmitshur moved this to In Progress in Go Release Jun 21, 2024
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 21, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/593895 mentions this issue: internal/criadb: new package

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/593915 mentions this issue: internal/relui: require group membership for workflows

gopherbot pushed a commit to golang/build that referenced this issue Aug 16, 2024
@rolandshoemaker @gopherbot
internal/criadb: new package
784e6b3 
Implement CrIA auth database replication. This fetches the database
containing group memberships from a cloud storage bucket and then
updates it every 30 seconds with +/- 10 seconds of jitter. This
duplicates the logic that is used in the LUCI server implementation and
is the solution recommended by their team.

For golang/go#68114

Change-Id: I6f120aa6180822854049e5d9b4d370cd0faa8633
Reviewed-on: https://go-review.googlesource.com/c/build/+/593895
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
@github-project-automation github-project-automation bot moved this from In Progress to Done in Go Release Aug 16, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607795 mentions this issue: internal/relui/groups: update release team group

gopherbot pushed a commit to golang/build that referenced this issue Aug 22, 2024
@dmitshur @gopherbot
internal/relui/groups: update release team group
Loading
Loading status checks…
1cd7776 
We use our policy group for Go release workflows.

For golang/go#68114.

Change-Id: I2cb31682c1072e0b2f2908d05054831ca6987bd0
Reviewed-on: https://go-review.googlesource.com/c/build/+/607795
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/624076 mentions this issue: internal/relui: serve 404 when workflow doesn't exist, fix DB tests

gopherbot pushed a commit to golang/build that referenced this issue Nov 4, 2024
@dmitshur @gopherbot
internal/relui: serve 404 when workflow doesn't exist, fix DB tests
Loading
Loading status checks…
369b103 
Relui is expected to serve 404 when a workflow that doesn't exist is
requested. Its tests, ones that run only when a database is available,
also expect that. Update a few places after CL 593915 accordingly to
serve 404 instead of 500, and update TestServerStopWorkflow to create
a workflow in the DB, since stopWorkflowHandler now fetches it as part
of checking ACLs.

For golang/go#68114.

Change-Id: I90f12a431b1f97d8be33d6404eb7e2064e50f688
Reviewed-on: https://go-review.googlesource.com/c/build/+/624076
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rolandshoemaker rolandshoemaker

Labels
Builders x/build issues (builders, bots, dashboards) NeedsFix The path to resolution is known, but the work has not been done.
Projects
Go Release
Archived in project
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@dmitshur @rolandshoemaker @gopherbot