[realms][tint] configure but do not use realms.
Also:
* remove redundant luci-scheduler permission.
* make ./main.star executable on mac/linux.
R=rharrison
Bug: chromium:1216166
Change-Id: Iae6d915d5327218c4c1f80db273be347cf855765
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57424
Auto-Submit: Andrii Shyshkalov <tandrii@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
diff --git a/infra/config/global/generated/cr-buildbucket.cfg b/infra/config/global/generated/cr-buildbucket.cfg
index 443ac98..f55becc 100644
--- a/infra/config/global/generated/cr-buildbucket.cfg
+++ b/infra/config/global/generated/cr-buildbucket.cfg
@@ -9,10 +9,6 @@
acls {
group: "all"
}
- acls {
- role: SCHEDULER
- identity: "user:luci-scheduler@appspot.gserviceaccount.com"
- }
swarming {
builders {
name: "linux-clang-dbg-x64"
@@ -30,6 +26,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-dbg-x86"
@@ -47,6 +47,10 @@
properties_j: "target_cpu:\"x86\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-rel-x64"
@@ -64,6 +68,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-rel-x86"
@@ -81,6 +89,10 @@
properties_j: "target_cpu:\"x86\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "mac-dbg"
@@ -103,6 +115,10 @@
path: "osx_sdk"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "mac-rel"
@@ -125,6 +141,10 @@
path: "osx_sdk"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-dbg-x64"
@@ -146,6 +166,10 @@
path: "win_toolchain"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-dbg-x86"
@@ -167,6 +191,10 @@
path: "win_toolchain"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-rel-x64"
@@ -188,6 +216,10 @@
path: "win_toolchain"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-rel-x86"
@@ -209,6 +241,10 @@
path: "win_toolchain"
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-msvc-dbg-x64"
@@ -225,6 +261,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-msvc-rel-x64"
@@ -241,6 +281,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
}
}
@@ -275,6 +319,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-dbg-x86"
@@ -293,6 +341,10 @@
properties_j: "target_cpu:\"x86\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-rel-x64"
@@ -311,6 +363,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-clang-rel-x86"
@@ -329,6 +385,10 @@
properties_j: "target_cpu:\"x86\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "mac-dbg"
@@ -352,6 +412,10 @@
path: "osx_sdk"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "mac-rel"
@@ -375,6 +439,10 @@
path: "osx_sdk"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "presubmit"
@@ -391,6 +459,10 @@
properties_j: "runhooks:true"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-dbg-x64"
@@ -413,6 +485,10 @@
path: "win_toolchain"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-dbg-x86"
@@ -435,6 +511,10 @@
path: "win_toolchain"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-rel-x64"
@@ -457,6 +537,10 @@
path: "win_toolchain"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-clang-rel-x86"
@@ -479,6 +563,10 @@
path: "win_toolchain"
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-msvc-dbg-x64"
@@ -496,6 +584,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "win-msvc-rel-x64"
@@ -513,6 +605,10 @@
properties_j: "target_cpu:\"x64\""
}
service_account: "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
}
}
diff --git a/infra/config/global/generated/luci-scheduler.cfg b/infra/config/global/generated/luci-scheduler.cfg
index 6735c7a..b58acab 100644
--- a/infra/config/global/generated/luci-scheduler.cfg
+++ b/infra/config/global/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@
job {
id: "linux-clang-dbg-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -15,6 +16,7 @@
}
job {
id: "linux-clang-dbg-x86"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -24,6 +26,7 @@
}
job {
id: "linux-clang-rel-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -33,6 +36,7 @@
}
job {
id: "linux-clang-rel-x86"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -42,6 +46,7 @@
}
job {
id: "mac-dbg"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -51,6 +56,7 @@
}
job {
id: "mac-rel"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -60,6 +66,7 @@
}
job {
id: "win-clang-dbg-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -69,6 +76,7 @@
}
job {
id: "win-clang-dbg-x86"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -78,6 +86,7 @@
}
job {
id: "win-clang-rel-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -87,6 +96,7 @@
}
job {
id: "win-clang-rel-x86"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -96,6 +106,7 @@
}
job {
id: "win-msvc-dbg-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -105,6 +116,7 @@
}
job {
id: "win-msvc-rel-x64"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -114,6 +126,7 @@
}
trigger {
id: "primary-poller"
+ realm: "ci"
acl_sets: "ci"
triggers: "linux-clang-dbg-x64"
triggers: "linux-clang-dbg-x86"
diff --git a/infra/config/global/generated/realms.cfg b/infra/config/global/generated/realms.cfg
new file mode 100644
index 0000000..de88dd2
--- /dev/null
+++ b/infra/config/global/generated/realms.cfg
@@ -0,0 +1,56 @@
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+# https://luci-config.appspot.com/schemas/projects:realms.cfg
+
+realms {
+ name: "@root"
+ bindings {
+ role: "role/buildbucket.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/configs.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/logdog.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/logdog.writer"
+ principals: "group:luci-logdog-chromium-writers"
+ }
+ bindings {
+ role: "role/scheduler.owner"
+ principals: "group:project-tint-admins"
+ }
+ bindings {
+ role: "role/scheduler.reader"
+ principals: "group:all"
+ }
+}
+realms {
+ name: "ci"
+ bindings {
+ role: "role/buildbucket.builderServiceAccount"
+ principals: "user:tint-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/buildbucket.reader"
+ principals: "group:all"
+ }
+}
+realms {
+ name: "try"
+ bindings {
+ role: "role/buildbucket.builderServiceAccount"
+ principals: "user:tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/buildbucket.triggerer"
+ principals: "group:project-tint-tryjob-access"
+ principals: "group:service-account-cq"
+ }
+}
diff --git a/infra/config/global/main.star b/infra/config/global/main.star
old mode 100644
new mode 100755
index 2fb6170..e684771
--- a/infra/config/global/main.star
+++ b/infra/config/global/main.star
@@ -8,6 +8,11 @@
main.star: lucicfg configuration for Tint's standalone builers.
"""
+# Enable realms experiment.
+lucicfg.enable_experiment("crbug.com/1085650")
+# TODO(https://crbug.com/1216166): ramp up to 100%.
+luci.builder.defaults.experiments.set({"luci.use_realms": 0})
+
lucicfg.config(fail_on_warnings = True)
luci.project(
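Review bot: The comment `# Enable realms experiment.` sits above two calls that do different things, and the `0` in `{"luci.use_realms": 0}` is left unexplained. Going by the commit title and the TODO, the first call makes lucicfg emit realms.cfg and the second keeps builders at 0% realms usage, so I would say that directly, e.g. `# Generate realms.cfg (crbug.com/1085650), but keep luci.use_realms at 0% so builds do not use realms yet.` Before the ramp-up named in the TODO, compare the generated realms.cfg bindings with the legacy ACLs. The `ci` realm there has only `role/buildbucket.builderServiceAccount` and `role/buildbucket.reader`, and this commit also drops the luci-scheduler entries, so presumably scheduled ci builds must be authorised some other way once realms are enforced; confirm that. The `luci.project(` call at the end of the hunk continues outside it.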
@@ -56,9 +61,6 @@
),
acl.entry(
acl.BUILDBUCKET_TRIGGERER,
- users = [
- "luci-scheduler@appspot.gserviceaccount.com",
- ],
),
],
)