#3323 Do not build if you cannot tag
Opened 4 months ago by pingou. Modified 2 months ago

If an user builds a package against a tag that they cannot tag the build into, the build succeed and the tagging fails (as expected).

For example: https://cbs.centos.org/koji/taskinfo?taskID=2765941

The issue is that the build succeeded so the NVR is now recorded in koji's DB, thus preventing anyone from building it again :(

Would it be possible to start making use of the build policy mentioned in: https://docs.pagure.org/koji/permissions/#other so that we can prevent builds from happening when the user does not have permissions to tag the build?

Thanks!


Permission is not right thing here (and that is the reason why it is not used there). If we want to do this we should add new policy with same data as build_from_srpm which would apply also to SCM builds. Does it sound usable? (https://docs.pagure.org/koji/defining_hub_policies/#available-policies)

Metadata Update from @tkopecek:
- Custom field Size adjusted to None

4 months ago

@tkopecek don't see in that doc a simple example to restrict build operations ?
or you mean something in the new build_from_scm policy and combining tags and permissions ?

So

build_from_scm =
  tag <name> && has_perm <required_perm> :: allow
  all :: deny

in our case <required_perm> is a new perm that has specific users and also we use "Required permissions: <required_perm>" on tags (that's how tag-build operations are allowed/denied btw

As koji is already doing such check at the tag-build operation, I thought it would (when someone submits a build for a specific target) check destination tag and check permission, instead of letting the build happen and just check perms after and so fails at the end. That's the reason why we thought a RFE to implement that check would be the ideal solution initially :)

I was thinking about merging these policies together (build_from_srpm and non-existent build_from_scm) to build which would have another boolean data for testing "from_scm" for testing. In such case it could look like:

build = 
  bool from_scm !! deny                # forbid any builds from uploaded srpms
  bool skip_tag :: allow                   # allow builds which will not get tagged anywhere explicitely ("koji build --skip-tag ...")
  has_perm <perm> :: allow         # allow some privileged group
  match target <target_name> :: allow # based on target name
  all :: deny

There is not (now) available destination tag. Only target's name. But we can add also a simple test for destination tag if it is worth that.

using target name is good enough, as long as we can combine as we have quite some tags/targets and we'd like to not define manually this, but rather but a j2 template deployed by our ansible role

But if something like following example would be supported, it would be indeed awesome as we can just have a {%for %} jinja2 loop to duplicate pattern for each supported SIG (and so targets)

build = 
   match target <target_name> && has_perm <required_perm> :: allow  

merging build_from_srpm and creating a new build policy would be "interesting" though , as long as it's not a breaking change ? I guess it would still parse build_from_srpm (if defined, so like previous config working) and use build one if defined (but people willing to use it would have to change their config)

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.30

3 months ago

Login to comment on this ticket.

Metadata
Related Pull Requests
  • #3407 Last updated 4 days ago