#190 Toddler for cleaning packager groups
Opened 11 months ago by zlopez. Modified a month ago

Currently when the user is removed from packager group it is not removed from specialized packager groups. For example go-sig (see https://pagure.io/fedora-infrastructure/issue/11788). We should have a list of packager groups and remove the user from those.

This could be triggered by membership removal message from FAS.


Metadata Update from @zlopez:
- Issue assigned to lenkaseg

8 months ago

Seems there is no membership removal message in FAS.
Either it has to be added to the messagebus first, or figure out another way to know if a user has been removed.

Update:
Message sent to fedora-messaging at the event of removing a user, PR opened here: https://github.com/fedora-infra/noggin/pull/1422

Is there a way to know which distgit groups require packager access?

Trying to figure out which distgit groups a user should be removed from, when the user is removed from packager group.

go-sig for sure

Is there a way to know which distgit groups require packager access?

It should be 100%/all of them. :)

Any group that exists on src.fedoraproject.org should be a packager group I think.

Trying to figure out which distgit groups a user should be removed from, when the user is removed from packager group.

go-sig for sure

I think it should be all/any of them

OK. For that I need to get a list of distgit groups the user is member of.
I see there is no way to see that kind of info from the view user endpoint: https://pagure.io/pagure/blob/1b7d305/f/pagure/api/user.py#_37

So I will have to write it first.

Update on this issue:
The state of the toddler cleaning_package_groups now:
User that is removed from the packager group is removed from all distgit groups.
The change happens on the distgit level. The problem is the ipa sync rewrites any users that had been removed (adds them back). For this the toddlers has to also remove the user in ipa.
Working on it.

So... one thing to note: This shouldn't be just packager... there's a number of other packaging groups ( https://src.fedoraproject.org/groups ) we should adjust too...
but packager is the important one...

Which ipa sync? I guess when they are logged in and in the group, they are removed from the group, but then reload some page and it syncs?

Normally folks removed from packager or some other group would be removed first in ipa, so on login they shouldn't get the groups back I wouldn't think.

So... one thing to note: This shouldn't be just packager... there's a number of other packaging groups ( https://src.fedoraproject.org/groups ) we should adjust too...
but packager is the important one...

I understood it this way: Check if user has been removed from a group called packager in IPA and if yes, remove the user from all the distgit groups (they're 67).
You mean that if a user is removed from any one of those distgit "packager" groups (for example abrt-sig , user should be removed from all the other 66 groups as well?

Which ipa sync? I guess when they are logged in and in the group, they are removed from the group, but then reload some page and it syncs?

Normally folks removed from packager or some other group would be removed first in ipa, so on login they shouldn't get the groups back I wouldn't think.

From talking with @zlopez (I think) I understood the pagure/distgit groups are regularly synced (rewritten) by the source of truth that is IPA groups. For pagure.io it happens in toddler pagure_fas_group_sync, not sure where it happens (if it happens) for distgit. The problem is that when this cleaning toddler removes a user from a distgit groups, the sync would add them back. That led me to thought that the cleaning toddler will have to remove the user also on the IPA side from groups matching to the distgit groups.

I understood it this way: Check if user has been removed from a group called packager in IPA and if yes, remove the user from all the distgit groups (they're 67).

yes. packager group is a requirement to be in any of the other ones.
But I am not sure if that relationship is setup right in ipa. If someone is removed from packager in ipa, we should also remove them in ipa from any of those other groups they are in.
I think there might be some way to reflect this in ipa, but not sure.

You mean that if a user is removed from any one of those distgit "packager" groups (for example abrt-sig , user should be removed from all the other 66 groups as well?

Nope, in that case they should be removed from that specific group only.

From talking with @zlopez (I think) I understood the pagure/distgit groups are regularly synced (rewritten) by the source of truth that is IPA groups. For pagure.io it happens in toddler pagure_fas_group_sync, not sure where it happens (if it happens) for distgit. The problem is that when this cleaning toddler removes a user from a distgit groups, the sync would add them back. That led me to thought that the cleaning toddler will have to remove the user also on the IPA side from groups matching to the distgit groups.

distgit refreshes group membership on login. So, when a user is in say 'packager' and 'abrt-sig' and then they are removed from those, they still have them in pagure until they logout and back on normally. So, we want this sync to do it without them having to login again. So, the only question I guess here is if a user is removed from packager, how can we make sure they are removed from any groups that require packager (I think we may be able to do this in ipa, but not sure, @abompard may know?)

We were talking about it with @abompard yesterday, he said we should probably setup an IPA client in toddlers (and figure out the permissions) and suggested I try to use ipaclient library for it.

Log in to comment on this ticket.

Metadata