PR#3407: build policy - koji

koji

#3407 build policy

Merged a year ago by tkopecek. Opened 2 years ago by tkopecek.

tkopecek/koji issue3323 into master

Tomas Kopecek • a year ago

e9ebe22

builder/kojid

file modified

		`@@ -1032,17 +1032,22 @@`
		`'task_id': self.id,`
		`'build_tag': build_tag, # id`
		`'skip_tag': bool(self.opts.get('skip_tag')),`
		`+ 'scratch': opts.get('scratch'),`
		`+ 'from_scm': SCM.is_scm_url(src),`
		`+ 'repo_id': opts.get('repo_id'),`
		`}`
		`if target_info:`
		`policy_data['target'] = target_info['name']`
		`if not self.opts.get('skip_tag'):`
		`policy_data['tag'] = dest_tag # id`
		`+ # backward-compatible deprecated policies (TODO: remove in 1.33)`
		`if not SCM.is_scm_url(src) and not opts.get('scratch'):`
		`# let hub policy decide`
		`self.session.host.assertPolicy('build_from_srpm', policy_data)`
		`if opts.get('repo_id') is not None:`
		`# use of this option is governed by policy`
		`self.session.host.assertPolicy('build_from_repo_id', policy_data)`
		`+ self.session.host.assertPolicy('build_rpm', policy_data)`
		`if not repo_info:`
		`repo_info = self.getRepo(build_tag, builds=opts.get('wait_builds'),`
		`wait=opts.get('wait_repo')) # (subtask)`

docs/source/access_controls.rst

file modified

+5 -2

		`@@ -51,9 +51,12 @@`
		`* cg_import: control which content generator imports are allowed`
		`* vm: control which windows build tasks are allowed`
		`* dist_repo: control which distRepo tasks are allowed`
		`- * build_from_srpm: control whether builds from srpm are allowed`
		+ * build_rpm: control whether builds are allowed, this is superceding older ``build_from_srpm``
		+ to handle all task types. ``build_from_srpm`` and ``build_from_repo_id`` are now
		`+ deprecated and will be removed in koji 1.33. Default policy allows everything.`
		`+ * build_from_srpm [deprecated]: control whether builds from srpm are allowed`
		`* build_from_scm: control whether builds from the SCM are allowed and the behavior of the SCM`
		`- * build_from_repo_id: control whether builds from user-specified repos ids are allowed`
		`+ * build_from_repo_id [deprecated]: control whether builds from user-specified repos ids are allowed`

		`Note that not all policies are access control policies.`
		The ``channel`` and ``volume`` policies are used to control which channels tasks go to

hub/kojixmlrpc.py

file modified

		`@@ -557,6 +557,9 @@`


		`_default_policies = {`
		`+ 'build_rpm': '''`
		`+ all :: allow`
		`+ ''',`
		`'build_from_srpm': '''`
		`has_perm admin :: allow`
		`all :: deny Only admin can do this via default policy`

tkopecek commented 2 years ago

New 'build' policy replacing 'build_from_srpm' and 'build_from_repo_id'.

rebased onto 379284d595e2b627fe711d184df4c21956674ac5

2 years ago

mikem commented 2 years ago

The default policy is missing actions for the sub policy lines.

I started to say that the default policy needs further adjustment too, but after looking at it, I'm not sure how easily we can accomplish backwards compatibility this way.

policies used with {assert,check}_policy expect results of the form "(allow|deny) <reason>" and warn if the first word is anything else
policies used with PolicyTest only check if result.lower() in ('yes', 'true', 'allow') and do not handle reason
I don't see a simple, clean way to propagate the reason out of the subpolicy

mikem commented 2 years ago

Kinda wonder if the policy should be named more specifically since it is only called for rpm builds (which, granted, have 'build' as the task method name)

mikem commented 2 years ago

Before I realized you were referencing the old policies in the new default, I was thinking that we should maintain the old codepath (deprecated) for a bit to maintain compat. That is still an option, though I don't think there's a good way in kojid to check which policies are defined. Still, something like this is another way we could go.

rebased onto 6ed878a72ce6da89e0b175f403450376579c2efe

2 years ago

pretty please pagure-ci rebuild

2 years ago

mikem commented 2 years ago

The changes I see since last review are to rename the new policy to build_rpm and to add actions to subpolicy check lines in said policy.

This still doesn't address the backwards compatibility issue that stems from the fact that invoking a policy as a subpolicy (via the policy test) has different behavior than invoking a policy via {assert,check}_policy. In particular, any use of reason args in the actions of the subpolicy will not work correctly. If a policy includes an allow with a reason, it will be treated as false result.

tkopecek commented 2 years ago

Hmm, finally got it :-) It would mean adding new policy aka "check_policy". Is it worth it or should we just leave those old policies for now?

mikem commented 2 years ago

I think the shortest path to a working, backwards compatible implementation is to preserve the old policy calls, but recommend that folks use the build policy instead of the older ones.

mikem commented 2 years ago

We might eventually want deprecate the old policies and tell people they have to migrate

rebased onto bc3f4a45734b44279a3f15fbdec3829c9f6b5948

2 years ago

tkopecek commented 2 years ago

I've moved new policy call below the original ones and reset their default values to 'allow', so if policy is defined, it can forbid the execution before build_rpm, otherwise default rules of build_rpm behave same as original rules before. So, it should be backwards-compatible now.

mikem commented a year ago

This looks much more straightforward, but the default build_rpm policy as defined will deny all non-scratch builds for non-admins.

rebased onto 49a8c54da27ac666ec02cf99dd9245e973e63e0b

a year ago

tkopecek commented a year ago

Ok, I've changed it to allow :: all

mikem commented a year ago

Current changes to default policies remove past checks that block non-scratch srpm builds and repo_id builds for non-admins. We need to either:

keep those checks in the default build_from_{srpm,repo_id} policies and leave build_rpm as allow :: all
migrate those checks to the new build_rpm policy, leaving the old policies defaulting to allow all

If we want to put the checks on build_rpm, I think we'd need the following:

'build_rpm' : '''
    bool from_srpm :: {
        bool scratch !! {
            has_perm admin !! deny Only admin can do this via default policy
            }
        }
    bool repo_id :: {
        has_perm admin !! deny Only admin can do this via default policy
        }
    '''

Unfortunately, the limits of policy syntax and the parity of our flags to check make the check a little obtuse.

Leaving the checks where the were for now would be the most compatible, but of course we know we want to phase those policies out. Still, could be sensible to start slow.

rebased onto 445254caf76a84838cf941e1719435829375778d

a year ago

rebased onto fb3d4c52d1a6441de294d69b62123d03df9dce63

a year ago

tkopecek commented a year ago

I'm for the first option - otherwise we will have to make another announcement that default policies are changed.

Btw, I've changed line bool from_srpm :: { to bool from_scm !! {

mikem commented a year ago

I'm for the first option - otherwise we will have to make another announcement that default policies are changed.

Indeed. And we'd also need a detailed migration note for people that are currently using non-default policies (if we go with option 2).

Btw, I've changed line bool from_srpm :: { to bool from_scm !! {

Good catch, but I'm confused. I thought you wanted to go with option 1.

While we'll eventually need force people to migrate, it might be nice to have a release where the build_rpm policy is an optional new feature rather than an incompatible change.

Edited a year ago by mikem

rebased onto eea503c3f6b2aca696c230082ada9c95502ffa4d

a year ago

mikem commented a year ago

Description of the old policies still says "default is now allow to not block build_rpm policy".

Other than that, lgtm

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

a year ago

rebased onto e9ebe22

a year ago