#2189 koji-gc needs additional permissions for locked tags
Closed: Fixed 2 years ago by tkopecek. Opened 3 years ago by tkopecek.

Even if koji-gc has admin permission, it needs additional permission for tags requiring them.


At startup time, koji-gc should know if it has sufficient permissions to do the work and fail if not.

Metadata Update from @tkopecek:
- Custom field Size adjusted to None

3 years ago

There is a bit of code earlier in handle_prune that checks to see if koji-gc should use force to untag.

At the moment, it looks like force is still admin-only, so koji-gc should probably only do this if it has admin.

Furthermore, it should also check for a permission requirement on the tag, and use force if it lacks that permission. I suppose alternately, it might make sense for check_tag_access to allow admins to take this action without force even if they don't have the permission explicitly. However, it's longstanding behavior that admins need to use --force in that situation.

If koji-gc finds it doesn't have sufficient permission to untag from a given tag, then it should just skip the tag with an error message.

Longer term, we probably need to refactor gc quite a bit, but for this case I think we can just adjust the check.
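The decision described in the comment above, as an added example that is not part of the thread and is not koji-gc's own code. The function names, the `own_perms` set and the tag fields `name`, `locked` and `perm` are assumptions of this sketch, as is treating a locked tag the same way as a missing permission.

```python
import logging

log = logging.getLogger("gc-permission-example")


def untag_plan(own_perms, tag):
    """Return (action, force) for one tag.

    own_perms: set of permission names held by the gc user (assumed input).
    tag: dict with 'name', 'locked' and 'perm' (required permission name
         or None). These field names are assumptions of this sketch.
    """
    required = tag.get("perm")
    lacks_perm = required is not None and required not in own_perms
    blocked = bool(tag.get("locked")) or lacks_perm
    if not blocked:
        # Normal access is enough, so no override is requested.
        return ("untag", False)
    if "admin" in own_perms:
        # force is admin-only, so it is only requested when admin is held.
        return ("untag", True)
    # Not admin and access denied: skip the tag instead of failing mid-run.
    return ("skip", False)


def plan_prune(own_perms, tags):
    """Map tag name -> (action, force), logging an error for skipped tags."""
    plans = {}
    for tag in tags:
        plan = untag_plan(own_perms, tag)
        if plan[0] == "skip":
            log.error("insufficient permission to untag from %s, skipping",
                      tag["name"])
        plans[tag["name"]] = plan
    return plans


# Constructed sample tags, not taken from any real Koji instance.
SAMPLE_TAGS = [
    {"name": "example-candidate", "locked": False, "perm": None},
    {"name": "example-release", "locked": False, "perm": "release-eng"},
    {"name": "example-frozen", "locked": True, "perm": None},
]

if __name__ == "__main__":
    for perms in ({"admin"}, {"tag"}):
        print(sorted(perms), plan_prune(perms, SAMPLE_TAGS))
```

Running the same planning pass once at startup gives the early signal the ticket asks for: any `skip` entry means the gc user cannot do its work on that tag.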

We could introduce a new "garbage-collector" permission that can universally untag and delete any build. The koji-gc server could only have this permission (instead of full admin).

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.24 (was: 1.23)

3 years ago

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.25 (was: 1.24)

3 years ago

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.26 (was: 1.25)

2 years ago

We could introduce a new "garbage-collector" permission that can universally untag and delete any build.

I think this is separable from the problem at hand.

Would the tag/untag portion of this work differently from the existing 'tag' permission?

In the past, I know that people have used this behavior as an easy way to block gc on a tag. Of course the same blocking can be done with gc policy or other gc config, but the latter can't be accomplished with only Koji commands.

Even though this is clearly not a great solution for preventing gc, we might want to provide something similarly easy.

Metadata Update from @tkopecek:
- Issue tagged with: testing-ready

2 years ago

Metadata Update from @mfilip:
- Issue tagged with: testing-done

2 years ago

Related Pull Requests
  • #2876 Closed 2 years ago