#10959 Create a new FAS group for bots that are able to create Bodhi updates
Closed: Fixed with Explanation 2 years ago by kevin. Opened 2 years ago by lachmanfrantisek.

This is a follow-up to https://pagure.io/fedora-infrastructure/issue/10763.

We are kindly asking for a new FAS group to be created for bots that will be allowed to create a Bodhi update without the need to have dist-git commit rights.

A bit of context:
This is to avoid Packit (or another bot) having commit rights to dist-git to automate Bodhi updates. (The motivation is to reduce the unnecessary power for our FAS users.) Packit does not need dist-git commit rights, since we use pull requests to submit changes, and for Koji builds, dist-git commit rights are not required.

Thank you very much!

On behalf of the Packit team
František


Regarding the naming, please use something like updater_bots, or approved_updaters. Ideally something really explicit that this is only about Bodhi updates. The new group should not have any other use. Thanks!

Making users give Packit explicit commit ACLs limits its permissions to just the packages that opt in. This change would allow Packit to submit updates for any package. On a micro level, this removes Packit's need for distgit access for packages that opt in, but all in all, it gives Packit access to a lot more packages than before.

Exactly. And that's why we are asking for the Bodhi-only, per-package permissions in the first place. (Which is sadly not easily doable.) The question is what is more dangerous -- having dist-git rights for a set of packages, or being able to do updates for all the packages. (And the answer is really not clear, I know.)

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

2 years ago

Hello!

Can we do something to move this forward?

What do you think? Is it better to stay with the current solution (unneeded dist-git permissions on a set of packages) or go with the new group (global Bodhi access for all packages when just a subset is required)?

Thank you very much in advance!

Well, we are in infrastructure freeze for the f37 final release, so we tend to try and not make changes if we can help it.

That said, if this is blocking you, I can get a freeze exception to get it finished I think. It's a pretty simple change and easy to revert if it causes some kind of problem.

Thanks @kevin !

This isn't blocking us since we can ask users for the dist-git permissions. It's fine to know that the proposal makes sense and will be implemented after the freeze.

As a reminder, after the group is created, the group name must be added in https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/base/templates/production.ini.j2#_633

Let me know if I have to create a PR for that, or if whoever takes care of creating the group will also change the config as well. (I think it's also fine to change the config before the group exists.)

OK, done. I created the group, added packit to it and added it to the bodhi config.

I'm pushing out the change in playbooks now and it should be live in a bit.

Let us know if there's anything further to do here.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 years ago

Nice! Thank you! That was quick.

Maybe one additional ask, can you please add a packit-stg FAS user as well?
(We use it to dogfood Packit Service on our packages -- we want to have the same environment as we have for prod and use it for regular builds/updates so we can use it every week we release a new version of our packages.)

I'll confirm once we verify it's working. Thanks again!

Hi, I have taken the task to verify the Bodhi integration. We tried creating an update for our packages without explicit commit access to the dist-git, and it seems that we are still not allowed to.

I have checked the Ansible playbook linked above and noticed that the group for "automated updates" isn't added:

- Group with our bots: bodhi_update_bots
- Groups allowed to create updates without commit access: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/base/templates/production.ini.j2#_633

I have created a PR with a change: https://pagure.io/fedora-infra/ansible/pull-request/1285

Could you please have a look and redeploy?

Thanks.
