Google Git
Sign in
dawn / tint / 90eb5aa29253c33861a5bb07403cb96a71cfbce3^! / .
commit90eb5aa29253c33861a5bb07403cb96a71cfbce3[log] [tgz]
authorVadim Shtayura <vadimsh@google.com>Tue Nov 16 15:17:12 2021 +0000
committerTint LUCI CQ <tint-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Nov 16 15:17:12 2021 +0000
tree34cf95ed1554b884de6203edec93218f3df0eed0
parent2fe0f4b42b32ee0c0fac559414885b29c54860e4 [diff]
Declare "role/configs.validator" binding.

It defines who is allowed to call LUCI Config validation API to
validate this LUCI project's configs. This is usually done by
presubmit jobs, and thus configs.validator role is assigned to
try job task accounts.

Previously this ACL was defined in the global "config-validation"
group. It is deprecated and being replaced with per-project ACLs
defined in per-project configs (like in this CL).

There's still a global ACL to allow any googler to call
the validation API in any LUCI project they are allowed to see.
Thus the per-project binding applies only to service accounts
(they are not googlers).

Note: this CL was generated semi-automatically and reviewers are
picked automatically based on OWNERS file.

BUG=chromium:1068817

Change-Id: Iec55d5e4ea7325406a1f3dd1f9fef598ec5ad29a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/69181
Auto-Submit: Vadim Shtayura <vadimsh@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

diff --git a/infra/config/global/generated/project.cfg b/infra/config/global/generated/project.cfg
index f3defcd..cfaeb59 100644
--- a/infra/config/global/generated/project.cfg
+++ b/infra/config/global/generated/project.cfg

@@ -7,7 +7,7 @@
 name: "tint"
 access: "group:all"
 lucicfg {
-  version: "1.29.1"
+  version: "1.30.1"
   package_dir: ".."
   config_dir: "generated"
   entry_point: "main.star"

diff --git a/infra/config/global/generated/realms.cfg b/infra/config/global/generated/realms.cfg
index de88dd2..4f4827d 100644
--- a/infra/config/global/generated/realms.cfg
+++ b/infra/config/global/generated/realms.cfg

@@ -15,6 +15,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "user:tint-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+  }
+  bindings {
     role: "role/logdog.reader"
     principals: "group:all"
   }

diff --git a/infra/config/global/main.star b/infra/config/global/main.star
index 263c278..ddf3bdc 100755
--- a/infra/config/global/main.star
+++ b/infra/config/global/main.star

@@ -48,6 +48,12 @@
             groups = "luci-logdog-chromium-writers",
         ),
     ],
+    bindings = [
+        luci.binding(
+            roles = "role/configs.validator",
+            users = "tint-try-builder@chops-service-accounts.iam.gserviceaccount.com",
+        ),
+    ],
 )
 
 luci.logdog(gs_bucket = "chromium-luci-logdog")