From b841549b14e777de58c7020ffac7a54926180e7b Mon Sep 17 00:00:00 2001
From: Vadim Shtayura
Date: Thu, 11 Nov 2021 17:10:19 -0800
Subject: [PATCH] Declare "role/configs.validator" binding.
It defines who is allowed to call LUCI Config validation API to validate this LUCI project's configs. This is usually done by presubmit jobs, and thus configs.validator role is assigned to try job task accounts. Previously this ACL was defined in the global "config-validation" group. It is deprecated and being replaced with per-project ACLs defined in per-project configs (like in this CL). There's still a global ACL to allow any googler to call the validation API in any LUCI project they are allowed to see. Thus the per-project binding applies only to service accounts (they are not googlers). Note: this CL was generated semi-automatically and reviewers are picked automatically based on OWNERS file.
BUG=chromium:1068817
R=fbarchard@chromium.org
Change-Id: I26544e524cf5e900ab395ff5c440c10438723903
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/3276689
Reviewed-by: Frank Barchard
Commit-Queue: Vadim Shtayura
---
 main.star | 6 ++++++
 realms.cfg | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/main.star b/main.star
index 54c9562ed..d4cec7fe5 100755
--- a/main.star
+++ b/main.star
@@ -64,6 +64,12 @@ luci.project(
 acl.entry(acl.BUILDBUCKET_READER, groups = ["all"]),
 acl.entry(acl.BUILDBUCKET_OWNER, groups = ["project-libyuv-admins"]),
 ],
+ bindings = [
+ luci.binding(
+ roles = "role/configs.validator",
+ users = "libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com",
+ ),
+ ],
 )
 # Generates luci-logdog.cfg
diff --git a/realms.cfg b/realms.cfg
index 93969f5a4..7360b512c 100644
--- a/realms.cfg
+++ b/realms.cfg
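Review bot: The `bindings` entry added to `luci.project(...)` in main.star carries no comment explaining the grant, so the reason for giving `role/configs.validator` to the try-builder account lives only in the commit message. Try jobs usually run patches that have not been reviewed yet, so whatever this account may do is in practice available to anyone who can trigger a try job; stating that the grant is deliberately limited to config validation helps later ACL audits. I would add `# Lets presubmit try jobs call the LUCI Config validation API for this project (replaces the global "config-validation" group).` above `luci.binding(`. The account is a string literal here; if the try builders elsewhere in the file name the same account, a shared constant would keep the two from drifting, though that part of the file is outside the hunk. The same binding is repeated in the realms.cfg hunk, and the `luci.project(...)` call starts before this hunk.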
@@ -18,6 +18,10 @@ realms {
 role: "role/configs.reader"
 principals: "group:all"
 }
+ bindings {
+ role: "role/configs.validator"
+ principals: "user:libyuv-try-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
 bindings {
 role: "role/logdog.reader"
 principals: "group:all"