#3398 more verbose default policy denials
Merged a month ago by tkopecek. Opened 2 months ago by tkopecek.
tkopecek/koji issue3397  into  master

file modified
+5 -5
@@ -557,23 +557,23 @@ 

  _default_policies = {

      'build_from_srpm': '''

              has_perm admin :: allow

-             all :: deny

+             all :: deny Only admin can do this via default policy

              ''',

      'build_from_repo_id': '''

              has_perm admin :: allow

-             all :: deny

+             all :: deny Only admin can do this via default policy

              ''',

      'build_from_scm': '''

              has_perm admin :: allow

              # match scm_type CVS CVS+SSH && match scm_host scm.example.com && match scm_repository /cvs/example :: allow

              # match scm_type GIT GIT+SSH && match scm_host git.example.org && match scm_repository /example :: allow

              # match scm_type SVN SVN+SSH && match scm_host svn.example.org && match scm_repository /users/* :: allow

-             all :: deny

+             all :: deny Only admin can do this via default policy

              ''',  # noqa: E501

      'package_list': '''

              has_perm admin :: allow

              has_perm tag :: allow

-             all :: deny

+             all :: deny Only admin/tag can do this via default policy

              ''',

      'channel': '''

              has req_channel :: req
@@ -582,7 +582,7 @@ 

              ''',

      'vm': '''

              has_perm admin win-admin :: allow

-             all :: deny

+             all :: deny Only admin/win-admin can do this via default policy

             ''',

      'cg_import': '''

              all :: allow

rebased onto f180105

2 months ago

Might be more succinct to have these denials more like:

  • admin permission required
  • admin or tag permission required
  • admin or win-admin permission required

Note potential interaction with #3407

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 months ago

Metadata Update from @jobrauer:
- Pull-request tagged with: testing-done

2 months ago

Commit eeb6f63 fixes this pull-request

Pull-Request has been merged by tkopecek

a month ago