[realms][dawn] configure but not use realms.

Also:
 * remove redundant luci-scheduler permission.
 * make ./main.star executable on mac/linux.

R=rharrison

Bug: chromium:1216166
Change-Id: Icd5e1612f7d201b640eeafa7217342b97e0fe5aa
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/57464
Auto-Submit: Andrii Shyshkalov <tandrii@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
diff --git a/infra/config/global/generated/cr-buildbucket.cfg b/infra/config/global/generated/cr-buildbucket.cfg
index 318035c..a21f1e2 100644
--- a/infra/config/global/generated/cr-buildbucket.cfg
+++ b/infra/config/global/generated/cr-buildbucket.cfg
@@ -9,10 +9,6 @@
   acls {
     group: "all"
   }
-  acls {
-    role: SCHEDULER
-    identity: "user:luci-scheduler@appspot.gserviceaccount.com"
-  }
   swarming {
     builders {
       name: "cron-linux-clang-rel-x64"
@@ -31,6 +27,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-dbg-x64"
@@ -48,6 +48,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-dbg-x86"
@@ -65,6 +69,10 @@
         properties_j: "target_cpu:\"x86\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-rel-x64"
@@ -82,6 +90,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-rel-x86"
@@ -99,6 +111,10 @@
         properties_j: "target_cpu:\"x86\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "mac-dbg"
@@ -120,6 +136,10 @@
         path: "osx_sdk"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "mac-rel"
@@ -141,6 +161,10 @@
         path: "osx_sdk"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-dbg-x64"
@@ -162,6 +186,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-dbg-x86"
@@ -183,6 +211,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-rel-x64"
@@ -204,6 +236,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-rel-x86"
@@ -225,6 +261,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-msvc-dbg-x64"
@@ -241,6 +281,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-msvc-rel-x64"
@@ -257,6 +301,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
   }
 }
@@ -291,6 +339,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-dbg-x86"
@@ -309,6 +361,10 @@
         properties_j: "target_cpu:\"x86\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-rel-x64"
@@ -327,6 +383,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "linux-clang-rel-x86"
@@ -345,6 +405,10 @@
         properties_j: "target_cpu:\"x86\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "mac-dbg"
@@ -367,6 +431,10 @@
         path: "osx_sdk"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "mac-rel"
@@ -389,6 +457,10 @@
         path: "osx_sdk"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "presubmit"
@@ -405,6 +477,10 @@
         properties_j: "runhooks:true"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-dbg-x64"
@@ -427,6 +503,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-dbg-x86"
@@ -449,6 +529,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-rel-x64"
@@ -471,6 +555,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-clang-rel-x86"
@@ -493,6 +581,10 @@
         path: "win_toolchain"
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-msvc-dbg-x64"
@@ -510,6 +602,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
     builders {
       name: "win-msvc-rel-x64"
@@ -527,6 +623,10 @@
         properties_j: "target_cpu:\"x64\""
       }
       service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+      experiments {
+        key: "luci.use_realms"
+        value: 0
+      }
     }
   }
 }
diff --git a/infra/config/global/generated/luci-scheduler.cfg b/infra/config/global/generated/luci-scheduler.cfg
index 31a920b..64d14db 100644
--- a/infra/config/global/generated/luci-scheduler.cfg
+++ b/infra/config/global/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@
 
 job {
   id: "cron-linux-clang-rel-x64"
+  realm: "ci"
   schedule: "0 0 0 * * * *"
   acl_sets: "ci"
   buildbucket {
@@ -16,6 +17,7 @@
 }
 job {
   id: "linux-clang-dbg-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -25,6 +27,7 @@
 }
 job {
   id: "linux-clang-dbg-x86"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -34,6 +37,7 @@
 }
 job {
   id: "linux-clang-rel-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -43,6 +47,7 @@
 }
 job {
   id: "linux-clang-rel-x86"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -52,6 +57,7 @@
 }
 job {
   id: "mac-dbg"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -61,6 +67,7 @@
 }
 job {
   id: "mac-rel"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -70,6 +77,7 @@
 }
 job {
   id: "win-clang-dbg-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -79,6 +87,7 @@
 }
 job {
   id: "win-clang-dbg-x86"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -88,6 +97,7 @@
 }
 job {
   id: "win-clang-rel-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -97,6 +107,7 @@
 }
 job {
   id: "win-clang-rel-x86"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -106,6 +117,7 @@
 }
 job {
   id: "win-msvc-dbg-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -115,6 +127,7 @@
 }
 job {
   id: "win-msvc-rel-x64"
+  realm: "ci"
   acl_sets: "ci"
   buildbucket {
     server: "cr-buildbucket.appspot.com"
@@ -124,6 +137,7 @@
 }
 trigger {
   id: "primary-poller"
+  realm: "ci"
   acl_sets: "ci"
   triggers: "linux-clang-dbg-x64"
   triggers: "linux-clang-dbg-x86"
diff --git a/infra/config/global/generated/realms.cfg b/infra/config/global/generated/realms.cfg
new file mode 100644
index 0000000..30db5dd
--- /dev/null
+++ b/infra/config/global/generated/realms.cfg
@@ -0,0 +1,56 @@
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+#   https://luci-config.appspot.com/schemas/projects:realms.cfg
+
+realms {
+  name: "@root"
+  bindings {
+    role: "role/buildbucket.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/configs.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.reader"
+    principals: "group:all"
+  }
+  bindings {
+    role: "role/logdog.writer"
+    principals: "group:luci-logdog-chromium-writers"
+  }
+  bindings {
+    role: "role/scheduler.owner"
+    principals: "group:project-dawn-admins"
+  }
+  bindings {
+    role: "role/scheduler.reader"
+    principals: "group:all"
+  }
+}
+realms {
+  name: "ci"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.reader"
+    principals: "group:all"
+  }
+}
+realms {
+  name: "try"
+  bindings {
+    role: "role/buildbucket.builderServiceAccount"
+    principals: "user:dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
+    role: "role/buildbucket.triggerer"
+    principals: "group:project-dawn-tryjob-access"
+    principals: "group:service-account-cq"
+  }
+}
diff --git a/infra/config/global/main.star b/infra/config/global/main.star
old mode 100644
new mode 100755
index 52bf63a..bef2333
--- a/infra/config/global/main.star
+++ b/infra/config/global/main.star
@@ -8,6 +8,11 @@
 main.star: lucicfg configuration for Dawn's standalone builers.
 """
 
+# Enable realms experiment.
+lucicfg.enable_experiment("crbug.com/1085650")
+# TODO(https://crbug.com/1216166): ramp up to 100%.
+luci.builder.defaults.experiments.set({"luci.use_realms": 0})
+
 lucicfg.config(fail_on_warnings = True)
 
 luci.project(
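Review bot: The two added comments do not say what the `0` in `luci.builder.defaults.experiments.set({"luci.use_realms": 0})` means, or that the generated realms.cfg is not yet consulted for builds. As far as I know, lucicfg treats each experiment value as a percentage of builds, so I would put `# 0 = percentage of builds that use realms; realms.cfg is generated but not yet enforced for builds.` directly above that line. Once the value is raised, the bindings in realms.cfg presumably become the effective permissions. The ramp-up tracked by the TODO should therefore include a comparison of the generated bindings against the legacy `acl.entry` lists before the percentage changes. In this commit, for example, the `ci` realm carries no `role/buildbucket.triggerer` binding, while `@root` grants several reader roles to `group:all`.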
@@ -56,9 +61,6 @@
         ),
         acl.entry(
             acl.BUILDBUCKET_TRIGGERER,
-            users = [
-                "luci-scheduler@appspot.gserviceaccount.com",
-            ],
         ),
     ],
 )