fedora-infrastructure

Clone
Source Code
GIT

#7420 Give cvsadmin permissions to push to any package
Closed: Fixed 5 years ago by kevin. Opened 5 years ago by mohanboddu.

Closed: Fixed
Reopen Issue
  • Describe what you need us to do:
    Previously cvsadmin people can be able to push to any packages in dist-git.
    From irc, chatting with @puiterwijk:
[15:55:54] <mboddu> puiterwijk: I am not able to find "unsupported" in the output of fedpkg push, but doesn't cvsadmin allows you to push to dist-git?
[15:56:02] »» mboddu did it all the time
[15:57:24] <mboddu> puiterwijk: I have done it before, recent one - https://src.fedoraproject.org/rpms/python-deap/c/616e0f0415ec65f82c6e6d17ba644d93dd75f4f5?branch=master
[15:57:35] <puiterwijk> It could be that that was implicit, that wasn't in the config nor in the ACL code
[15:58:39] <puiterwijk> So if we agree that cvsadmin is supposed to be able to push (dunno, up to someone to decide), that needs to be configured.
[15:59:15] <mboddu> puiterwijk: Okay
[16:00:35] <puiterwijk> mboddu: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/distgit/pagure/templates/pagure_shared.cfg#n100
[16:00:50] <puiterwijk> that,s where that would need to be configured

  • When do you need this? (YYYY/MM/DD)
    ASAP

  • When is this no longer needed or useful? (YYYY/MM/DD)

  • If we cannot complete your request, what is the impact?
    releng user uses this cvsadmin permissions to push to dist-git during mass rebuild.
    Without this, mass rebuild will fail.

Only sidely related since @mohanboddu is in both group, but the old gitolite config was allowing the releng user for mass-rebuild: https://pagure.io/pagure-dist-git/blob/f525187af2d0e7974dc6704e869470764fc425c3/f/dist_git_auth.py#_104

Looking at this file cvsadmin isn't mentioned (which tbh surprises me as I thought cvsadmin were always allowed to commit to fix package un-correctly orphaned/retired)

Until recently sysadmin-cvs (not cvsadmin) were allowed to commit to any repo, but this changed with migration away from Gitolite.

I thought it was cvsadmin since releng user is part of cvsadmin not sysadmin-cvs

[11:20:48] <+mboddu> .fasinfo releng
[11:20:49] <zodbot> mboddu: User: releng, Name: Fedora Release Engineering, email: releng-team@fedoraproject.org, Creation: 2016-01-21, IRC Nick: None, Timezone: UTC, Locale: en, GPG key ID: None, Status: active
[11:20:52] <zodbot> mboddu: Approved Groups: @relenggroup cvsadmin fedorabugs packager cla_done cla_fpca

From what I know:

  • @mohanboddu used to have full access to all repositories due to membership of sysadmin-cvs, sysadmin-releng and packager groups.
  • @releng was granted partial access to subset of repositories, through a different mechanism - per-repository Gitolite config.
  • cvsadmin membership did not grant access to repositories, but gave (and still gives) admin privileges in Pagure (web interface and API).

Metadata Update from @pingou:
- Issue tagged with: src.fp.o
5 years ago

Metadata Update from @bowlofeggs:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
5 years ago

I think this was fixed in ansible 6c68095f3363b543032d239cf0894604487a9932

If not, please re-open.

:mailbox_with_mail:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
5 years ago

Login to comment on this ticket.

Metadata
None

src.fp.o

None
None
Waiting on Assignee
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.