Re: ActionNotAllowed: policy violation - but why?
Steve Traylen wrote:
On Fri, May 8, 2009 at 4:04 PM, Mike Bonnet <mikeb(a)redhat.com>
wrote:
> Steve Traylen wrote:
>> On Fri, May 8, 2009 at 11:52 AM, Steve Traylen <steve(a)traylen.net> wrote:
>>> Hi,
>>>
>>> I was reliably building on a tag before but now receive
>>> ActionNotAllowed: policy violation
>> A little bit more.
>>
>> ActionNotAllowed: policy violation -- all :: deny
> What version of Koji are you running? I believe there was a bug in earlier
> versions that caused a missing "policy" entry in /etc/koji-hub/hub.conf to
> result in denials of everything. That should be fixed in 1.3.1.
> Alternately you could add a policy entry to allow building from srpm into
> the dist-centos4 tag:
>
> [policy]
> build_from_srpm =
> tag dist-centos4 :: allow
> has_perm admin :: allow
> all :: deny
>
Hi Mike,
I'm running stock FC10.
koji-hub-1.3.1-1.fc10.noarch
koji-1.3.1-1.fc10.noarch
koji-web-1.3.1-1.fc10.noarch
koji-utils-1.3.1-1.fc10.noarch
koji-builder-1.3.1-1.fc10.noarch
I've not had had any [policy] in the hub.conf file up to now
and things have been okay, i.e I could build from cvs and svn
for instance which I did yesterday. It's just building from srpm that has
been blocked but I have not tried that in a while so that may have been the
before the recent upgrade.
Actually I was wrong, if no policy is present the default policy forbids
building from srpm by anyone but an admin (this is for consistency with
previous versions of Koji). But this is now overrideable with custom
policy, whereas it was hard-coded before.
Certainly making a very open policy
[policy]
build_from_srpm =
tag dist-centos4 :: allow
has_perm admin :: allow
all :: all
and then things proceed, I'll tune that now.
More generally now about policies. Do you have some description on these
and what can be set? If nothing exists if you can give me something brief then
I'll try and write something up for the wiki.
Unfortunately the policy stuff is not well-documented at the moment, but
we're working on fixing that. It is actually a very powerful mechanism
that allows you to control what types of source repositories you can
build from, setup elaborate building and tagging policy, etc. We'll get
some basic documentation onto the fedoraproject.org wiki soon, and any
help expanding on it at that point would be appreciated.
As it happens I'm giving a presentation in a weeks time to my
colleagues
on mock, koji and mash and certainly any content (e.g diagrams) I produce I'll
write up in a generic way for inclusion in documentation.
That'd be great!
Thanks again
Steve
>> Steve
>>
>>> and can't seem shake it or understand why for a particular package
>>> Is is possible
>>> to get an explanation?
>>>
>>> http://skoji.cern.ch/koji/taskinfo?taskID=2918
>>>
>>> This is following a build as CN=straylen
>>>
>>> koji build --nowait dist-centos4 ../SRPMS/mpich-1.2.7p1-2.el4.src.rpm
>>>
>>> My permissions.
>>>
>>> id | name | password | status | usertype | krb_principal
>>> ----+----------+----------+--------+----------+---------------
>>> 1 | straylen | | 0 | 0 |
>>>
>>> and user_id=1 does not appear in user_perms . i.e I am
>>> a boring user.
>>>
>>> The package has been added.
>>>
>>> koji list-pkgs --tag=dist-centos4 --package=mpich
>>> Package Tag Extra Arches Owner
>>> ----------------------- ----------------------- ----------------
>>> ---------------
>>> mpich dist-centos4 straylen
>>>
>>>
>>> Thanks again for the help.
> --
> Fedora-buildsys-list mailing list
> Fedora-buildsys-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
>