[INFRA-80] Restructure gitolite permissions file Created: 31/Jul/14  Updated: 01/Dec/16  Resolved: 01/Dec/16

Status: Won't Fix
Project: Software Development Infrastructure
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: rhl Assignee: shimono
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Looking at the gitolite config file, it appears much more repetitious and harder to maintain than the LSST one.

We should consider simplifying it.



 Comments   
Comment by cloomis [ 31/Jul/14 ]

Wildcards in repo names are disabled. Specifically $GL_WILDCARDS=0 in .gitolite.rc

I understand the security concern about turning that on, but I will make the case that it is OK: a) I think you can trust the @admins, and b) the stanza we want to add to all repos is something like:

  RW+                            = @dev
  R                              = @bot
  RW+C                           = @admin
  RWC     tickets/[0-9]+$        = @dev         # Allow creating and pushing to tickets
  RW+C    u/USER/                = @dev         # Allow full control over personal branches
  RW+C    refs/tags/u/USER/      = @dev         # Allow full control over personal tags

We could avoid turning wildcards on and apply those rules to repo @all, then override with:

repo gitolite-admin
   - = @dev

repo www_publications
  RW+D = @all

I think that'd be good. I will not test it until Shimono-san is online, as I can see myself disabling writes to gitolite-admin and leaving all repos broken....

In the short term, I will add the stanza to drp_stella, ics_mhs_actorcore, ics_mhs_tron, and ics_mhs_config.

Comment by cloomis [ 31/Jul/14 ]

Warning: the

  RW+ = @admin

line allows admins to push any stupid thing (e.g. invalid branch and tag names).

But other than that it looks like it works.

Comment by cloomis [ 31/Jul/14 ]

Added

  RW+                            = @dev
  R                              = @bot
  RWC     tickets/[0-9]+$        = @dev         # Allow creating and pushing to tickets
  RW+C    u/USER/                = @dev         # Allow full control over personal branches
  RW+C    refs/tags/u/USER/      = @dev         # Allow full control over personal tags

to the four listed products. Note that I removed the @admin rule.
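The layout proposed earlier in this thread (one common stanza under repo @all, overridden per repo for gitolite-admin and www_publications) and the stanza added to the four products can be sanity-checked before the gitolite-admin push that cloomis was nervous about. What follows is an added example, not code from this ticket, from the project, or from gitolite itself: a small Python model of how gitolite 3 evaluates rules (a repo's own stanzas and the @all stanzas are walked in the order they appear in the conf, the first rule matching both user and ref allows or denies, C and D are only enforced once a repo has rules using them, USER is substituted into refexes, and deny rules are skipped for reads unless the deny-rules option is on). The group membership, the stanza ordering and the repo names other than those in the ticket are constructed; repo groups and the repo-level pre-check are not modelled. The point it makes that the thread does not spell out: if the `repo gitolite-admin` stanza with `- = @dev` comes after `repo @all`, the blanket `RW+ = @dev` matches first and the deny never fires, so the override stanza has to come first.

```python
import re

# Constructed stanzas (the ticket's proposal, with sample group names).
ADMIN_STANZA = """
repo gitolite-admin
    RW+                            = @admin
    -                              = @dev
"""
ALL_STANZA = """
repo @all
    RW+                            = @dev
    R                              = @bot
    RWC     tickets/[0-9]+$        = @dev    # create and push ticket branches
    RW+C    u/USER/                = @dev    # full control over personal branches
    RW+C    refs/tags/u/USER/      = @dev    # full control over personal tags
"""
PUB_STANZA = """
repo www_publications
    RW+D                           = @all
"""
GOOD_CONF = ADMIN_STANZA + ALL_STANZA + PUB_STANZA  # deny is seen before the blanket RW+
BAD_CONF = ALL_STANZA + ADMIN_STANZA + PUB_STANZA   # blanket RW+ matches first, deny is dead

# Constructed membership; alice is both a developer and an admin.
GROUPS = {"@dev": {"alice", "bob"}, "@bot": {"ci"}, "@admin": {"alice"}}


def parse_conf(text):
    """Flatten a subset of gitolite.conf into (repo, perm, refex, who) in file order."""
    rules, repos = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("repo "):
            repos = line.split()[1:]
            continue
        lhs, rhs = line.split("=", 1)
        fields = lhs.split()
        refex = fields[1] if len(fields) > 1 else ""
        rules += [(repo, fields[0], refex, who) for repo in repos for who in rhs.split()]
    return rules


def user_matches(who, user):
    if who == "@all":
        return True
    return user in GROUPS.get(who, set()) if who.startswith("@") else who == user


def refex_matches(refex, ref, user):
    """USER is substituted, 'refs/heads/' is prepended unless the refex starts with
    'refs/', an empty refex means refs/.*, and the match is anchored at the start."""
    refex = refex.replace("USER", user) or "refs/.*"
    if not refex.startswith("refs/"):
        refex = "refs/heads/" + refex
    return re.match(refex, ref) is not None


def perm_allows(rule_perm, wanted):
    if wanted == "R":
        return True                 # every non-deny permission starts with R
    if wanted == "W":
        return rule_perm.startswith("RW")
    return wanted in rule_perm      # "+", "C" or "D"


def access(rules, repo, user, wanted, ref, deny_rules=False):
    """Walk the repo's rules (its own stanzas plus @all) in conf order; the first
    rule matching user and ref decides, and no match means denied. Deny rules are
    ignored for reads unless deny_rules (gitolite's 'option deny-rules = 1') is set."""
    mine = [r for r in rules if r[0] in (repo, "@all")]
    perms = [r[1] for r in mine if r[1] != "-"]
    # C and D are only enforced once some rule in the repo uses them; otherwise
    # creating a branch needs W and deleting one needs +.
    if wanted == "C" and not any("C" in p for p in perms):
        wanted = "W"
    if wanted == "D" and not any("D" in p for p in perms):
        wanted = "+"
    for _, perm, refex, who in mine:
        if not (user_matches(who, user) and refex_matches(refex, ref, user)):
            continue
        if perm == "-":
            if wanted == "R" and not deny_rules:
                continue
            return False
        if perm_allows(perm, wanted):
            return True
    return False


RULES = parse_conf(GOOD_CONF)

if __name__ == "__main__":
    for check in [("gitolite-admin", "bob", "W", "refs/heads/master"),
                  ("gitolite-admin", "alice", "W", "refs/heads/master"),
                  ("drp_stella", "bob", "C", "refs/heads/feature"),
                  ("drp_stella", "bob", "C", "refs/heads/tickets/42"),
                  ("www_publications", "ci", "D", "refs/heads/old")]:
        print(check, access(RULES, *check))
    print("bad order, bob writes gitolite-admin:",
          access(parse_conf(BAD_CONF), "gitolite-admin", "bob", "W", "refs/heads/master"))
```

Two things the run makes visible that are easy to miss when reading the conf: with the override stanza first, bob (dev only) is denied on gitolite-admin while alice (dev and admin) still gets RW+ because her admin rule is matched before the deny; and with the stanzas the other way round bob keeps write access to gitolite-admin. Read access to gitolite-admin is still granted to @dev through the @all stanza unless deny-rules is enabled for that repo. The model also shows why the ticket/personal rules bite even though `RW+ = @dev` comes first: once any C rule exists in a repo, creating a branch requires a matching C rule, and `RW+` alone does not carry C.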

Comment by shimono [ 31/Jul/14 ]

> Specifically $GL_WILDCARDS=0 in .gitolite.rc
Not a security reason, but just the default, I think.
The only thing I am afraid of is that adding C to @all will make things messy and unorganized.. (ah, of course I need to trust @admins, heh..)

Anyway, if there is no strong objection, I'd file a new ticket for

  • changing $GL_WILDCARDS
  • adding ics_* drp_* spt_* ets_* pfs_* (targets need to be discussed) to gitolite with C = @admin

Comment by shimono [ 18/Jul/16 ]

Closing this since we moved to GitHub, and operations are under discussion in INFRA-38 or related tickets.

Comment by shimono [ 01/Dec/16 ]

Closing this. (It might have been mis-reopened.)
