Closed Bug 1298495 Opened 8 years ago Closed 8 years ago

need additional scopes for migration work

Categories

(Taskcluster :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kmoir, Assigned: pmoore)

Attachments

(1 file)

I need to be added to the following scopes for work in bug 1277579

create-task:scriptworker-prov-v1/signing-linux-v1

and access to modify and trigger the following hooks

hooks:modify-hook:releng/nightly-fennec-dev
hooks:trigger-hook:releng/nightly-fennec-dev

Also, I would like to create my own hook in releng/nightly-desktop-dev, not sure if I can do that myself or someone needs to grant me rights to do so. Anthony mentioned that Jonas was able to help him with that in the past.

Cc'ing mihai, I think he needs similar rights.
Flags: needinfo?(jopsen)
Hi Kim,

I believe the create-task scope you require would be:

queue:create-task:scriptworker-prov-v1/signing-linux-v1

(with queue: prefix). I believe you should have that already by virtue of being in releng (releng has queue:* - see https://tools.taskcluster.net/auth/roles/#mozilla-group:releng).

Similarly, releng should hopefully already have "hooks:modify-hook:releng/*", which should get you "hooks:modify-hook:releng/nightly-fennec-dev".

I think the only one missing is "hooks:trigger-hook:releng/nightly-fennec-dev".

This change surprisingly requires a code change, I'll submit a PR shortly...
Flags: needinfo?(jopsen)
Assignee: nobody → pmoore
Status: NEW → ASSIGNED
Attachment #8785599 - Flags: review?(dustin)
Dustin, I hit an issue when trying to build taskcluster-admin after merging (see the PR for details). Any ideas? Thanks! Pete
Flags: needinfo?(dustin)
This should be resolved now. Kim, let me know if you hit any issues. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: needinfo?(dustin)
Attachment #8785599 - Flags: review?(dustin) → review+
I think I am still missing some scopes/expanded scopes

If you look at the ones anthony had, he has a lot more than the ones I have see
https://tools.taskcluster.net/auth/roles/#mozilla-user:amiyaguchi@mozilla.com

vs me
https://tools.taskcluster.net/auth/roles/#mozilla-user:kmoir@mozilla.com

where I don't have a role.

Also, for these scopes/hooks that Anthony has

Scopes

assume:hook-id:releng/nightly-fennec-dev
auth:create-role:hook-id:releng/nightly-fennec-dev
auth:delete-role:hook-id:releng/nightly-fennec-dev
auth:update-role:hook-id:releng/nightly-fennec-dev
hooks:modify-hook:releng/nightly-fennec-dev
hooks:trigger-hook:releng/nightly-fennec-dev

I need one that specifies nightly-desktop-dev in the same fashion as the ones above are specified for nightly-fennec dev.

Also, :mtabara needs the same permissions I do since he will be working on the Linux32 desktop nightly version
Status: RESOLVED → REOPENED
Flags: needinfo?(pmoore)
Resolution: FIXED → ---
Blocks: 1277579
(In reply to Kim Moir [:kmoir] back Sept 6 from comment #5)
> I think I am still missing some scopes/expanded scopes
>
> If you look at the ones anthony had, he has a lot more than the ones I have
> see
> https://tools.taskcluster.net/auth/roles/#mozilla-user:amiyaguchi@mozilla.com
>
> vs me
> https://tools.taskcluster.net/auth/roles/#mozilla-user:kmoir@mozilla.com

I can't find this role, was it deleted?

>
> where I don't have a role.
>
> Also, for these scopes/hooks that Anthony has
>
> Scopes
>
> assume:hook-id:releng/nightly-fennec-dev
> auth:create-role:hook-id:releng/nightly-fennec-dev
> auth:delete-role:hook-id:releng/nightly-fennec-dev
> auth:update-role:hook-id:releng/nightly-fennec-dev
> hooks:modify-hook:releng/nightly-fennec-dev
> hooks:trigger-hook:releng/nightly-fennec-dev
>
> I need one that specifies nightly-desktop-dev in the same fashion as the
> ones above are specified for nightly-fennec dev.

You should already have these when you are logged in via LDAP since you will then inherit these:
https://tools.taskcluster.net/auth/roles/#mozilla-group:releng

>
> Also, :mtabara needs the same permissions I do since he will be working on
> the Linux32 desktop nightly version

If :mtabara is also in releng, he should already have these scopes too.

-----

Note, there are some peculiarities in the role viewer, in that sometimes it might not show all scopes that are granted by virtue of having a role. For example, if there is a role named <A>* and another role named <A><B>*, then having scope assume:<A><B>* will grant you all scopes in both role <A>* and role <A><B>*; however, in the UI that displays the Expanded roles, only the expanded roles of the selected role will be shown, rather than the expanded roles of both. I only discovered this behaviour yesterday. I would like to discuss this topic with the TaskCluster team, to understand the rationale behind this, and I mention this in case this has caused some confusion.

It might be best to proceed by running with what you have, and seeing what you miss when you hit a problem. Another possibility is if you know which API calls you need to make, we can do an audit of which scopes are required. Currently though, anything relating to project "releng" (i.e. typically scopes that have "releng" in their name) you should have. It could be that Anthony either wasn't marked as being in RelEng in LDAP so needed extra grants, or maybe he had broader scopes than required.

As the topic of scopes/roles/client credentials is quite complicated and convoluted, we could also have a face-to-face meeting to go through this if you like, to avoid delays in getting you everything you need. If you think that might help, let me know, and we can set something up.
Flags: needinfo?(pmoore)
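The scope matching and role expansion discussed in the comments above, as an added example (not part of the original thread and not Taskcluster's own code): a simplified model of trailing-* scope satisfaction and assume: role expansion. The role contents in ROLES are constructed; the releng entry only mirrors the two wildcard scopes the thread mentions, and the example:* scopes are placeholders.

```python
# Simplified model of Taskcluster scope satisfaction and role expansion.
# ROLES is constructed sample data, not a copy of any real role.
ROLES = {
    "mozilla-group:releng": ["queue:*", "hooks:modify-hook:releng/*"],
    "hook-id:releng/*": ["example:from-role-A"],            # role <A>*
    "hook-id:releng/nightly-*": ["example:from-role-AB"],   # role <A><B>*
}


def satisfies(held, required):
    """A held scope satisfies a required one if they are equal, or if the
    held scope ends in '*' and the required one starts with what precedes it."""
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required


def role_applies(role_id, assumed):
    """Does holding 'assume:<assumed>' pull in the role named role_id?"""
    if role_id.endswith("*") and assumed.startswith(role_id[:-1]):
        return True  # a wildcard role covers every more specific assume
    if assumed.endswith("*"):
        return role_id.startswith(assumed[:-1])  # wildcard assume covers matching roles
    return role_id == assumed


def expand(scopes, roles=ROLES):
    """Add the scopes of every applicable role until nothing new appears."""
    result = set(scopes)
    pending = list(result)
    while pending:
        scope = pending.pop()
        if not scope.startswith("assume:"):
            continue
        for role_id, granted in roles.items():
            if role_applies(role_id, scope[len("assume:"):]):
                fresh = set(granted) - result
                result |= fresh
                pending.extend(fresh)
    return result


def has_scope(held_scopes, required):
    """True if any held scope satisfies the required scope."""
    return any(satisfies(h, required) for h in held_scopes)


if __name__ == "__main__":
    releng = expand({"assume:mozilla-group:releng"})
    print(has_scope(releng, "hooks:trigger-hook:releng/nightly-fennec-dev"))
    print(sorted(expand({"assume:hook-id:releng/nightly-*"})))
```

Comparing ROLES["hook-id:releng/nightly-*"] with expand({"assume:hook-id:releng/nightly-*"}) shows the gap between one role's own scope list and everything the assume scope grants.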
You can see the scopes you have by using the "manage scopes" menu option in tools.taskcluster.net.
I talked to Jordan about this yesterday and sorted it out.
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED