Declare "role/configs.validator" binding.

It defines who is allowed to call LUCI Config validation API to
validate this LUCI project's configs. This is usually done by
presubmit jobs, and thus configs.validator role is assigned to
try job task accounts.

Previously this ACL was defined in the global "config-validation"
group. It is deprecated and being replaced with per-project ACLs
defined in per-project configs (like in this CL).

There's still a global ACL to allow any googler to call
the validation API in any LUCI project they are allowed to see.
Thus the per-project binding applies only to service accounts
(they are not googlers).

Note: this CL was generated semi-automatically and reviewers are
picked automatically based on OWNERS file.

BUG=chromium:1068817

Change-Id: I35b619854dea5c2cd3ff8cce041da6a321ce5cf0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3283403
Auto-Submit: Vadim Shtayura <vadimsh@google.com>
Reviewed-by: Garrett Beaty <gbeaty@google.com>
Commit-Queue: Garrett Beaty <gbeaty@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1064}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
diff --git a/infra/config/generated/luci/realms.cfg b/infra/config/generated/luci/realms.cfg
index 8f48e7f..6ffbba33 100644
--- a/infra/config/generated/luci/realms.cfg
+++ b/infra/config/generated/luci/realms.cfg
@@ -11,6 +11,10 @@
     principals: "group:all"
   }
   bindings {
+    role: "role/configs.validator"
+    principals: "group:project-chromium-try-task-accounts"
+  }
+  bindings {
     role: "role/logdog.reader"
     principals: "group:all"
   }
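Review bot: The new binding at lines 39-41 lands in a realm whose header is above the visible context, so the scope of the grant cannot be confirmed from this hunk. Please confirm it is the realm the project-level bindings in main.star map to, and that a project-wide grant of "role/configs.validator" to "group:project-chromium-try-task-accounts" is intended. Since this file lives under generated/ and the CL is described as semi-automatically produced, it is also worth confirming that this output came from re-running main.star rather than a hand edit, so the two files cannot drift. The group is the only thing limiting who gets the role, so its membership should stay restricted to try job task accounts.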
diff --git a/infra/config/main.star b/infra/config/main.star
index 785a8fa..d8f18d26 100755
--- a/infra/config/main.star
+++ b/infra/config/main.star
@@ -91,6 +91,12 @@
             groups = "project-chromium-admins",
         ),
     ],
+    bindings = [
+        luci.binding(
+            roles = "role/configs.validator",
+            groups = "project-chromium-try-task-accounts",
+        ),
+    ],
 )
 
 luci.cq(
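Review bot: The new bindings list at lines 94-99 has no comment explaining why try task accounts need "role/configs.validator". Someone reading main.star later has no way to tell that this replaces the deprecated global "config-validation" group, or that it exists for presubmit jobs. A one-line comment above luci.binding( that references crbug.com/1068817 would make the grant auditable and easier to remove if presubmit stops calling the validation API. It would also help to note there that the binding is meant for service accounts only, as the commit message states, so nobody adds user groups to it later.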