diff --git a/infra/config/global/generated/cr-buildbucket.cfg b/infra/config/global/generated/cr-buildbucket.cfg index 318035c83f..a21f1e21ab 100644 --- a/infra/config/global/generated/cr-buildbucket.cfg +++ b/infra/config/global/generated/cr-buildbucket.cfg @@ -9,10 +9,6 @@ buckets { acls { group: "all" } - acls { - role: SCHEDULER - identity: "user:luci-scheduler@appspot.gserviceaccount.com" - } swarming { builders { name: "cron-linux-clang-rel-x64" @@ -31,6 +27,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-dbg-x64" @@ -48,6 +48,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-dbg-x86" @@ -65,6 +69,10 @@ buckets { properties_j: "target_cpu:\"x86\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-rel-x64" @@ -82,6 +90,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-rel-x86" @@ -99,6 +111,10 @@ buckets { properties_j: "target_cpu:\"x86\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "mac-dbg" @@ -120,6 +136,10 @@ buckets { path: "osx_sdk" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "mac-rel" @@ -141,6 +161,10 @@ buckets { path: "osx_sdk" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-dbg-x64" @@ -162,6 +186,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-dbg-x86" @@ -183,6 +211,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-rel-x64" @@ -204,6 +236,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-rel-x86" @@ -225,6 +261,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-msvc-dbg-x64" @@ -241,6 +281,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-msvc-rel-x64" @@ -257,6 +301,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } } } @@ -291,6 +339,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-dbg-x86" @@ -309,6 +361,10 @@ buckets { properties_j: "target_cpu:\"x86\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-rel-x64" @@ -327,6 +383,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "linux-clang-rel-x86" @@ -345,6 +405,10 @@ buckets { properties_j: "target_cpu:\"x86\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "mac-dbg" @@ -367,6 +431,10 @@ buckets { path: "osx_sdk" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "mac-rel" @@ -389,6 +457,10 @@ buckets { path: "osx_sdk" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "presubmit" @@ -405,6 +477,10 @@ buckets { properties_j: "runhooks:true" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-dbg-x64" @@ -427,6 +503,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-dbg-x86" @@ -449,6 +529,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-rel-x64" @@ -471,6 +555,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-clang-rel-x86" @@ -493,6 +581,10 @@ buckets { path: "win_toolchain" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-msvc-dbg-x64" @@ -510,6 +602,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } builders { name: "win-msvc-rel-x64" @@ -527,6 +623,10 @@ buckets { properties_j: "target_cpu:\"x64\"" } service_account: "dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + experiments { + key: "luci.use_realms" + value: 0 + } } } } diff --git a/infra/config/global/generated/luci-scheduler.cfg b/infra/config/global/generated/luci-scheduler.cfg index 31a920b163..64d14dbbe7 100644 --- a/infra/config/global/generated/luci-scheduler.cfg +++ b/infra/config/global/generated/luci-scheduler.cfg @@ -6,6 +6,7 @@ job { id: "cron-linux-clang-rel-x64" + realm: "ci" schedule: "0 0 0 * * * *" acl_sets: "ci" buildbucket { @@ -16,6 +17,7 @@ job { } job { id: "linux-clang-dbg-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -25,6 +27,7 @@ job { } job { id: "linux-clang-dbg-x86" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -34,6 +37,7 @@ job { } job { id: "linux-clang-rel-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -43,6 +47,7 @@ job { } job { id: "linux-clang-rel-x86" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -52,6 +57,7 @@ job { } job { id: "mac-dbg" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -61,6 +67,7 @@ job { } job { id: "mac-rel" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -70,6 +77,7 @@ job { } job { id: "win-clang-dbg-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -79,6 +87,7 @@ job { } job { id: "win-clang-dbg-x86" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -88,6 +97,7 @@ job { } job { id: "win-clang-rel-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -97,6 +107,7 @@ job { } job { id: "win-clang-rel-x86" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -106,6 +117,7 @@ job { } job { id: "win-msvc-dbg-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -115,6 +127,7 @@ job { } job { id: "win-msvc-rel-x64" + realm: "ci" acl_sets: "ci" buildbucket { server: "cr-buildbucket.appspot.com" @@ -124,6 +137,7 @@ job { } trigger { id: "primary-poller" + realm: "ci" acl_sets: "ci" triggers: "linux-clang-dbg-x64" triggers: "linux-clang-dbg-x86" diff --git a/infra/config/global/generated/realms.cfg b/infra/config/global/generated/realms.cfg new file mode 100644 index 0000000000..30db5dd81c --- /dev/null +++ b/infra/config/global/generated/realms.cfg @@ -0,0 +1,56 @@ +# Auto-generated by lucicfg. +# Do not modify manually. +# +# For the schema of this file, see RealmsCfg message: +# https://luci-config.appspot.com/schemas/projects:realms.cfg + +realms { + name: "@root" + bindings { + role: "role/buildbucket.reader" + principals: "group:all" + } + bindings { + role: "role/configs.reader" + principals: "group:all" + } + bindings { + role: "role/logdog.reader" + principals: "group:all" + } + bindings { + role: "role/logdog.writer" + principals: "group:luci-logdog-chromium-writers" + } + bindings { + role: "role/scheduler.owner" + principals: "group:project-dawn-admins" + } + bindings { + role: "role/scheduler.reader" + principals: "group:all" + } +} +realms { + name: "ci" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:dawn-ci-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.reader" + principals: "group:all" + } +} +realms { + name: "try" + bindings { + role: "role/buildbucket.builderServiceAccount" + principals: "user:dawn-try-builder@chops-service-accounts.iam.gserviceaccount.com" + } + bindings { + role: "role/buildbucket.triggerer" + principals: "group:project-dawn-tryjob-access" + principals: "group:service-account-cq" + } +} diff --git a/infra/config/global/main.star b/infra/config/global/main.star old mode 100644 new mode 100755 index 52bf63a99a..bef233394a --- a/infra/config/global/main.star +++ b/infra/config/global/main.star @@ -8,6 +8,11 @@ main.star: lucicfg configuration for Dawn's standalone builers. """ +# Enable realms experiment. +lucicfg.enable_experiment("crbug.com/1085650") +# TODO(https://crbug.com/1216166): ramp up to 100%. +luci.builder.defaults.experiments.set({"luci.use_realms": 0}) + lucicfg.config(fail_on_warnings = True) luci.project( @@ -56,9 +61,6 @@ luci.bucket( ), acl.entry( acl.BUILDBUCKET_TRIGGERER, - users = [ - "luci-scheduler@appspot.gserviceaccount.com", - ], ), ], )