New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pagure doesn't expand group membership for ACL purposes, and neither does Bodhi #1810

Closed
bowlofeggs opened this Issue Sep 15, 2017 · 1 comment

Comments

Projects
None yet
2 participants
@bowlofeggs
Member

bowlofeggs commented Sep 15, 2017

We learned today that Pagure no longer expands group members when asked for ACL info. Bodhi also doesn't know all the groups a user is part of, because it only pays attention to special groups (like packager or releng). Since neither end is doing it, Bodhi is now unable to grant access to committers who have ACLs through group membership.

@puiterwijk has proposed adding a new query parameter to Pagure's API that would ask it to again expand group membership for us. If that feature is granted to Pagure then Bodhi could just have a small patch that adds that query parameter to the existing query and be back in business.

Alternatively, there is also a Pagure API that can be used to ask for group members. For example:

{
  "creator": {
    "fullname": "Release Engineering",
    "name": "releng"
  },
  "date_created": "1501864801",
  "description": "Group rpm-software-management-sig",
  "display_name": "rpm-software-management-sig",
  "group_type": "user",
  "members": [
    "releng",
    "ignatenkobrain",
    "jsilhan",
    "mluscon",
    "jmracek",
    "mhatina"
  ],
  "name": "rpm-software-management-sig"
}

Bodhi could use this API to expand group membership as well, though this approach would not perform as well as having Pagure expand membership as proposed above.

@bowlofeggs bowlofeggs added the Critical label Sep 15, 2017

@pypingou

This comment has been minimized.

Show comment
Hide comment
@pypingou

pypingou Sep 27, 2017

Member

I was looking at bodhi's code to see which API endpoint it is calling to help fixing this. As far as I can see it's querying the api/0/ns/project endpoint and afair that endpoint did not change. So I'm not sure what went wrong :(

Member

pypingou commented Sep 27, 2017

I was looking at bodhi's code to see which API endpoint it is calling to help fixing this. As far as I can see it's querying the api/0/ns/project endpoint and afair that endpoint did not change. So I'm not sure what went wrong :(

pypingou added a commit that referenced this issue Sep 27, 2017

Expand the groups when querying pagure
With this commit pagure is asked to provide membership information
in addition to its usual data.
This feature was added in: https://pagure.io/pagure/pull-request/2627

The members of the group with commit or admin access are then simply
added to the list of committers.

Fixes #1810

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

pypingou added a commit that referenced this issue Sep 27, 2017

Expand the groups when querying pagure
With this commit pagure is asked to provide membership information
in addition to its usual data.
This feature was added in: https://pagure.io/pagure/pull-request/2627

The members of the group with commit or admin access are then simply
added to the list of committers.

Fixes #1810

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

pypingou added a commit to pypingou/pagure that referenced this issue Sep 29, 2017

Add the possibility to get the group members when asking the project …
…info

With this commit the /api/0/<project> API endpoint may include a
``group_details`` entry in its returned JSON blob which lists all the
members of the groups linked to this project.

Relates to: https://pagure.io/fedora-infrastructure/issue/6357
Relates to: fedora-infra/bodhi#1810

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

bowlofeggs added a commit to bowlofeggs/bodhi that referenced this issue Oct 9, 2017

Expand the groups when querying pagure
With this commit pagure is asked to provide membership information
in addition to its usual data.
This feature was added in: https://pagure.io/pagure/pull-request/2627

The members of the group with commit or admin access are then simply
added to the list of committers.

Fixes fedora-infra#1810

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

bowlofeggs added a commit that referenced this issue Oct 10, 2017

Expand the groups when querying pagure
With this commit pagure is asked to provide membership information
in addition to its usual data.
This feature was added in: https://pagure.io/pagure/pull-request/2627

The members of the group with commit or admin access are then simply
added to the list of committers.

Fixes #1810

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment