Hi folks,
We don't currently document the permissions that koji-gc requires at https://docs.pagure.org/koji/utils/#garbage-collector
In Fedora the garbage collector user is "oscar", and it has the following groups:
$ koji --noauth call getUserPerms oscar
['admin', 'infra', 'autosign']
That seems like a lot of high permissions. Are they all necessary?
- Ken
The garbage collector deletes builds. This is an admin-only action.
It also uses untagBuildBypass, which was originally admin-only, but now works with the tag permission.
Note that koji-gc does not normally use the force option for untagging. Due to a quirk in the tag access check, koji-gc will fail to untag from tags that require a permission it does not have (even if it has admin), so it needs to have any perms that are routinely used for tag access. Clearly this is kind of obtuse and we probably ought to make it simpler ;)
On Fri, Apr 24, 2020 at 3:52 PM Ken Dreyer ktdreyer@ktdreyer.com wrote:
koji-devel mailing list -- koji-devel@lists.fedorahosted.org To unsubscribe send an email to koji-devel-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.o...
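A check for the situation Mike describes, as an added example that is neither koji-gc's code nor from this thread: given the permission list that `getUserPerms` returns and the tag list that `listTags` returns (its `perm` field is the tag's lock permission, or None), it reports which lock permissions the gc user lacks and which tags would fail to untag without force. The user permissions, tag names and permission names below are constructed sample data, not Fedora's real configuration.

```python
# Added example (not koji-gc's own code): find tags whose lock permission a
# Koji user lacks. Per the thread, koji-gc cannot untag from such tags when it
# runs without the force option, even when it holds 'admin'.
from collections import defaultdict

# Constructed sample: what `koji call getUserPerms <gc-user>` might return.
GC_USER_PERMS = ["admin", "infra", "autosign"]

# Constructed sample tags in the shape returned by `koji call listTags`;
# only the 'name' and 'perm' keys are used here. Tag and perm names are
# hypothetical.
SAMPLE_TAGS = [
    {"name": "f32-updates-candidate", "perm": None},
    {"name": "f32-updates", "perm": "autosign"},
    {"name": "f32-infra", "perm": "infra"},
    {"name": "f32-secure-boot", "perm": "secure-boot"},
    {"name": "f32-secure-boot-candidate", "perm": "secure-boot"},
    {"name": "f32-coreos-signing-pending", "perm": "coreos-signing"},
]


def tags_blocked_for_user(user_perms, tags):
    """Map each lock permission the user lacks to the tags that require it.

    'admin' is deliberately not treated as a wildcard: the thread states that
    the tag access check does not honour it for non-forced untagging.
    """
    held = set(user_perms)
    blocked = defaultdict(list)
    for tag in tags:
        perm = tag.get("perm")
        if perm is not None and perm not in held:
            blocked[perm].append(tag["name"])
    return dict(blocked)


def perms_to_grant(user_perms, tags):
    """Sorted list of the extra permissions needed to untag from every tag."""
    return sorted(tags_blocked_for_user(user_perms, tags))


if __name__ == "__main__":
    for perm, names in tags_blocked_for_user(GC_USER_PERMS, SAMPLE_TAGS).items():
        print(f"missing '{perm}': cannot untag from {', '.join(names)}")
    print("grant:", perms_to_grant(GC_USER_PERMS, SAMPLE_TAGS))
```

Feeding it the real output of `koji call getUserPerms` and `koji call listTags` turns it into the tracking step Tomas finds annoying: rerun it whenever a new lock permission is introduced.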
On 25. 04. 20 at 3:16, Michael McLean wrote:
+1 - it is annoying that you need to track new permissions and grant them to koji-gc.
I've created https://pagure.io/koji/issue/2189 for that.
On Fri, Apr 24, 2020 at 3:52 PM Ken Dreyer <ktdreyer@ktdreyer.com> wrote: