[devops] clean up gerrit permissions

Bug #1406302 reported by Dmitry Mescheryakov
This bug affects 1 person
Affects: Fuel for OpenStack
Status: Fix Released
Importance: High
Assigned to: Andrey Nikitin

Bug Description

Right now access to some gerrit projects is defined in fuel-infra/jeepyb-config in projects.yaml through ACL mechanism.

And for some other projects it is defined within the project, like
https://review.fuel-infra.org/#/admin/projects/openstack/neutron,access
For example, there is no ACL defined for openstack/neutron in projects.yaml, it works through internal gerrit access.

This is a mess and it should be cleared out. Every project must have its access fully defined in projects.yaml. Nothing should be specified in internal gerrit settings.

Tags: devops review
Igor Shishkin (teran) wrote :

Hello Dmitry,

> Every project must have its access fully defined in projects.yaml.
Could you please clarify why it's a must for you?

tags: added: review
Changed in fuel:
status: New → Confirmed
Dmitry Mescheryakov (dmitrymex) wrote :

Hello Igor,

The reason I've requested that is to keep all the permissions in a single place. If you want people to change gerrit config themselves, you must show it all together at first. Otherwise, it becomes _very_ unclear what to change and which changes trigger what.

For example, you should be able to create a *-core group merely by copy-pasting such an existing group. Sounds simple, doesn't it? But because some of the config is hard-coded inside gerrit, you can't simply copy-paste the ACL for the project. You will have to find and copy such internal configuration, which a regular user should never have to do, because it is just too complicated.

Dmitry Mescheryakov (dmitrymex) wrote :

I think bug https://bugs.launchpad.net/fuel/+bug/1406764 is a nice illustration of the problem.

Igor Shishkin (teran) wrote :

The bug you have linked looks like a bug.

In project-configs repo I see the following:

^_^ [teran@escape|03:07:32:~/Documents/Development/git/fuel-infra/project-configs]$ git blame neutron/neutron.config
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 1) [access "refs/heads/*"]
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 2) abandon = group neutron-core
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 3) label-Code-Review = -2..+2 group neutron-core
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 4) label-Workflow = -1..+1 group neutron-core
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 5) rebase = group neutron-core
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 6) submit = group neutron-core
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 7) [receive]
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 8) requireChangeId = true
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 9) [access]
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 10) inheritFrom = openstack
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 11) [submit]
b3b64021 (Andrey Nikitin 2014-10-24 15:41:20 +0400 12) mergeContent = true

So we have an ACL for the neutron project, and all you see in https://review.fuel-infra.org/#/admin/projects/openstack/neutron,access is true but set by jeepyb from this ACL.

So it looks like it was done by design :)

Changed in fuel:
status: Confirmed → Invalid
assignee: Andrey Nikitin (heos) → Igor Shishkin (teran)
Dmitry Mescheryakov (dmitrymex) wrote :

Igor,

I agree that #1406764 was an unrelated glitch and it was fixed. But let me clarify my initial complaint - if you take a look at the following line in config.yaml

https://review.fuel-infra.org/gitweb?p=fuel-infra/jeepyb-config.git;a=blob;f=projects.yaml;h=3338dde5f2214c50309a60f995b90c49c41e1c74;hb=6ccda105d8740d2ace8bd8c6636ba640aced8f50#l4976

you will see that project openstack/neutron does not have 'acl-config' property set. But miraculously the project is accessible and neutron cores can merge into it.

Changed in fuel:
status: Invalid → New
Igor Shishkin (teran) wrote :

It doesn't have to be specified directly to work.

Changed in fuel:
status: New → Invalid
Andrey Nikitin (heos)
Changed in fuel:
assignee: Igor Shishkin (teran) → Andrey Nikitin (heos)
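
The three cases argued over in this thread (an ACL named explicitly through 'acl-config', an ACL file picked up implicitly, and access that exists only inside Gerrit) can be told apart mechanically. The script below is an added example, not code from the fuel-infra repositories or from jeepyb. The ACL text comes from the git blame output above; the project entries, the `parse_acl` and `audit` helpers, and the fallback to `<name>/<name>.config` when 'acl-config' is missing are assumptions made for illustration.

```python
import re

# Constructed input: access sections of the ACL from the git blame output.
NEUTRON_ACL = """[access "refs/heads/*"]
abandon = group neutron-core
label-Code-Review = -2..+2 group neutron-core
label-Workflow = -1..+1 group neutron-core
rebase = group neutron-core
submit = group neutron-core
[access]
inheritFrom = openstack
"""
# Constructed projects.yaml entries, already loaded into Python dicts.
PROJECTS = [
    {"project": "openstack/neutron"},  # no acl-config, as in the thread
    {"project": "example/explicit", "acl-config": "neutron/neutron.config"},
    {"project": "example/orphan"},  # no ACL file in the repo at all
]
ACL_FILES = {"neutron/neutron.config": NEUTRON_ACL}

def parse_acl(text):
    """Return ({(ref, permission): [groups]}, inheritFrom parent)."""
    grants, parent, section = {}, None, (None, None)
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r'\[(\w+)(?:\s+"(.*)")?\]', line)
        if header:
            section = header.groups()
        elif "=" in line and section[0] == "access":
            key, value = (part.strip() for part in line.split("=", 1))
            group = re.search(r"\bgroup (.+)$", value)
            if section[1] is None and key == "inheritFrom":
                parent = value
            elif section[1] and group:
                grants.setdefault((section[1], key), []).append(group.group(1))
    return grants, parent

def audit(projects, acl_files):
    """Map project -> (ACL source, parent, groups allowed to submit)."""
    report = {}
    for item in projects:
        short = item["project"].split("/")[-1]
        # Assumption: without acl-config, <name>/<name>.config is used.
        path = item.get("acl-config") or "%s/%s.config" % (short, short)
        source = "explicit" if "acl-config" in item else "implicit"
        source = source if path in acl_files else "gerrit-only"
        grants, parent = parse_acl(acl_files.get(path, ""))
        submitters = grants.get(("refs/heads/*", "submit"), [])
        report[item["project"]] = (source, parent, submitters)
    return report
```

Projects reported as "implicit" or "gerrit-only" are the ones whose merge rights cannot be read off projects.yaml alone.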
Andrey Nikitin (heos) wrote :

I will fix it.

Changed in fuel:
status: Invalid → Confirmed
Andrey Nikitin (heos)
Changed in fuel:
status: Confirmed → In Progress
Andrey Nikitin (heos) wrote :

Permissions were updated.

Changed in fuel:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released