Learn more about these different git repos.
Other Git URLs
Even if koji-gc has admin permission, it needs additional permission for tags requiring them.
At startup time, koji-gc should know if it has sufficient permissions to do the work and fail if not.
Metadata Update from @tkopecek: - Custom field Size adjusted to None
There is a bit of code earlier in handle_prune that checks to see if koji-gc should use force to untag.
At the moment, it looks like force is still admin-only, so koji-gc should probably only do this if it has admin.
Furthermore, it it should also check for a permission requirement on the tag, and use force if it lacks that permission. I suppose alternately, it would would might make sense for check_tag_access to allow admins to take this action without force even if they don't have the permission explicitly. However, it's longstanding behavior that admins need to use --force in that situation.
check_tag_access
If koji-gc finds it doesn't have sufficient permission to untag from a given tag, then it should just skip the tag with an error message.
Longer term, we probably need to refactor gc quite a bit, but for this case I think we can just adjust the check.
We could introduce a new "garbage-collector" permission that can universally untag and delete any build. The koji-gc server could only have this permission (instead of full admin).
koji-gc
Metadata Update from @tkopecek: - Issue set to the milestone: 1.24 (was: 1.23)
Metadata Update from @tkopecek: - Issue set to the milestone: 1.25 (was: 1.24)
Metadata Update from @tkopecek: - Issue set to the milestone: 1.26 (was: 1.25)
We could introduce a new "garbage-collector" permission that can universally untag and delete any build.
I think this is separable from the problem at hand.
Would the tag/untag portion of this work differently from the existing 'tag' permission?
In the past, I know that people have used this behavior as an easy way to block gc on a tag. Of course the same blocking can be done with gc policy or other gc config, but the latter can't be accomplished with only Koji commands.
Even though this is clearly not a great solution for preventing gc, we might want to provide something similarly easy.
Metadata Update from @tkopecek: - Issue tagged with: testing-ready
Metadata Update from @mfilip: - Issue tagged with: testing-done
Commit e68166b fixes this issue
Login to comment on this ticket.