alertmanager-github-receiver icon indicating copy to clipboard operation
alertmanager-github-receiver copied to clipboard
verified publisher icon m-lab

Detect permission problems

Open cjyar opened this issue 6 years ago • 1 comments

According to https://developer.github.com/v3/issues/#create-an-issue:

Only users with push access can set labels for new issues. Labels are silently dropped otherwise.

Scenario:

  • alertmanager-github-receiver is running as a user without permission to push to a repo.
  • An alert is generated, and the program creates an issue. It tries to add labels to the issue, but no labels are added.
  • Alertmanager periodically resends the alert. The next time alertmanager-github-receiver receives it, it checks to see if the issue already exists. It searches based on labels first, so it doesn't find the existing issue.
  • alertmanager-github-receiver creates a duplicate issue.
  • It does so again every time alertmanager resends the alert.

It seems like there are a few things we should/could do:

  1. Warn users that they need to have push permissions for the service account.
  2. Detect insufficient permissions and warn the user.
  3. Refuse to create duplicate issues.

cjyar avatar Jan 28 '20 15:01 cjyar

re: 1) https://github.com/m-lab/alertmanager-github-receiver#create-github-access-token outlines what permissions are needed for the access token. Unfortunately, "push" is not mentioned on the token allocation page. A note in our readme that points to the link you put here would be welcome.

re: 2) yes, if the client doesn't have sufficient permissions it should not create any issues. That addresses 3) also.

stephen-soltesz avatar Jan 29 '20 19:01 stephen-soltesz