I have no objection to adding this...

+1

@lucab I found the file where we can update the policies: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift/project/templates/role-appowners.yml

do you want to submit a patch to infrastructure@lists.fedoraproject.org ?

@dustymabe, @lucab would you like to submit a patch for that ? Otherwise this is something that we are likely not going to work on any time soon.

let's see what @lucab says

Patch up at https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/U6NE6QQ5FWZWCFGJPLS4DAJGLVG6ZJRZ/.

Sidenote: the openshift-apps flow here IMHO is less than stellar. Starting from "I want to deploy a container on staging" I crossed the "here is our ticketing system" landmark and ended up in the "I'm blind-updating the RBAC for the whole infra via git send-email" for an authZ update (that I didn't setup, I have no knowledge on the rules, and I can't test).

Well, sorry we didn't get to this sooner... but as you know, we are busy.

Thanks for taking the time to track this down. I will try and test it today.

I rolled this out it seemed to work for me with some simple tests.

Can you test it out and confirm it's working? If not, please re-open and we will look more...

I just tried on the staging cluster and cancel-build still fails:

$ oc cancel-build coreos-cincinnati-stub-68
error: build coreos-cincinnati/coreos-cincinnati-stub-68 failed to update: builds.build.openshift.io "coreos-cincinnati-stub-68" is forbidden: User "lucab" cannot update builds.build.openshift.io in the namespace "coreos-cincinnati": no RBAC policy matched
error: failure during the build cancellation

Hum. Did you run your apps playbook again since the change? I think it needs that to add the perms to the app owner...

Indeed, just re-running my playbook updated the perms. Cancellation (on that specific project) works now.

Great.