Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/build: give a few people access to delete TryBot-Result label, but not change it #21299

Closed
bradfitz opened this issue Aug 3, 2017 · 8 comments
Closed
Labels
Milestone

Comments

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Aug 3, 2017

Currently we have a Gerrit group called "trybot-result-changers":

https://go-review.googlesource.com/admin/groups/1025

The intent of that group is that some people can delete TryBot-Result on failed flakes and cause the trybots to re-run.

But the way we implemented that group is this ACL:

(in All-Projects project.config)

[access "refs/heads/*"]
...
        label-Run-TryBot = +0..+1 group approvers
        label-Run-TryBot = +0..+1 group may-start-trybots
        label-TryBot-Result = -1..+1 group trybot-result-changers

I think we want to use this instead:

https://gerrit-review.googlesource.com/Documentation/access-control.html#category_review_labels

For every configured label My-Name in the project, there is a corresponding permission label-My-Name with a range corresponding to the defined values. There is also a corresponding labelAs-My-Name permission that enables editing another user’s label.

We want some people to be able to delete the gopherbot's TryBot-Result label, but not set it themselves.

Is that possible?

Leaving for @andybons

@gopherbot gopherbot added this to the Unreleased milestone Aug 3, 2017
@gopherbot gopherbot added the Builders label Aug 3, 2017
@bradfitz

This comment has been minimized.

Copy link
Contributor Author

@bradfitz bradfitz commented Aug 3, 2017

Btw, the harm in the current system is that the UI is cluttered now and it's too easy to accidentally "vote" on TryBot-Result instead of Run-TryBot:

screen shot 2017-08-03 at 1 38 48 pm

@bradfitz

This comment has been minimized.

Copy link
Contributor Author

@bradfitz bradfitz commented Feb 14, 2018

Andy, did you see this earlier?

@andybons

This comment has been minimized.

Copy link
Member

@andybons andybons commented Feb 14, 2018

I did not. Will take a look. Need to go through all my assigned bugs. 😬

@andybons andybons removed their assignment Sep 18, 2019
@dmitshur

This comment has been minimized.

Copy link
Member

@dmitshur dmitshur commented Nov 20, 2019

/cc @FiloSottile FYI, since you're changing or considering changing Gerrit permissions.

@FiloSottile

This comment has been minimized.

Copy link
Member

@FiloSottile FiloSottile commented Nov 20, 2019

Pretty sure I fixed this at some point, and it should not be possible for people to vote TryBot-Result anymore. If that's not the case, please reopen.

image

@bradfitz

This comment has been minimized.

Copy link
Contributor Author

@bradfitz bradfitz commented Nov 20, 2019

That's not what this bug is about.

This bug is about letting people delete TryBot-Result but not change it.

@bradfitz bradfitz reopened this Nov 20, 2019
@bradfitz

This comment has been minimized.

Copy link
Contributor Author

@bradfitz bradfitz commented Nov 20, 2019

Oh, nevermind... this is indeed fixed. I thought you were just showing that you don't have permission to change it, whereas my concern was for people who did have the permission.

But I can see that I can both delete the TryBot-Result label and also not change it.

Let me look through the git history to see when & how that was fixed.

@bradfitz bradfitz closed this Nov 20, 2019
@bradfitz

This comment has been minimized.

Copy link
Contributor Author

@bradfitz bradfitz commented Nov 20, 2019

commit 9a62ff8f7f73852684d6fef26e57e679057ba655
Author: Filippo Valsorda <filippo@golang.org>
Date:   Wed Jun 6 20:48:03 2018 +0000

    Let trybot-result-changers change TryBot-Result
    
    Current permission only lets them cast it on their own behalf.
    
    Change-Id: I90c09cba2e157152de6946f592f9833537841827
    Reviewed-on: https://go-review.googlesource.com/116760
    Reviewed-by: Filippo Valsorda <filippo@golang.org>

diff --git a/project.config b/project.config
index b3f86a9..0ab6c4a 100644
--- a/project.config
+++ b/project.config
@@ -52,9 +52,9 @@
        editTopicName = group approvers
        label-Run-TryBot = +0..+1 group approvers
        label-Run-TryBot = +0..+1 group may-start-trybots
-       label-TryBot-Result = -1..+1 group trybot-result-changers
        editHashtags = group approvers
        editHashtags = group gobot
+       labelAs-TryBot-Result = group trybot-result-changers
 [access "refs/meta/config"]
        exclusiveGroupPermissions = read
        read = group Project Owners

and

commit e5f87f16b9926cde199b363057a18b853d9d71c0
Author: Filippo Valsorda <filippo@golang.org>
Date:   Wed Jun 6 23:27:16 2018 +0000

    Restore gobot's permission to cast TryBot-Result
    
    gobot was using its membership of trybot-result-changers to do that,
    but that group was switched to casting the vote on behalf of in
    I90c09cba2e157152de6946f592f9833537841827
    
    Change-Id: I94df0d7c546ecef94f783ff1f175374773ab43cc
    Reviewed-on: https://go-review.googlesource.com/116764
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/project.config b/project.config
index 0ab6c4a..c0e2b09 100644
--- a/project.config
+++ b/project.config
@@ -55,6 +55,7 @@
        editHashtags = group approvers
        editHashtags = group gobot
        labelAs-TryBot-Result = group trybot-result-changers
+       label-TryBot-Result = -1..+1 group gobot
 [access "refs/meta/config"]
        exclusiveGroupPermissions = read
        read = group Project Owners

Ah, so it's "labelAs" ... https://gerrit-review.googlesource.com/Documentation/access-control.html#category_review_labels

For every configured label My-Name in the project, there is a corresponding permission label-My-Name with a range corresponding to the defined values. There is also a corresponding labelAs-My-Name permission that enables editing another user’s label.

Update: durr, the same docs I found and replied with two years ago.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.