Declare "role/configs.validator" binding.

It defines who is allowed to call LUCI Config validation API to
validate this LUCI project's configs. This is usually done by
presubmit jobs, and thus configs.validator role is assigned to
try job task accounts.

Previously this ACL was defined in the global "config-validation"
group. It is deprecated and being replaced with per-project ACLs
defined in per-project configs (like in this CL).

There's still a global ACL to allow any googler to call
the validation API in any LUCI project they are allowed to see.
Thus the per-project binding applies only to service accounts
(they are not googlers).

Note: this CL was generated semi-automatically and reviewers are
picked automatically based on OWNERS file.

BUG=chromium:1068817

Change-Id: I57dec27982676553e40ad5dbae2b4642bb3bc935
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/69180
Auto-Submit: Vadim Shtayura <vadimsh@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
This commit is contained in:
Vadim Shtayura 2021-11-13 17:53:14 +00:00 committed by Dawn LUCI CQ
parent 0c2f5fbbbc
commit 12e51f6efa
3 changed files with 11 additions and 1 deletions

View File

@ -7,7 +7,7 @@
name: "dawn"
access: "group:all"
lucicfg {
version: "1.29.1"
version: "1.30.1"
package_dir: ".."
config_dir: "generated"
entry_point: "main.star"

View File

@ -14,6 +14,10 @@ realms {
role: "role/configs.reader"
principals: "group:all"
}
bindings {
role: "role/configs.validator"
principals: "user:dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com"
}
bindings {
role: "role/logdog.reader"
principals: "group:all"

View File

@ -48,6 +48,12 @@ luci.project(
groups = "luci-logdog-chromium-writers",
),
],
bindings = [
luci.binding(
roles = "role/configs.validator",
users = "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com",
),
],
)
luci.logdog(gs_bucket = "chromium-luci-logdog")