#792 Different perms for image-build with or without --scratch
Opened 6 years ago by jbieren. Modified 4 years ago

Hello,

Is there any way to give the proper rights for a user to do image-build --scratch, but forbid normal image-build? In essence, allow scratch image builds, but continue to disallow official image builds. If not, can it be added?

Thanks


There is not. Nor is there a similar feature for other types of builds.

This is possibly something worth considering when we add finer grained permissions, but I don't see this particular case as something we'd address independently.

Perhaps you can go into some detail about why you want this? Image builds, scratch or not, can do a number of things that are high-trust, which is the main reason there is a separate permission at all.

I see.

The reason why I want this is I would like to be able to create scratch builds of images for running tests, but don't need permission to create official builds (nor do people want to grant those rights, as that could end up being received by others without knowing it was just a test build).

This is one of the use cases in #327.

Until that lands, scratch image builders will need the image permission. I suggest that workflows make use of tagging (which has robust access controls) as an additional step in "official" build workflows.

Metadata Update from @mikem:
- Issue close_status updated to: Duplicate
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @dgregor:
- Custom field Size adjusted to None
- Issue status updated to: Open (was: Closed)

4 years ago

@mikem I've re-opened this and would like to use it to track the scratch build (image or otherwise) use case of finer-grained permissions
