#6482 fix bodhi buildroot overrides with secure-boot packages
Closed: Fixed 6 years ago Opened 8 years ago by kevin.

Currently if you try and make a bodhi buildroot override with any of the packages in the 'secure-boot' koji permission it fails with a:

"Override : Unable to save buildroot override: policy violation (tag)"

This is because the bodhi user doesn't have 'secure-boot' perms in koji and the hub permissions require that to tag a package in that list.

Options to fix:

  • Grant bodhi the 'secure-boot' permission. This should fix this issue, but is it granting it too many perms?

  • Adjust the koji hub permissions so that bodhi is allowed to add secure-boot packages only to *override tags.

  • Some other solution.

Note that bodhi does have the 'admin' permission in koji currently, so it could also just --force the tag, but it's desired to actually remove this permission from bodhi so I didn't list that as a solution.


Metadata Update from @kevin:
- Issue set to the milestone: Fedora 25 Alpha
- Issue tagged with: meeting

7 years ago

we will make a change to the hub policy https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n112 to allow bodhi to tag the packages into overrides tags

Metadata Update from @ausil:
- Issue untagged with: meeting
- Issue close_status updated to: None

7 years ago

Metadata Update from @ausil:
- Issue assigned to ausil

7 years ago

@mohanboddu will confirm that this is fixed with @bowlofeggs

Metadata Update from @syeghiay:
- Issue assigned to mohanboddu (was: ausil)

6 years ago

[10:35] ( Kellin) bowlofeggs: did mboddu get with you RE: https://pagure.io/releng/issue/6482
[10:38] ( bowlofeggs) Kellin: he did not, but i also have no way to know if that is fixed or not
[10:38] ( bowlofeggs) Kellin: i don't have ACLs on any secure boot packages
[10:41] ( Kellin) bowlofeggs: is this something we could test in staging environment?
[10:42] ( bowlofeggs) Kellin: the staging environment does do BROs too, so yes in theory, but again i don't have ACLs

09:47 ( Kellin) so I have a question about something from yesterday
09:48 ( Kellin) bowlofeggs: who would give you the ACLs for secure boot packages?
10:26 ( bowlofeggs) Kellin: an admin of a secure boot package can presumably give ACLs to others
10:26 ( bowlofeggs) Kellin: or if you manage to add a new package to fedora that is a secure boot package for whatever reason, you become the admin
10:36 ( Kellin) bowlofeggs: so somehow I don't know that you personally want that, but maybe some kind of bodhi admin-ish account that can do it?
10:37 ( bowlofeggs) Kellin: i'm not sure what you mean - but yeah, i'm not trying to be a secure boot package maintainer
10:38 ( bowlofeggs) Kellin: i also don't know what you mean by "can do it"
11:22 ( nb) bowlofeggs, i believe releng has to give you secureboot perm in koji
11:23 ( bowlofeggs) Kellin: ^
11:30 * Kellin blinks. OK, I will talk to mboddu and see if he knows that too hehe :)
11:30 ( Kellin) thanks nb

@mohanboddu says we can test giving ACLs in stage. He will update this ticket after testing.

@mohanboddu reports that this is working:

Wed Sep 28 16:15:55 2016 permission secure-boot granted to bodhi by kevin [still active]

See https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n87

Closing ticket. Please reopen if issue still exists.

Metadata Update from @syeghiay:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
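
The two fixes listed in the ticket differ in how far they widen what bodhi may tag. The added example below (not code from this ticket, from koji or from bodhi) models a first-match tag policy and compares them. The rule layout, the package names and the tag names are constructed assumptions; the real policy is in the linked hub.conf.j2.

```python
from fnmatch import fnmatch

# Constructed sample data; the real 'secure-boot' package list is not on this page.
SECURE_BOOT_PKGS = {"example-shim", "example-kernel"}

# Policy tests, modelled on the concepts in the ticket (not koji's own parser).
def has_perm(perm):
    return lambda req: perm in req["perms"]

def user(name):
    return lambda req: req["user"] == name

def tag(glob):
    return lambda req: fnmatch(req["tag"], glob)

def secure_boot_package(req):
    return req["package"] in SECURE_BOOT_PKGS

def evaluate(rules, req):
    """First rule whose tests all pass decides; this model's default is deny."""
    for tests, action in rules:
        if all(test(req) for test in tests):
            return action
    return "deny"

# Assumed shape of the policy that produced "policy violation (tag)".
BASE = [
    ([has_perm("secure-boot"), secure_boot_package], "allow"),
    ([secure_boot_package], "deny"),
    ([], "allow"),  # everything else may be tagged
]
# Option 2: a narrow rule placed ahead of the deny.
SCOPED = [([user("bodhi"), secure_boot_package, tag("*-override")], "allow")] + BASE

def compare(package="example-shim", tags=("f25-override", "f25-updates")):
    """Decision for the bodhi user under each setup, per destination tag."""
    setups = {
        "current": (BASE, set()),
        "option1_grant_perm": (BASE, {"secure-boot"}),
        "option2_scoped_rule": (SCOPED, set()),
    }
    return {
        name: {t: evaluate(rules, {"user": "bodhi", "perms": perms,
                                   "package": package, "tag": t}) for t in tags}
        for name, (rules, perms) in setups.items()
    }

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

In this model, granting the permission lets bodhi tag secure-boot packages into every tag, while the scoped rule allows only destinations matching `*-override`.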
