| -@gerrit:opendev.org- Takashi Kajinami proposed: [zuul/zuul] 918381: Remove fallback logic for python-daemon < 1.6 https://review.opendev.org/c/zuul/zuul/+/918381 | 05:29 | |
| -@gerrit:opendev.org- Zuul merged on behalf of Clark Boylan: [zuul/zuul] 918338: Check pre run failure cases with only 2 retry attempts https://review.opendev.org/c/zuul/zuul/+/918338 | 07:21 | |
| -@gerrit:opendev.org- Takashi Kajinami proposed: [zuul/zuul] 918381: Remove fallback logic for python-daemon < 1.6 https://review.opendev.org/c/zuul/zuul/+/918381 | 08:03 | |
| -@gerrit:opendev.org- Takashi Kajinami proposed: [zuul/zuul] 918381: Remove fallback logic for python-daemon < 1.6 https://review.opendev.org/c/zuul/zuul/+/918381 | 08:04 | |
| -@gerrit:opendev.org- Takashi Kajinami proposed: [zuul/nodepool] 918433: Remove fallback logic for python-daemon < 1.6 https://review.opendev.org/c/zuul/nodepool/+/918433 | 12:01 | |
| -@gerrit:opendev.org- Takashi Kajinami proposed: [zuul/nodepool] 918433: Remove fallback logic for python-daemon < 1.6 https://review.opendev.org/c/zuul/nodepool/+/918433 | 12:02 | |
| -@gerrit:opendev.org- Andrei Dmitriev proposed: [zuul/zuul] 916735: Add sync_timeout to merger configuration https://review.opendev.org/c/zuul/zuul/+/916735 | 14:31 | |
| @vonschultz:matrix.org | Hello, I'm having some trouble with `zuul-client dequeue`. I'm getting | 15:14 |
|---|---|---|
| ``` | ||
| INFO - Invoking dequeue with arguments: {'tenant': 'embedl-tenant', 'pipeline': 'check', 'project': 'embedl', 'change': '41,1', 'ref': None} | ||
| DEBUG - https://zuul.stage.embedl.dev:443 "POST /api/tenant/embedl-tenant/project/embedl/dequeue HTTP/1.1" 403 0 | ||
| ERROR - Failed with the following exception: Insufficient privileges to perform the action. | ||
| ``` | ||
| when running | ||
| ``` | ||
| zuul-client -v -c .zuul.conf --use-config embedl-tenant dequeue --tenant embedl-tenant --pipeline check --project embedl --change 41,1 | ||
| ``` | ||
| My nginx indeed reports a 403 error, | ||
| ``` | ||
| "POST /api/tenant/embedl-tenant/project/embedl/dequeue HTTP/1.1" 403 0 "-" "python-requests/2.22.0" "-" | ||
| ``` | ||
| But my zuul-web log says | ||
| ``` | ||
| DEBUG zuul.web: [req: 78e050f7fa91425f83d7a06b32d63da4] Applying admin rule "zuulweb-admin" from tenant "embedl-tenant" to claims {...} | ||
| ``` | ||
| If it is indeed applying the admin rule as intended, why is it not letting me dequeue changes? Doesn't an admin rule give dequeue permissions to the user? Is there something else that needs to be configured? | ||
| @vonschultz:matrix.org | * Hello, I'm having some trouble with `zuul-client dequeue`. I'm getting | 15:15 |
| ``` | ||
| INFO - Invoking dequeue with arguments: {'tenant': 'embedl-tenant', 'pipeline': 'check', 'project': 'embedl', 'change': '41,1', 'ref': None} | ||
| DEBUG - https://zuul.stage.embedl.dev:443 "POST /api/tenant/embedl-tenant/project/embedl/dequeue HTTP/1.1" 403 0 | ||
| ERROR - Failed with the following exception: Insufficient privileges to perform the action. | ||
| ``` | ||
| when running | ||
| ``` | ||
| zuul-client -v -c .zuul.conf --use-config embedl-tenant dequeue --tenant embedl-tenant --pipeline check --project embedl --change 41,1 | ||
| ``` | ||
| My nginx indeed reports a 403 error, | ||
| ``` | ||
| "POST /api/tenant/embedl-tenant/project/embedl/dequeue HTTP/1.1" 403 0 "-" "python-requests/2.22.0" "-" | ||
| ``` | ||
| But my zuul-web log says | ||
| ``` | ||
| DEBUG zuul.web: [req: 78e050f7fa91425f83d7a06b32d63da4] Applying admin rule "zuulweb-admin" from tenant "embedl-tenant" to claims {...} | ||
| ``` | ||
| If it is indeed applying the admin rule as intended, why is it not letting me dequeue changes? Doesn't an admin rule give dequeue permissions to the user? Is there something else that needs to be configured? | ||
| (Zuul version 10.1.0) | ||
| @clarkb:matrix.org | Do other tasks like creating and deleting holds work? | 15:18 |
| @clarkb:matrix.org | That can possibly help identify if the issue is specific to dequeue or admin actions in general | 15:18 |
| @vonschultz:matrix.org | `zuul-client autohold` also results in `Insufficient privileges to perform the action.` and `Applying admin rule "zuulweb-admin" from tenant "embedl-tenant" to claims` in the zuul-web log. | 15:21 |
| @clarkb:matrix.org | https://opendev.org/openstack/project-config/src/branch/master/zuul/main.yaml#L1-L19 is what our rules look like and the application to a tenant and that does work for us | 15:29 |
| @vonschultz:matrix.org | Thanks! At a glance, the main difference seems to be you use `admin-rule` instead of `authorization-rule` when you define the rules, but changing that seems to make no difference for me... | 15:46 |
| @clarkb:matrix.org | is it possible that the token you are providing isn't matching the rule criteria? So the rule applies but then the token doesn't authorize it? | 16:11 |
| @vonschultz:matrix.org | That's it! Of course, that's it. I misunderstood the log message, thinking the admin rule had been successfully applied. I was using `zuul_uid` in my conditions (I got that idea from https://zuul-ci.org/docs/zuul/latest/tenants.html#authorization-rule), but changing it to `sub` made it work: | 16:51 |
| ``` | ||
| - admin-rule: | ||
| name: zuulweb-admin | ||
| conditions: | ||
| - iss: https://accounts.google.com | ||
| sub: "1081[censored]69" | ||
| ``` | ||
| Many thanks! It works now. | ||
| @josefwells:matrix.org | I had an issue yesterday that I realized could have had an error message that would have quickly helped. When I told my tenant config to "exclude-unprotected-branches: true" my "config-project" that didn't have branch protection on were silently ignored. tenant-conf-check might have mentioned that the config-project essentially contained no jobs. Anyway, I totally should have had branch protection on, but my repository is limited to admins, so it wasn't necessary in the past (admins never make mistakes). | 17:29 |
| @clarkb:matrix.org | something like: when loading configs if any config repos do not have any valid branches raise a warning or error? | 17:39 |
| @clarkb:matrix.org | since config repos in particular should always have a valid branch | 17:40 |
| @josefwells:matrix.org | > <@clarkb:matrix.org> since config repos in particular should always have a valid branch | 17:56 |
| Yeah, exactly | ||
| -@gerrit:opendev.org- Joshua Watt proposed: [zuul/zuul] 918487: gerrit: Clarify HTTP Bad Requests https://review.opendev.org/c/zuul/zuul/+/918487 | 21:31 | |
| @vlotorev:matrix.org | Hi, could someone have a look on small fix for zuul-sphinx config name in documentation https://review.opendev.org/c/zuul/zuul-sphinx/+/915354 ? | 21:35 |
| @vlotorev:matrix.org | * Hi, could someone have a look on a small fix for zuul-sphinx config name in documentation https://review.opendev.org/c/zuul/zuul-sphinx/+/915354 ? | 21:37 |
| -@gerrit:opendev.org- Joshua Watt proposed: [zuul/zuul] 918487: gerrit: Clarify HTTP Bad Requests https://review.opendev.org/c/zuul/zuul/+/918487 | 22:23 | |
| -@gerrit:opendev.org- Joshua Watt proposed: [zuul/zuul] 918487: gerrit: Clarify HTTP Bad Requests https://review.opendev.org/c/zuul/zuul/+/918487 | 22:47 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!