222801 – davidcs @ FreeBSD dot org cannot be Assigned to a PR

Bug 222801 - davidcs @ FreeBSD dot org cannot be Assigned to a PR

Summary: davidcs @ FreeBSD dot org cannot be Assigned to a PR

Status:	Closed FIXED

Alias:	None

Product:	Services
Classification:	Unclassified
Component:	Bug Tracker (show other bugs)
Version:	unspecified
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Oleksandr Tymoshenko

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-05 18:12 UTC by Eugene Grosbein
Modified:	2018-02-20 09:01 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eugene Grosbein freebsd_committer

2017-10-05 18:12:40 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213606 points to a problem in the bxe(4) driver. I attempted to assign the PR to driver's author and maintainer davidcs@FreeBSD.org (David C Somayajulu) and got an error:

> Bugzilla was unable to make any match at all for one or more of the names and/or email addresses you entered on the previous page.

Please go back and try other names or email addresses.
Assignee: 	
davidcs@FreeBSD.org did not match anything

Comment 1 Oleksandr Tymoshenko freebsd_committer

2017-10-05 18:29:23 UTC

(In reply to Eugene Grosbein from comment #0)

Hi Eugene,

David doesn't have Bugzilla account created, so error message is correct, it's not a bug. @FreeBSD.org logins were populated once, during migration from GNATS. After that new committers should login to bugzilla using Kerberos credentials to actually create account.

Comment 2 Eugene Grosbein freebsd_committer

2017-10-05 18:48:12 UTC

(In reply to Oleksandr Tymoshenko from comment #1)

Is it possible to automate this so Bugzilla account created automatically for new committer with initial Kerberos password assigned?

Comment 3 Kubilay Kocak freebsd_committer

2017-10-09 01:58:32 UTC

(In reply to Eugene Grosbein from comment #2)

I believe (though not 100% sure), that Bugzilla account creation for accounts matching @FreeBSD.org emails is a functional consequence of logging in with valid LDAP (Kerberos) credentials, and that explicitly 'creating' an account as a separate first step not required. I may be recalling incorrectly, but David testing that theory would be good (if he hasn't already created an account).

On the question of 'automation', it's unclear whether Bugzilla's API's supports automatic user creation, but either way, that process of creating a user (API endpoint or manually) would need to be managed by and invoked at FreeBSD (developer) Account creation stage by Someone TM.

Given that would be a part of an existing administrative process, rather than any substantive integration (if it were technically feasible), I believe the best initial step to improve the new developer UX is to ensure that 'Create new <freebsd service> account' is explicitly added to the 'new account creation checklist' and verbiage for new developers, if such a checklist exists, if it hasn't been added already.

The FreeBSD Accounts team is CC'd as a likely relevant team.

Comment 4 david 2017-10-09 02:31:21 UTC

FWIW, the "traditional" role of accounts@ (since I've been doing it, at least [May, 2009?]) for account creation has been limited to creating the LDAP record and updating it with the SSH public key (and informing relevant parties when the account should be valid for logging in for the first time).

This is well before any Kerberos principals are created, so any steps that require a Kerberos principal would not be able to be performed.  That said, it is not clear to me that every account necessarily has a corresponding Kerberos principal -- I was under the impression that Kerberos principals are used for cases where someone needs root (or other "privileged") access to some resource.

("LDAP" and "Kerberos" are quite distinct within FreeBSD.org.  accounts@ has had no involvement in the creation of Bugzilla accounts, AFAIK.)

I'm a little surprised that the issue is being raised (for the first time of which I am aware) now (vs. within a few months of the transition to Bugzilla, for example).

Comment 5 Kubilay Kocak freebsd_committer

2017-10-09 05:23:49 UTC

(In reply to david from comment #4)

The question of what password to use (kerberos backend procedure apparently not known), and how to reset ones password, both stemming from 'I cant login' support requests has been an ongoing (if irregular) issue, with a standard response from Bugmeister to make the developer aware of and outline the Kerberos password set/reset process.

This is however, the first time we've looked to involve teams that are engaged earlier in the developer onboarding process, or think about ways to reduce the incidence, or nip the issue in the bud as close to root cause (where one might be apparent) as possible.

I note that Kerberos being required for Bugzilla/Jeking is mentioned in the committers guide already: https://www.freebsd.org/doc/en/articles/committers-guide/kerberos-ldap.html

Comment 6 Oleksandr Tymoshenko freebsd_committer

2018-02-20 09:01:35 UTC

(In reply to Eugene Grosbein from comment #2)

I don't think there is easy solution to push account to Bugzilla once it's created in LDAP/Kerberos. On the other hand implementing "pull" approach is relatively easy. And considering that we do not need real-time reaction to new accounts it's probably fair trade-off between complexity and usability. I added [1] new script to bugzilla database that runs at 3am UTC and checks if there are any accounts in LDAP that are not in Bugzilla. I believe that it resolves issue so I'm closing this PR as fixed. Feel free to reopen it if script doesn't function properly. 

[1] https://github.com/gonzoua/bugzilla/commit/d429f20411e00f3e0fabc27c117b7874b02466ff