Configure peribolos to sync repo permissions and teams about internal-acls HOT 15 CLOSED

This has been fixed by #250.

from internal-acls.

Confirmed this is working.
#251
Submitted a new team mxnet-operator-team and that team now exists.

from internal-acls.

Add other existing members or invite new members to the corresponding team (e.g. new reviewers and approvers),

Can this be done through OWNERs files?

Set up CI/CD.

Can this be done through PRs modifying the appropriate config files?
https://github.com/kubeflow/testing#setting-up-a-kubeflow-repository-to-use-prow-a-idprow-setupa

Manage storyboards and releases,

What GitHub roles provide the least privilege to accomplish what you need?

Can membership and repo permissions be managed through GitOps to make it easier to scale and manage?

We are using peribolos to declaratively manage GitHub permissions.

from internal-acls.

Got it. I didn’t know we are using peribolos to manage the permissions, which definitely seems more scalable and manageable. I believe the corresponding teams I am in are missing a “repos” field. I’ll give that a try soon. Thanks!

from internal-acls.

Per @jlewi's comment in #229 (comment), it seems like we might not have peribolos configured to sync repo permissions yet. I am re-opening this issue to track that.

from internal-acls.

/cc @Jeffwan

from internal-acls.

Issue-Label Bot is automatically applying the labels:

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

from internal-acls.

Issue-Label Bot is automatically applying the labels:

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

from internal-acls.

We should already be sync'ing teams

           - /app/prow/cmd/peribolos/app.binary.runfiles/io_k8s_test_infra/prow/cmd/peribolos/linux_amd64_pure_stripped/app.binary  
            - --fix-teams 
            - --fix-team-members 
            - --fix-org-members 
            - --config-path=/src/kubeflow/internal-acls/github-orgs/kubeflow/org.yaml
            - --github-token-path=/secret/github-token/github_token
            - --required-admins=jlewi
            - --required-admins=abhi-g
            - --required-admins=google-admin
            - --required-admins=googlebot
            - --required-admins=richardsliu
            - --confirm=true

from internal-acls.

It looks like peribolos has two options

• fix-team-repos - fix team permissions on repos
• fix-repos - create/update/delete repos

So we probably want the fix-team-repos permission.

from internal-acls.

The job is currently failing.
Here are the logs
logs.txt

The problem is that ajayalfred is not a user.

{"component":"peribolos","error":"status code 422 not one of [200], body: {\"message\":\"The request could not be processed.\",\"documentation_url\":\"https://developer.github.com/v3/orgs/members/#add-or-update-organization-members
hip\"}","file":"prow/cmd/peribolos/main.go:441","func":"main.configureOrgMembers.func1","level":"warning","msg":"UpdateOrgMembership(kubeflow, ajayalfred, false) failed","time":"2020-05-21T03:50:56Z"}

from internal-acls.

I updated the cron job to run with fix-team-repos.

from internal-acls.

Per: kubernetes/test-infra#14321 it looks like we are using an outdated peribolos image; on newer images it keeps going on error.

from internal-acls.

Looks like kubernetes/test-infra/issues#17671 its still an issue with peribolos not continuing

from internal-acls.

@jlewi Yes and repo permissions are also correct! Thanks for all the efforts!

from internal-acls.