[luci][realms] Configure LUCI Security Realms for R8.
LUCI security realms will supersede legacy ACLs via
a multi-stage migration :( This is stage one, and requires
configuring realms.cfg for the first time.
The goal of this CL is to replicate the existing legacy config,
which is to be deleted here: https://crrev.com/i/4146070
R=ricow
Bug: https://crbug.com/1242925
Change-Id: I08f3d1a48255b600058d418cf9b5ac4e523bd9ad
diff --git a/infra/config/global/generated/cr-buildbucket.cfg b/infra/config/global/generated/cr-buildbucket.cfg
index 3d645b7..6765e56 100644
--- a/infra/config/global/generated/cr-buildbucket.cfg
+++ b/infra/config/global/generated/cr-buildbucket.cfg
@@ -38,6 +38,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "archive_lib_desugar"
@@ -60,6 +64,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "archive_release"
@@ -81,6 +89,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "desugared_library_head"
@@ -102,6 +114,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "desugared_library_jdk11_head"
@@ -123,6 +139,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-4.0.4"
@@ -145,6 +165,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-4.0.4_release"
@@ -167,6 +191,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-4.4.4"
@@ -189,6 +217,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-4.4.4_release"
@@ -211,6 +243,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-5.1.1"
@@ -233,6 +269,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-5.1.1_release"
@@ -255,6 +295,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-6.0.1"
@@ -277,6 +321,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-6.0.1_release"
@@ -299,6 +347,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-7.0.0"
@@ -321,6 +373,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android-7.0.0_release"
@@ -343,6 +399,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=10.0.0"
@@ -365,6 +425,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=10.0.0_release"
@@ -387,6 +451,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=12.0.0"
@@ -409,6 +477,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=12.0.0_release"
@@ -431,6 +503,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=8.1.0"
@@ -453,6 +529,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=8.1.0_release"
@@ -475,6 +555,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=9.0.0"
@@ -497,6 +581,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-android=9.0.0_release"
@@ -519,6 +607,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-d8_jctf"
@@ -543,6 +635,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-d8_jctf_release"
@@ -567,6 +663,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-dex_default"
@@ -589,6 +689,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-dex_default_release"
@@ -611,6 +715,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-internal"
@@ -633,6 +741,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-internal_release"
@@ -655,6 +767,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk11"
@@ -677,6 +793,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk11_release"
@@ -699,6 +819,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk8"
@@ -721,6 +845,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk8_release"
@@ -743,6 +871,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk9"
@@ -765,6 +897,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-jdk9_release"
@@ -787,6 +923,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-kotlin-dev"
@@ -808,6 +948,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-none"
@@ -830,6 +974,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-none_release"
@@ -852,6 +1000,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-r8cf_jctf"
@@ -876,6 +1028,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-r8cf_jctf_release"
@@ -900,6 +1056,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-run-on-app-dump"
@@ -922,6 +1082,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "linux-run-on-app-dump_release"
@@ -944,6 +1108,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "windows"
@@ -965,6 +1133,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
builders {
name: "windows_release"
@@ -986,6 +1158,10 @@
expiration_secs: 126000
build_numbers: YES
service_account: "r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ experiments {
+ key: "luci.use_realms"
+ value: 0
+ }
}
}
}
diff --git a/infra/config/global/generated/luci-scheduler.cfg b/infra/config/global/generated/luci-scheduler.cfg
index 46abc44..042ffd1 100644
--- a/infra/config/global/generated/luci-scheduler.cfg
+++ b/infra/config/global/generated/luci-scheduler.cfg
@@ -6,6 +6,7 @@
job {
id: "archive"
+ realm: "ci"
acl_sets: "ci"
triggering_policy {
kind: GREEDY_BATCHING
@@ -20,6 +21,7 @@
}
job {
id: "archive_lib_desugar"
+ realm: "ci"
acl_sets: "ci"
triggering_policy {
kind: GREEDY_BATCHING
@@ -34,6 +36,7 @@
}
job {
id: "archive_release"
+ realm: "ci"
acl_sets: "ci"
triggering_policy {
kind: GREEDY_BATCHING
@@ -48,6 +51,7 @@
}
job {
id: "desugared_library_head"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -57,6 +61,7 @@
}
job {
id: "desugared_library_jdk11_head"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -66,6 +71,7 @@
}
job {
id: "linux-android-4.0.4"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -75,6 +81,7 @@
}
job {
id: "linux-android-4.0.4_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -84,6 +91,7 @@
}
job {
id: "linux-android-4.4.4"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -93,6 +101,7 @@
}
job {
id: "linux-android-4.4.4_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -102,6 +111,7 @@
}
job {
id: "linux-android-5.1.1"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -111,6 +121,7 @@
}
job {
id: "linux-android-5.1.1_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -120,6 +131,7 @@
}
job {
id: "linux-android-6.0.1"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -129,6 +141,7 @@
}
job {
id: "linux-android-6.0.1_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -138,6 +151,7 @@
}
job {
id: "linux-android-7.0.0"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -147,6 +161,7 @@
}
job {
id: "linux-android-7.0.0_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -156,6 +171,7 @@
}
job {
id: "linux-android=10.0.0"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -165,6 +181,7 @@
}
job {
id: "linux-android=10.0.0_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -174,6 +191,7 @@
}
job {
id: "linux-android=12.0.0"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -183,6 +201,7 @@
}
job {
id: "linux-android=12.0.0_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -192,6 +211,7 @@
}
job {
id: "linux-android=8.1.0"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -201,6 +221,7 @@
}
job {
id: "linux-android=8.1.0_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -210,6 +231,7 @@
}
job {
id: "linux-android=9.0.0"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -219,6 +241,7 @@
}
job {
id: "linux-android=9.0.0_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -228,6 +251,7 @@
}
job {
id: "linux-d8_jctf"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -237,6 +261,7 @@
}
job {
id: "linux-d8_jctf_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -246,6 +271,7 @@
}
job {
id: "linux-dex_default"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -255,6 +281,7 @@
}
job {
id: "linux-dex_default_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -264,6 +291,7 @@
}
job {
id: "linux-internal"
+ realm: "ci"
acl_sets: "ci"
triggering_policy {
kind: GREEDY_BATCHING
@@ -278,6 +306,7 @@
}
job {
id: "linux-internal_release"
+ realm: "ci"
acl_sets: "ci"
triggering_policy {
kind: GREEDY_BATCHING
@@ -292,6 +321,7 @@
}
job {
id: "linux-jdk11"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -301,6 +331,7 @@
}
job {
id: "linux-jdk11_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -310,6 +341,7 @@
}
job {
id: "linux-jdk8"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -319,6 +351,7 @@
}
job {
id: "linux-jdk8_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -328,6 +361,7 @@
}
job {
id: "linux-jdk9"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -337,6 +371,7 @@
}
job {
id: "linux-jdk9_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -346,6 +381,7 @@
}
job {
id: "linux-kotlin-dev"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -355,6 +391,7 @@
}
job {
id: "linux-none"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -364,6 +401,7 @@
}
job {
id: "linux-none_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -373,6 +411,7 @@
}
job {
id: "linux-r8cf_jctf"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -382,6 +421,7 @@
}
job {
id: "linux-r8cf_jctf_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -391,6 +431,7 @@
}
job {
id: "linux-run-on-app-dump"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -400,6 +441,7 @@
}
job {
id: "linux-run-on-app-dump_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -409,6 +451,7 @@
}
job {
id: "windows"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -418,6 +461,7 @@
}
job {
id: "windows_release"
+ realm: "ci"
acl_sets: "ci"
buildbucket {
server: "cr-buildbucket.appspot.com"
@@ -427,6 +471,7 @@
}
trigger {
id: "branch-gitiles-trigger"
+ realm: "ci"
acl_sets: "ci"
triggers: "archive_release"
triggers: "linux-android-4.0.4_release"
@@ -456,6 +501,7 @@
}
trigger {
id: "main-gitiles-trigger"
+ realm: "ci"
acl_sets: "ci"
triggers: "archive"
triggers: "desugared_library_head"
diff --git a/infra/config/global/generated/realms.cfg b/infra/config/global/generated/realms.cfg
new file mode 100644
index 0000000..07dbef1
--- /dev/null
+++ b/infra/config/global/generated/realms.cfg
@@ -0,0 +1,58 @@
+# Auto-generated by lucicfg.
+# Do not modify manually.
+#
+# For the schema of this file, see RealmsCfg message:
+# https://luci-config.appspot.com/schemas/projects:realms.cfg
+
+realms {
+ name: "@root"
+ bindings {
+ role: "role/buildbucket.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/buildbucket.triggerer"
+ principals: "group:project-r8-committers"
+ principals: "user:luci-scheduler@appspot.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/configs.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/logdog.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/scheduler.reader"
+ principals: "group:all"
+ }
+ bindings {
+ role: "role/swarming.poolOwner"
+ principals: "group:mdb/r8-team"
+ }
+ bindings {
+ role: "role/swarming.poolViewer"
+ principals: "group:googlers"
+ }
+}
+realms {
+ name: "ci"
+ bindings {
+ role: "role/buildbucket.builderServiceAccount"
+ principals: "user:r8-ci-builder@chops-service-accounts.iam.gserviceaccount.com"
+ }
+ bindings {
+ role: "role/swarming.taskTriggerer"
+ principals: "group:mdb/chrome-troopers"
+ principals: "group:mdb/r8-team"
+ }
+}
+realms {
+ name: "pools/ci"
+ bindings {
+ role: "role/swarming.poolUser"
+ principals: "group:mdb/chrome-troopers"
+ principals: "group:mdb/r8-team"
+ }
+}
diff --git a/infra/config/global/main.star b/infra/config/global/main.star
index 5e790b5..3681e4a 100755
--- a/infra/config/global/main.star
+++ b/infra/config/global/main.star
@@ -1,5 +1,15 @@
#!/usr/bin/env lucicfg
+lucicfg.check_version("1.28.0", "Please use newer `lucicfg` binary")
+
+# Enable LUCI Realms support.
+lucicfg.enable_experiment("crbug.com/1085650")
+
+# Launch 0% of Builds in "realms-aware mode"
+# TODO(tandrii): upgarde to 100%.
+luci.builder.defaults.experiments.set({"luci.use_realms": 0})
+
+
luci.project(
name = "r8",
buildbucket = "cr-buildbucket.appspot.com",
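Review bot: The comment above `luci.builder.defaults.experiments.set({"luci.use_realms": 0})` should say what a 0% rollout means for authorization, not only that it will be raised later: as far as I can tell from the description, while the experiment is at 0 the bindings emitted into realms.cfg are not yet the enforced policy and the legacy ACLs still are, so the legacy config referenced in the description should stay in place until this reaches 100. I would replace the two comment lines with `# Launch 0% of builds in "realms-aware mode". Until this is 100%, the legacy` / `# ACLs remain the enforced policy; do not remove them before the rollout completes.` and keep the TODO beneath them, fixing the typo `upgarde` to `upgrade`. A tracking bug reference in the TODO (the CL already cites crbug.com/1242925) would make the follow-up easier to find than a bare username.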
@@ -30,7 +40,43 @@
]
),
- ]
+ ],
+ bindings = [
+ luci.binding(
+ roles = "role/swarming.poolOwner",
+ groups = "mdb/r8-team",
+ ),
+ luci.binding(
+ roles = "role/swarming.poolViewer",
+ groups = "googlers",
+ ),
+ ],
+)
+
+# Allow the given users to use LUCI `led` tool and "Debug" button
+# inside the given bucket & pool security realms.
+def led_users(*, pool_realm, builder_realm, groups):
+ luci.realm(
+ name = pool_realm,
+ bindings = [
+ luci.binding(
+ roles = "role/swarming.poolUser",
+ groups = groups,
+ ),
+ ],
+ )
+ luci.binding(
+ realm = builder_realm,
+ roles = "role/swarming.taskTriggerer",
+ groups = groups,
+ )
+led_users(
+ pool_realm="pools/ci",
+ builder_realm="ci",
+ groups=[
+ "mdb/r8-team",
+ "mdb/chrome-troopers",
+ ],
)
luci.bucket(name = "ci")
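Review bot: The header comment on `led_users` describes the feature (`led` and the "Debug" button) but not the privilege it hands out: `role/swarming.poolUser` on `pools/ci` plus `role/swarming.taskTriggerer` on the `ci` realm let every member of `mdb/r8-team` and `mdb/chrome-troopers` launch tasks in the CI pool, and since the generated realms.cfg binds `r8-ci-builder@...` as the builder service account in that same realm, this presumably amounts to running with the CI builder identity — worth confirming and stating, so that group membership is reviewed with that in mind. I would extend the comment with `# Note: members of `groups` can launch tasks in `pool_realm` as the builders of` / `# `builder_realm`; treat membership as equivalent to control of CI builds.` The call site also departs from the file's keyword style (`name = "r8"` above vs. `pool_realm="pools/ci"` here); `pool_realm = "pools/ci",` / `builder_realm = "ci",` / `groups = [` would match. The `led_users` definition and its call are complete within this hunk.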