| OLD | NEW |
|---|
| 1 # Configuration service | 1 # Configuration service |
| 2 | 2 |
| 3 - Stores and imports config files from repositories, such as Gitiles. | 3 - Stores and imports config files from repositories, such as Gitiles. |
| 4 - Provides read-only access to config files and encapsulates their location. | 4 - Provides read-only access to config files and encapsulates their location. |
| 5 - Stores a registry of LUCI services. |
| 5 - Stores a registry of projects that use LUCI services. | 6 - Stores a registry of projects that use LUCI services. |
| 6 | 7 |
| 7 | |
| 8 ## Quick examples | 8 ## Quick examples |
| 9 | 9 |
| 10 ### Service config example | 10 ### Service config example |
| 11 Auth service admins keep client id whitelist and configuration of group import | 11 Auth service admins keep client id whitelist and configuration of group import |
| 12 from externa sources. They can store these configs as files in Gitiles. | 12 from external sources. These configs are stored as files in Gitiles. |
| 13 Config service can be configured to import them from Gitiles to | 13 Config service imports them from Gitiles to `services/<auth-service-app-id>` |
| 14 to `services/auth` config set. Auth service can use config component to | 14 config set. Auth service can use |
| 15 access its own configs. | 15 [config component](../components/components/config) to access its the configs. |
| 16 | 16 |
| 17 As a result, Auth services has the following for free | 17 As a result, Auth services has the following for free |
| 18 | 18 |
| 19 - convenient configuration viewing and editing by humans | 19 - convenient configuration viewing and editing by humans |
| 20 - change review and history | 20 - change review and history |
| 21 - config ACLs | 21 - config ACLs |
| 22 | 22 |
| 23 | 23 |
| 24 ### Project config example | 24 ### Project config example |
| 25 | 25 |
| (...skipping 28 matching lines...) Expand all Loading... |
| 54 These configs are generally not interesting to project maintainers. | 54 These configs are generally not interesting to project maintainers. |
| 55 | 55 |
| 56 Service configs live in `services/<service_id>` config sets. For GAE apps, | 56 Service configs live in `services/<service_id>` config sets. For GAE apps, |
| 57 `service_id` is an app id. | 57 `service_id` is an app id. |
| 58 Examples: `services/luci-config`, `services/chrome-infra-auth`. | 58 Examples: `services/luci-config`, `services/chrome-infra-auth`. |
| 59 A service typically reads config files in its own config set. | 59 A service typically reads config files in its own config set. |
| 60 | 60 |
| 61 `services/<service_id>` is always accessible to | 61 `services/<service_id>` is always accessible to |
| 62 <service-id>.appspot.com. | 62 <service-id>.appspot.com. |
| 63 | 63 |
| 64 `services/luci-config:projects.cfg` is a project registry. It contains | |
| 65 unique project ids (chromium, v8, skia) and location of project configs. | |
| 66 This list is available through get_projects() API. This is how projects are | |
| 67 discovered by services. | |
| 68 | |
| 69 2. Project configs. Project-wide branch-independent configs for services. | 64 2. Project configs. Project-wide branch-independent configs for services. |
| 70 This is what a project as a tenant tells a service about itself. Examples: | 65 This is what a project as a tenant tells a service about itself. Examples: |
| 71 | 66 |
| 72 - project metadata: project name, project description, mailing list, | 67 - project metadata: project name, project description, mailing list, |
| 73 owner email, team auth group, wiki link, etc. | 68 owner email, team auth group, wiki link, etc. |
| 74 - list of project refs. | 69 - list of project refs. |
| 75 - cron jobs: when and what project tasks to run. | 70 - cron jobs: when and what project tasks to run. |
| 76 | 71 |
| 77 Project configs live in `projects/<project_id>` config set. Services | 72 Project configs live in `projects/<project_id>` config set. Services |
| 78 discover projects through `get_projects()` and request a config from | 73 discover projects through `get_projects()` and request a config from |
| 79 `projects/<project_id>` config set. For instance, cron service reads | 74 `projects/<project_id>` config set. For instance, cron service reads |
| 80 `projects/<project_id>:cron.cfg` for each project in the registry. | 75 `projects/<project_id>:cron.cfg` for each project in the registry. |
| 81 | 76 |
| 82 3. Ref configs. These are repository/branch-specific configs in a project. | 77 3. Ref configs. These are repository/branch-specific configs in a project. |
| 83 Examples: | 78 Examples: |
| 84 | 79 |
| 85 - list of builds that have to pass for a CL to be committed. | 80 - list of builds that have to pass for a CL to be committed. |
| 86 - list of builder names that can close the tree if failed. | 81 - list of builder names that can close the tree if failed. |
| 87 - Code review info: type (rietveld, gerrit, etc), URL and | 82 - Code review info: type (rietveld, gerrit, etc), URL and |
| 88 codereview-specific details. | 83 codereview-specific details. |
| 89 | 84 |
| 90 Ref configs live in `projects/<project_id>/<ref_name>` config | 85 Ref configs live in `projects/<project_id>/<ref_name>` config |
| 91 set, where `<ref_name>` always starts with `refs/`. | 86 set, where `<ref_name>` always starts with `refs/`. |
| 92 | 87 |
| 88 ## Project registry |
| 89 |
| 90 `services/luci-config:projects.cfg` is a project registry. It contains unique |
| 91 project ids (chromium, v8, skia) and location of project configs. This list is |
| 92 available through get_projects() API. This is how projects are discovered by |
| 93 services. |
| 94 |
| 95 See [ProjectsCfg message](proto/service_config.proto) for more info. |
| 96 |
| 97 ## Service registry |
| 98 |
| 99 `services/luci-config:services.cfg` is a service registry. It contains unique |
| 100 service ids (chrome-infra-auth, swarming), location of configs if different from |
| 101 default and metadata url. |
| 102 |
| 103 See [ServicesCfg message](proto/service_config.proto) for more info. |
| 104 |
| 105 ## Access control |
| 106 |
| 107 Service configs are accessible to a group defined in service/luci-config:acl.cfg |
| 108 and a GAE app with the same id, e.g. x.appspot.com has access to `services/x`. |
| 109 |
| 110 Projects define access to their configs in projects/foo:project.cfg. See |
| 111 [access field in ProjectCfg message](proto/project_config.proto). |
| 112 |
| 113 ## Configuration validation |
| 114 |
| 115 Config files are validated and config set revisions containing invalid configs |
| 116 are not imported. Configs of the config service (services/luci-config config |
| 117 set) are validated by the config service. Other configs can be validated by |
| 118 registered services. A service may expose a list of config patterns that it is |
| 119 able to validate and the config service will call service's endpoint to |
| 120 validate. |
| 121 |
| 122 See [ServicesCfg and Validator messages](proto/service_config.proto) for more |
| 123 info. |
| 93 | 124 |
| 94 ## GAE component | 125 ## GAE component |
| 95 | 126 |
| 96 config component can be used by a GAE app to read configs. | 127 [config component](../components/components/config) can be used by a GAE app to |
| 97 | 128 read configs. |
| 98 | 129 |
| 99 ## Config import | 130 ## Config import |
| 100 | 131 |
| 101 Configs are continuously imported from external sources to the datastore by | 132 Configs are continuously imported from external sources to the datastore by |
| 102 config service backend. | 133 config service backend, with 10 min latency. |
| 103 [Read more](https://github.com/luci/luci-py/wiki/Config-service:-config-import) | 134 [Read more](https://github.com/luci/luci-py/wiki/Config-service:-config-import) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1224913002:
luci-config: fine-grained acls (Closed)
Base URL: git@github.com:luci/luci-py.git@master