release-tools-bot lacks permission to edit release managers groups on production and ops
From https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/1325040
$ bundle exec rake release_managers:sync
2020-06-18 07:27:51.041889 I Raven -- Raven 2.9.0 ready to catch errors
2020-06-18 07:27:51.238246 D ReleaseTools::GitlabClient -- [HTTParty] [2020-06-18 07:27:51 +0000] 200 "GET https://gitlab.com/api/v4/projects/gitlab%2Dorg%2Frelease%2Dtools/remote_mirrors" 356
2020-06-18 07:27:51.735898 I ReleaseTools::ReleaseManagers::SlackWrapperClient -- Syncing membership -- {:user_ids=>["U68SX6FCH", "UBQ8BPT1B"], :url=>"[REDACTED]/S0127FU8PDE/U68SX6FCH,UBQ8BPT1B"}
2020-06-18 07:27:51.843383 I ReleaseTools::ReleaseManagers::Client -- Syncing membership -- {:target=>:dev}
2020-06-18 07:27:52.019304 I ReleaseTools::ReleaseManagers::Client -- Syncing membership -- {:target=>:production}
2020-06-18 07:27:52.300612 I ReleaseTools::ReleaseManagers::Client -- Removing user from group -- {:user=>"rspeicher", :group=>"gitlab-org/release/managers"}
2020-06-18 07:27:52.470764 I ReleaseTools::ReleaseManagers::Client -- Syncing membership -- {:target=>:ops}
2020-06-18 07:27:52.758519 I ReleaseTools::ReleaseManagers::Client -- Removing user from group -- {:user=>"marin", :group=>"release-managers"}
--> Errors syncing to production:
Insufficient permissions
Insufficient permissions
--> Errors syncing to ops:
Insufficient permissions
Insufficient permissions
Problem and solution description
We use the release bot's token for operations on groups in any of the instances. A couple of items caused the problem described above:
- The group on ops.gitlab.net was a top level group with one owner, so it was impossible for the task to remove the only owner from the group.
- In other instances where the managers group was a subgroup, the release tool bot had incorrect permissions that did not allow it to add or remove users. According to our permissions system, only owners can add/remove members.
To fix the problem:
- The ops.gitlab.net/release-managers group was moved to ops.gitlab.net/gitlab-org/release/managers to match what we have on .com
- To the parent group of the managers group, we've added the release bot and made it the owner of the group
- Removed everyone else from the group and reran the task, which made the groups consistent across the instances.
Edited by Marin Jankovski
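A pre-flight check for the two failure conditions described above, as an added example that is not part of the issue or of release-tools. The group hashes and every username other than the bot are constructed; a real check would fill them from each instance's group members API.

```ruby
# Added example (not release-tools code): offline pre-flight for a group membership sync.
OWNER = 50 # GitLab access level for Owner

# Returns the planned changes plus the reasons the sync would be rejected.
# group: { path:, top_level:, direct: {user => level}, inherited: {user => level} }
def preflight(group, actor:, desired:)
  direct    = group[:direct]
  inherited = group.fetch(:inherited, {})
  problems  = []

  # Per the issue, only owners can add or remove members; ownership may be
  # inherited from a parent group.
  actor_level = [direct.fetch(actor, 0), inherited.fetch(actor, 0)].max
  problems << "#{actor} is not an owner of #{group[:path]}" if actor_level < OWNER

  to_add    = desired - direct.keys
  to_remove = direct.keys - desired - [actor]

  # A top-level group has no parent to inherit owners from, so a sync that
  # removes its only owner cannot complete.
  removed_owners   = to_remove.select { |user| direct[user] >= OWNER }
  remaining_owners = direct.select { |user, level| level >= OWNER && !to_remove.include?(user) }
  if group[:top_level] && removed_owners.any? && remaining_owners.empty?
    problems << "sync would remove the last owner of top-level group #{group[:path]}"
  end

  { add: to_add, remove: to_remove, problems: problems }
end

# Constructed sample data; usernames other than the bot are hypothetical.
BOT     = "release-tools-bot"
DESIRED = %w[manager-a manager-b]

# Layout before the fix: top-level group on ops with a single owner, bot not a member.
BEFORE_FIX = { path: "release-managers", top_level: true,
               direct: { "former-manager" => OWNER } }
# Layout after the fix: subgroup, bot owns the parent group and inherits Owner.
AFTER_FIX  = { path: "gitlab-org/release/managers", top_level: false,
               direct: { "former-manager" => 40 },
               inherited: { BOT => OWNER } }

if __FILE__ == $PROGRAM_NAME
  [BEFORE_FIX, AFTER_FIX].each do |group|
    puts "#{group[:path]}: #{preflight(group, actor: BOT, desired: DESIRED)}"
  end
end
```

Running such a check before the sync job reports which instance is misconfigured and why, rather than a bare "Insufficient permissions" after some changes have already been attempted.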