#46 Branch ACLs
Opened 5 years ago by immanetize. Modified 7 months ago

I'd like to permit or deny commit access to users or groups per-branch.

For example:

  • Unknown users/groups: read only
  • members of "docs" group: can create new branches (if they don't match $pattern) and write to all but some specified branches.
  • members of "docs-writers": can write to the specified branches.
  • members of "docs-publishers": can write to "production" branch.
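The policy sketched in the ticket can be written down as a small decision function in the shape of a git pre-receive hook. This is an added example, not Pagure (or gitolite) code: the group names come from the ticket, while the concrete protected-branch globs (standing in for "$pattern"), the rule that "production" is reserved for docs-publishers alone, and the requirement that "docs" membership governs unprotected branches are assumptions made here.

```python
"""Branch-level ACL check modelled on the ticket's example policy.

Added example, not Pagure code. Assumptions: protected branches are the
globs in PROTECTED_PATTERNS (the ticket's "$pattern"); "production" is
writable only by docs-publishers; unprotected branches need "docs".
"""
import fnmatch
import sys
from dataclasses import dataclass

# Assumed stand-in for the ticket's "$pattern" (the "specified branches").
PROTECTED_PATTERNS = ("release/*", "stable")
PRODUCTION_BRANCH = "production"
ZERO_SHA = "0" * 40  # git passes this as <old> when a ref is being created


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_protected(branch):
    """True when the branch name matches one of the protected globs."""
    return any(fnmatch.fnmatchcase(branch, p) for p in PROTECTED_PATTERNS)


def check_push(groups, branch, creating):
    """Decide whether a pusher holding `groups` may update `branch`.

    `creating` is True when the branch does not exist yet. Branch
    creation is treated as a write, so "docs" may only create branches
    that do not match the protected patterns.
    """
    groups = set(groups)
    if branch == PRODUCTION_BRANCH:  # assumed: reserved for docs-publishers
        if "docs-publishers" in groups:
            return Decision(True, "docs-publishers may write to production")
        return Decision(False, "only docs-publishers may write to production")
    if is_protected(branch):
        if "docs-writers" in groups:
            return Decision(True, "docs-writers may write to specified branches")
        return Decision(False, "branch is protected; docs-writers only")
    if "docs" in groups:
        verb = "create" if creating else "write to"
        return Decision(True, f"docs may {verb} non-protected branches")
    return Decision(False, "unknown user or group: read only")


def evaluate_updates(groups, update_lines):
    """Parse pre-receive style '<old> <new> <ref>' lines, one Decision each.

    Only refs/heads/* is governed by this policy; anything else (tags,
    notes) is denied by default rather than silently allowed.
    """
    results = []
    for line in update_lines:
        old, new, ref = line.split()
        if not ref.startswith("refs/heads/"):
            results.append((ref, Decision(False, "not a branch ref; denied by default")))
            continue
        branch = ref[len("refs/heads/"):]
        results.append((ref, check_push(groups, branch, creating=(old == ZERO_SHA))))
    return results


if __name__ == "__main__":
    # Constructed sample: a member of "docs" creating a topic branch and
    # trying to push to production in the same receive.
    sample_groups = {"docs"}
    sample_lines = [
        f"{ZERO_SHA} {'a' * 40} refs/heads/feature/new-page",
        f"{'b' * 40} {'c' * 40} refs/heads/production",
    ]
    lines = sample_lines if sys.stdin.isatty() else sys.stdin.read().splitlines()
    rejected = False
    for ref, decision in evaluate_updates(sample_groups, lines):
        print(f"{ref}: {'allow' if decision.allowed else 'deny'} ({decision.reason})")
        rejected |= not decision.allowed
    sys.exit(1 if rejected else 0)
```

Run without input and it evaluates the two constructed updates, allowing the topic branch and rejecting the production push; piped real pre-receive input (one `<old> <new> <ref>` line per ref), it exits non-zero if any ref is denied, which is what makes git refuse the whole push.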

Reading this there are two requests in one:

  • support branch ACLs
  • support groups

I feel that the first one will be easier than the second.

Wondering what the workflow is that you have in mind that needs separate branch ACLs.

Pagure is currently using the PR model as the way for people to easily get their changes merged, and just wondering how this fits in with the suggested branch permissions.

In an "enterprise" environment, we do not want to bother with forks... as a result, branch ACLs are required to restrict merge requests to only "lieutenants" which are allowed to confirm operation when quality gates are passed.

(Repost from other ticket, sorry...)

What goes around comes around, I guess...

We originally dropped them because Pagure didn't support it, but it'd be awesome to have Pagure offer that feature, as it's something most forges don't have.

I had actually discussed this with @mattdm at RH Summit 2017 just before we flipped the switch to go to Pagure. I don't know if he ever said anything to @pingou about it.

We would need branch ACLs for CentOS SIG branches in git.centos.org, is there a roadmap to add this feature?

@apevec: as you saw that in 2018, there are now automatic ACLs for protected branches, but that is verified by repospanner, so not pagure itself.
That automatic ACL permits SIGs (for git.centos.org) to have RWC rights on specific branches.

But that happens at the repospanner level, so Pagure doesn't even know this.
Now I guess your question is more like: what about PRs against a specific branch?

Example: pkg rpms/openstack-cinder
automatic ACL: sig-cloud group, so sig-cloud* permitted branches through repospanner.
Someone forks it in pagure, commits/pushes back and then opens a PR in pagure: how would pagure authorize someone from the sig-cloud group to automatically be able to merge that PR?
Does that summarize your question? (assuming that I got it right ...)

Yes, that's exactly the use case we'd like to see working in CentOS pagure instance. Members of sig-cloud should be able to approve and merge PRs in sig-cloud owned branches coming from any user.

@pingou: I don't think that pagure currently supports that feature. So worth asking @amoralej to create a new [RFE] ticket for this? (just wondering)

This is definitely something different than this ticket and thus should be tracked elsewhere indeed :)

https://pagure.io/pagure/issue/4533 let me know if it's properly explained

Now that we can deploy pagure without gitolite, I think we can think about this feature and how to implement it.