We recently had a requirement that builds of a particular package should
only be managed by package owners (owner derived from the [package,tag]
pair). (Just to clear any possible confusion, I do NOT mean the build
owner, but the package owner.)
Initially, I had assumed that only package owners can schedule builds of
their package, but a quick look at the code yielded nothing to prove the
assumption. So, I created a random user and verified that he can build
and tag packages.
Then, I looked at whether I can write a policy to this effect. But, none
of the tests that were already there seemed to provide the
functionality. So, I hacked up a patch to add a test.
With this patch in place, I can add a line like "is_package_owner :: allow"
to allow only package owners to build. The policy spec in
my /etc/koji-hub/hub.conf looks like this now:
has_perm admin :: allow
is_package_owner :: allow
all :: deny
Do let me know whether it is sane and makes sense.
(The patch is NOT taken against the git HEAD, but it should apply easily
with some fuzz)
From f10b458131c5a1aa75f97e2cb458051630918f04 Mon Sep 17 00:00:00 2001
From: Jitesh Shah <jiteshs(a)marvell.com>
Date: Wed, 28 Oct 2009 17:20:01 +0530
Subject: [PATCH] Add own policy spec
Signed-off-by: Jitesh Shah <jiteshs(a)marvell.com>
hub/kojihub.py | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/hub/kojihub.py b/hub/kojihub.py
index a281b5e..ef1c364 100644
@@ -4443,6 +4443,26 @@ class IsBuildOwnerTest(koji.policy.BaseSimpleTest):
+ """Check if user owns the build"""
+ name = "is_package_owner"
+ def run(self, data):
+ build = get_build(data['build'])
+ pkg_id = get_package_id(koji.parse_NVR(build['nvr'])['name'],
+ tag = get_tag(data['tag'])
+ pkgs = readPackageList(tagID=tag['id'], pkgID=pkg_id, inherit=True)
+ owner_id = pkgs.get(pkg_id,None)['owner_id']
+ owner = get_user(owner_id)
+ user = get_user(data['user_id'])
+ if owner_id == user['id']:
+ return True
+ if owner['usertype'] == koji.USERTYPES['GROUP']:
+ # owner is a group, check to see if user is a member
+ if owner['id'] in koji.auth.get_user_groups(user['id']):
+ return True
+ return False
"""Check if user is in group(s)
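Review bot: `owner_id = pkgs.get(pkg_id,None)['owner_id']` raises a TypeError whenever the package is not in the tag's package list (readPackageList returns no entry for it, so `.get()` yields None), so a build of an unlisted package turns into a hub traceback instead of a policy decision; the test should fail closed there, e.g. `pkg = pkgs.get(pkg_id)` followed by `if pkg is None: return False` before reading `pkg['owner_id']`. The `get_package_id(koji.parse_NVR(build['nvr'])['name'],` line above it is also missing its closing parenthesis as posted, and the class statement for the new test does not appear in the hunk at all, so the patch does not parse as shown; if that is only mail damage, a resend should carry the complete lines. Two smaller points: the docstring says "Check if user owns the build", which describes IsBuildOwnerTest rather than this test and should read something like "Check if user owns the build's package in the given tag"; and since the test reads both data['build'] and data['tag'] and resolves the build with get_build, a build record must already exist when it runs, so document that it only applies to a policy whose data carries those two keys and that it gates the tagging of a build rather than the scheduling of one.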
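To make the three-line policy in the post concrete, here is a standalone model of how a koji-style rule list is evaluated: each line is "test [args] :: action", rules are tried top to bottom, and the first test that passes decides. This is an added example, not koji's own code and not the patch above; the users, groups, builds and per-tag package list are constructed in-memory stand-ins for the hub's database helpers (get_build, readPackageList, get_user, koji.auth.get_user_groups), the USERTYPE values are assumed, and the is_package_owner test here deliberately returns False when the package is not listed for the tag instead of raising.

```python
"""Standalone model of koji-style policy evaluation (added example, not koji code).
Rules are "test [args] :: action" lines, evaluated top to bottom; the first rule
whose test passes decides.  All data below is constructed for the example."""

USERTYPE_NORMAL = 0
USERTYPE_GROUP = 2  # assumed numeric value; the real hub uses koji.USERTYPES['GROUP']

# Constructed sample data; every id and name here is invented.
USERS = {
    1: {"id": 1, "name": "admin", "usertype": USERTYPE_NORMAL, "perms": {"admin"}},
    2: {"id": 2, "name": "alice", "usertype": USERTYPE_NORMAL, "perms": set()},
    3: {"id": 3, "name": "bob", "usertype": USERTYPE_NORMAL, "perms": set()},
    4: {"id": 4, "name": "kernel-team", "usertype": USERTYPE_GROUP, "perms": set()},
    5: {"id": 5, "name": "mallory", "usertype": USERTYPE_NORMAL, "perms": set()},
}
GROUP_MEMBERS = {4: {3}}  # bob is a member of the kernel-team group
# Per-tag package list with inheritance already flattened: tag -> {package: owner_id}
TAG_PACKAGES = {"f12": {"foo": 2, "kernel": 4}}
BUILDS = {
    "foo-1.0-1": {"nvr": "foo-1.0-1", "name": "foo"},
    "kernel-2.6-1": {"nvr": "kernel-2.6-1", "name": "kernel"},
    "bar-1.0-1": {"nvr": "bar-1.0-1", "name": "bar"},  # bar is not in any tag's list
}


class BaseSimpleTest:
    """A policy test: the name used in the rule file plus a run(data) predicate."""
    name = None

    def __init__(self, args):
        self.args = args.split()

    def run(self, data):
        raise NotImplementedError


class AllTest(BaseSimpleTest):
    name = "all"

    def run(self, data):
        return True


class HasPermTest(BaseSimpleTest):
    name = "has_perm"

    def run(self, data):
        perms = USERS[data["user_id"]]["perms"]
        return any(p in perms for p in self.args)


class IsPackageOwnerTest(BaseSimpleTest):
    """Pass if the user owns the build's package in the tag, directly or via a group."""
    name = "is_package_owner"

    def run(self, data):
        pkg_name = BUILDS[data["build"]]["name"]
        owner_id = TAG_PACKAGES.get(data["tag"], {}).get(pkg_name)
        if owner_id is None:
            return False  # package not listed for the tag: fail closed, do not raise
        if owner_id == data["user_id"]:
            return True
        owner = USERS[owner_id]
        if owner["usertype"] == USERTYPE_GROUP:
            return data["user_id"] in GROUP_MEMBERS.get(owner_id, set())
        return False


class SimpleRuleSet:
    """Parse 'test args :: action' lines and evaluate them first-match-wins."""

    def __init__(self, rules_text, tests):
        self.rules = []
        for line in rules_text.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            test_part, action = line.rsplit("::", 1)
            name, _, args = test_part.strip().partition(" ")
            self.rules.append((tests[name](args), action.strip()))

    def apply(self, data):
        for test, action in self.rules:
            if test.run(data):
                return action
        return None  # no rule matched; the caller decides the default


POLICY = """
has_perm admin :: allow
is_package_owner :: allow
all :: deny
"""

TESTS = {cls.name: cls for cls in (AllTest, HasPermTest, IsPackageOwnerTest)}


def decide(user_id, build_nvr, tag):
    """Evaluate POLICY for one (user, build, tag) triple; returns 'allow' or 'deny'."""
    data = {"user_id": user_id, "build": build_nvr, "tag": tag}
    return SimpleRuleSet(POLICY, TESTS).apply(data)
```

With this data, decide(2, "foo-1.0-1", "f12") is "allow" because alice owns foo, decide(3, "kernel-2.6-1", "f12") is "allow" because bob is in the group that owns kernel, and decide(2, "bar-1.0-1", "f12") is "deny" because bar is not in the tag's package list, which is the case a package-owner test has to handle without crashing the hub. The "all :: deny" line matters: without it an unmatched request would fall off the end of the rule list and the default would be up to the caller.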