Launchpad itself

git fine-grained permissions

Bug #1517559 reported by Andy Whitcroft
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Colin Watson
turnip
Fix Released
High
Tom Wardill

Bug Description

We are trying to work out where to place some of our team related repositories. Part of this will be depend on who has control over fine-grained permissions (push to specific refs etc) as part of that team. Will this be the Administrator of the team or all members of this team?

Related branches

lp:~cjwatson/launchpad/db-git-permissions
William Grant: Approve (db)
Stuart Bishop: Pending (db) requested
Diff: 72 lines (+68/-0)
1 file modified
database/schema/patch-2209-85-0.sql (+68/-0)
lp:~cjwatson/launchpad/git-permissions-model
William Grant: Approve (code)
Diff: 1268 lines (+1055/-5)
13 files modified
lib/lp/code/configure.zcml (+29/-0)
lib/lp/code/enums.py (+21/-0)
lib/lp/code/interfaces/gitrepository.py (+24/-0)
lib/lp/code/interfaces/gitrule.py (+178/-0)
lib/lp/code/model/gitrepository.py (+70/-0)
lib/lp/code/model/gitrule.py (+208/-0)
lib/lp/code/model/tests/test_gitrepository.py (+124/-1)
lib/lp/code/model/tests/test_gitrule.py (+221/-0)
lib/lp/registry/personmerge.py (+39/-1)
lib/lp/registry/tests/test_personmerge.py (+72/-2)
lib/lp/security.py (+40/-0)
lib/lp/testing/factory.py (+25/-0)
scripts/close-account.py (+4/-1)
lp:~cjwatson/launchpad/db-git-activity
William Grant: Approve (db)
Stuart Bishop: Pending (db) requested
Diff: 66 lines (+33/-0)
3 files modified
database/schema/patch-2209-85-1.sql (+29/-0)
database/schema/security.cfg (+2/-0)
lib/lp/registry/model/person.py (+2/-0)
lp:~cjwatson/launchpad/git-activity-model
William Grant: Approve (code)
Diff: 960 lines (+621/-22)
13 files modified
lib/lp/code/configure.zcml (+13/-0)
lib/lp/code/enums.py (+23/-1)
lib/lp/code/interfaces/gitactivity.py (+135/-0)
lib/lp/code/interfaces/gitrepository.py (+9/-2)
lib/lp/code/interfaces/gitrule.py (+11/-4)
lib/lp/code/model/gitactivity.py (+145/-0)
lib/lp/code/model/gitrepository.py (+16/-2)
lib/lp/code/model/gitrule.py (+17/-3)
lib/lp/code/model/tests/test_gitactivity.py (+48/-0)
lib/lp/code/model/tests/test_gitrepository.py (+15/-4)
lib/lp/code/model/tests/test_gitrule.py (+177/-4)
lib/lp/security.py (+10/-0)
lib/lp/testing/factory.py (+2/-2)
lp:~cjwatson/launchpad/git-permissions-notifications
William Grant: Approve (code)
Diff: 610 lines (+301/-31)
10 files modified
database/schema/security.cfg (+1/-0)
lib/lp/code/adapters/gitrepository.py (+8/-3)
lib/lp/code/interfaces/gitactivity.py (+7/-1)
lib/lp/code/interfaces/gitrepository.py (+3/-1)
lib/lp/code/mail/branch.py (+26/-9)
lib/lp/code/model/gitactivity.py (+11/-0)
lib/lp/code/model/gitjob.py (+64/-5)
lib/lp/code/model/gitrepository.py (+4/-2)
lib/lp/code/model/tests/test_gitjob.py (+139/-1)
lib/lp/code/model/tests/test_gitrepository.py (+38/-9)
lp:~cjwatson/launchpad/git-grant-limitedview
William Grant: Approve (code)
Diff: 122 lines (+57/-3)
4 files modified
lib/lp/code/interfaces/gitcollection.py (+7/-1)
lib/lp/code/model/gitcollection.py (+15/-1)
lib/lp/registry/tests/test_private_team_visibility.py (+28/-1)
lib/lp/security.py (+7/-0)
lp:~cjwatson/launchpad/git-permissions-webservice-ref
William Grant: Approve (code)
Diff: 1291 lines (+875/-24)
12 files modified
lib/lp/_schema_circular_imports.py (+4/-0)
lib/lp/app/webservice/marshallers.py (+62/-2)
lib/lp/app/webservice/tests/test_marshallers.py (+77/-3)
lib/lp/code/configure.zcml (+21/-4)
lib/lp/code/interfaces/gitref.py (+41/-8)
lib/lp/code/interfaces/gitrule.py (+26/-0)
lib/lp/code/model/gitref.py (+32/-1)
lib/lp/code/model/gitrule.py (+101/-3)
lib/lp/code/model/tests/test_gitref.py (+189/-0)
lib/lp/code/model/tests/test_gitrule.py (+301/-0)
lib/lp/services/fields/__init__.py (+14/-2)
lib/lp/services/webservice/configure.zcml (+7/-1)
lp:~cjwatson/launchpad/git-permissions-webservice-repository
William Grant: Approve (code)
Diff: 887 lines (+590/-28)
8 files modified
lib/lp/_schema_circular_imports.py (+6/-1)
lib/lp/code/configure.zcml (+5/-0)
lib/lp/code/interfaces/gitrepository.py (+46/-0)
lib/lp/code/interfaces/gitrule.py (+15/-0)
lib/lp/code/model/gitrepository.py (+65/-1)
lib/lp/code/model/gitrule.py (+55/-5)
lib/lp/code/model/tests/test_gitrepository.py (+378/-0)
lib/lp/registry/tests/test_personmerge.py (+20/-21)
lp:~cjwatson/launchpad/git-permissions-personmerge-whitelist
Colin Watson (community): Approve
Diff: 14 lines (+4/-0)
1 file modified
lib/lp/registry/personmerge.py (+4/-0)
lp:~twom/launchpad/branch-permissions-for-gitapi
Colin Watson (community): Approve
Diff: 909 lines (+824/-0)
6 files modified
lib/lp/code/interfaces/gitapi.py (+6/-0)
lib/lp/code/interfaces/gitrepository.py (+10/-0)
lib/lp/code/model/gitrepository.py (+15/-0)
lib/lp/code/model/tests/test_gitrepository.py (+125/-0)
lib/lp/code/xmlrpc/git.py (+91/-0)
lib/lp/code/xmlrpc/tests/test_git.py (+577/-0)
lp:~twom/launchpad/branch-permissions-empty-default
Colin Watson (community): Approve
Diff: 213 lines (+127/-14)
2 files modified
lib/lp/code/xmlrpc/git.py (+9/-11)
lib/lp/code/xmlrpc/tests/test_git.py (+118/-3)
lp:~twom/launchpad/rework-git-permissions-for-shadowing
Colin Watson (community): Approve
Diff: 959 lines (+190/-682)
3 files modified
lib/lp/code/interfaces/gitapi.py (+3/-2)
lib/lp/code/xmlrpc/git.py (+40/-45)
lib/lp/code/xmlrpc/tests/test_git.py (+147/-635)
lp:~cjwatson/launchpad/git-permission-type
William Grant: Approve (code)
Diff: 274 lines (+124/-21)
5 files modified
lib/lp/code/enums.py (+14/-0)
lib/lp/code/interfaces/gitrule.py (+10/-1)
lib/lp/code/model/gitrule.py (+31/-2)
lib/lp/code/model/tests/test_gitrule.py (+55/-0)
lib/lp/code/xmlrpc/git.py (+14/-18)
lp:~cjwatson/launchpad/git-permissions-vocabulary
William Grant: Approve (code)
Diff: 366 lines (+261/-18)
6 files modified
lib/lp/code/interfaces/gitrule.py (+18/-0)
lib/lp/code/model/gitjob.py (+17/-8)
lib/lp/code/model/gitrule.py (+3/-9)
lib/lp/code/vocabularies/configure.zcml (+12/-1)
lib/lp/code/vocabularies/gitrule.py (+108/-0)
lib/lp/code/vocabularies/tests/test_gitrule_vocabularies.py (+103/-0)
lp:~cjwatson/launchpad/git-grantee-widgets
William Grant: Approve (code)
Diff: 783 lines (+708/-3)
6 files modified
lib/lp/code/browser/widgets/gitgrantee.py (+245/-0)
lib/lp/code/browser/widgets/templates/gitgrantee.pt (+27/-0)
lib/lp/code/browser/widgets/tests/test_gitgrantee.py (+305/-0)
lib/lp/code/interfaces/gitrepository.py (+7/-1)
lib/lp/code/model/gitrepository.py (+12/-1)
lib/lp/code/model/tests/test_gitrepository.py (+112/-1)
lp:~cjwatson/launchpad/git-repository-getRule
Tom Wardill (community): Approve
Launchpad code reviewers: Pending requested
Diff: 72 lines (+26/-3)
4 files modified
lib/lp/code/interfaces/gitrepository.py (+7/-0)
lib/lp/code/model/gitref.py (+1/-3)
lib/lp/code/model/gitrepository.py (+4/-0)
lib/lp/code/model/tests/test_gitrepository.py (+14/-0)
lp:~cjwatson/launchpad/git-setGrants-doc
William Grant: Approve (code)
Diff: 54 lines (+24/-2)
2 files modified
lib/lp/code/interfaces/gitref.py (+19/-1)
lib/lp/code/interfaces/gitrule.py (+5/-1)
lp:~twom/launchpad/widen-performLookup-account-for-grants
Colin Watson (community): Approve
Diff: 93 lines (+52/-3)
2 files modified
lib/lp/code/xmlrpc/git.py (+10/-3)
lib/lp/code/xmlrpc/tests/test_git.py (+42/-0)
lp:~cjwatson/launchpad/git-checkRefPermissions-macaroon
Colin Watson (community): Approve
Diff: 208 lines (+129/-12)
2 files modified
lib/lp/code/xmlrpc/git.py (+27/-8)
lib/lp/code/xmlrpc/tests/test_git.py (+102/-4)
lp:~cjwatson/launchpad/git-permissions-check-api
William Grant: Approve (code)
Diff: 405 lines (+203/-60)
7 files modified
lib/lp/code/interfaces/gitref.py (+13/-0)
lib/lp/code/interfaces/gitrepository.py (+30/-0)
lib/lp/code/model/gitref.py (+8/-0)
lib/lp/code/model/gitrepository.py (+73/-2)
lib/lp/code/model/tests/test_gitref.py (+27/-0)
lib/lp/code/model/tests/test_gitrepository.py (+45/-0)
lib/lp/code/xmlrpc/git.py (+7/-58)
lp:~cjwatson/launchpad/git-permissions-ui-edit
William Grant: Approve (code)
Diff: 1630 lines (+1417/-7)
7 files modified
lib/lp/code/browser/configure.zcml (+6/-0)
lib/lp/code/browser/gitrepository.py (+525/-5)
lib/lp/code/browser/tests/test_gitrepository.py (+641/-2)
lib/lp/code/interfaces/gitrule.py (+4/-0)
lib/lp/code/model/gitrule.py (+7/-0)
lib/lp/code/model/tests/test_gitrule.py (+2/-0)
lib/lp/code/templates/gitrepository-permissions.pt (+232/-0)
lp:~twom/launchpad/git-permissions-activity-view
Colin Watson (community): Approve
Diff: 297 lines (+214/-2)
6 files modified
lib/lp/code/browser/configure.zcml (+6/-0)
lib/lp/code/browser/gitrepository.py (+27/-1)
lib/lp/code/browser/tests/test_gitrepository.py (+74/-0)
lib/lp/code/interfaces/gitrepository.py (+8/-0)
lib/lp/code/model/gitrepository.py (+20/-1)
lib/lp/code/templates/gitrepository-activity.pt (+79/-0)
lp:~cjwatson/launchpad/git-permissions-non-unicode-refs
Tom Wardill (community): Approve
Launchpad code reviewers: Pending requested
Diff: 180 lines (+100/-12)
4 files modified
lib/lp/code/interfaces/gitrepository.py (+2/-1)
lib/lp/code/model/gitrepository.py (+5/-1)
lib/lp/code/xmlrpc/git.py (+24/-5)
lib/lp/code/xmlrpc/tests/test_git.py (+69/-5)
~cjwatson/turnip:non-ascii-ref-permissions
Tom Wardill (community): Approve
Launchpad code reviewers: Pending requested
Diff: 521 lines (+181/-49)
6 files modified
turnip/pack/hookrpc.py (+11/-7)
turnip/pack/hooks/hook.py (+20/-13)
turnip/pack/tests/fake_servers.py (+4/-1)
turnip/pack/tests/test_functional.py (+48/-10)
turnip/pack/tests/test_hookrpc.py (+39/-12)
turnip/pack/tests/test_hooks.py (+59/-6)
~twom/turnip:use-subprocess-for-ancestor-force-push
Colin Watson (community): Approve
Diff: 156 lines (+31/-22)
3 files modified
turnip/pack/hookrpc.py (+0/-1)
turnip/pack/hooks/hook.py (+14/-11)
turnip/pack/tests/test_hooks.py (+17/-10)
~twom/turnip:branch-permissions-for-gitapi
Colin Watson (community): Approve
Diff: 851 lines (+419/-83)
10 files modified
packbackendserver.tac (+4/-1)
turnip/pack/git.py (+15/-4)
turnip/pack/helpers.py (+27/-10)
turnip/pack/hookrpc.py (+30/-9)
turnip/pack/hooks/hook.py (+79/-17)
turnip/pack/tests/test_functional.py (+108/-2)
turnip/pack/tests/test_helpers.py (+6/-4)
turnip/pack/tests/test_hooks.py (+144/-33)
turnip/pack/tests/test_http.py (+2/-2)
turnipserver.py (+4/-1)
Andy Whitcroft (apw)
summary: - git fine grained permissions: who will have controll over these when
+ git fine grained permissions: who will have control over these when
associated with a team
Revision history for this message
William Grant (wgrant) wrote : Re: git fine grained permissions: who will have control over these when associated with a team

Any member of the owning team will have admin access to the repository. A team's administrators only have special privileges over the team itself, not things the team owns.

While we're on the topic, we're starting work on fine-grained permissions. Could you give us some use cases to ensure we meet your desires?

Changed in launchpad:
status: New → Incomplete
Revision history for this message
Andy Whitcroft (apw) wrote :

I thought we put together a list already. But a brief summary. We want to be able to control various branches and tags such that we can enforce, refs/heads/master to be fast-forward only, refs/heads/master-next to rewindable (as it is rebased a lot legitimatly), and for tags to be immutable once pushed (in general). Many of our repos have more than one rewindable/non-rewindable pair representing lts-backports etc. We also want to be able to limit tags to specific forms if possible. refs/tags/Ubuntu-<version> refs/tags/Ubuntu-lts-<version>. Likely we will want more privileged users who have wider permissions such as being able to delete a tag which was made in error.

Essentially, we want to be able to decide on a ref pattern basis, who can create them, who can update them (fast forward), who can update them (rewind) and who can delete them.

Andy Whitcroft (apw)
Changed in launchpad:
status: Incomplete → Confirmed
Revision history for this message
Robie Basak (racb) wrote :

For the git importer, we want:

1. People who can upload the package to be able to push
refs/tags/upload/* only, and nothing else.

2. The importer user (only) to be able to push anything else anywhere.

The importer is generally fast-forwarding only on all branches, but I'm
not sure it's appropriate for Launchpad to enforce this, as the importer
admins may need to fiddle with it. In this case non fast-forwarding
pushes would come from the importer user, I think? Or we could restrict
them to some other admin group.

Revision history for this message
Colin Watson (cjwatson) wrote :

Tom Wardill and I are working on this between us.

summary: - git fine grained permissions: who will have control over these when
- associated with a team
+ git fine-grained permissions
Changed in launchpad:
importance: Undecided → High
status: Confirmed → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18785 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18785) is part of this bug's fix.

Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
tags: added: qa-needstesting
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r13955 in db-stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/13955) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Colin Watson (cjwatson) wrote :

2018-10-03 02:10:34,674 INFO 2209-85-0 applied just now in 0.2 seconds

tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18790 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18790) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r13960 in db-stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/13960) is part of this bug's fix.

Revision history for this message
Colin Watson (cjwatson) wrote :

2018-10-05 20:19:25,823 INFO 2209-85-1 applied just now in 0.1 seconds

The model branch is also safe to deploy as it doesn't expose any new interfaces or behaviour yet.

tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18794 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18794) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Larry muters (lawrencemuters8)
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18795 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18795) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18796 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18796) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18797 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18797) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18798 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18798) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18799 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18799) is part of this bug's fix.

Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
tags: added: feature git lp-code
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18801 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18801) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18802 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18802) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18803 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18803) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18805 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18805) is part of this bug's fix.

Colin Watson (cjwatson)
Changed in turnip:
status: New → Fix Committed
assignee: nobody → Tom Wardill (twom)
importance: Undecided → High
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18806 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18806) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18808 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18808) is part of this bug's fix.

Colin Watson (cjwatson)
Changed in turnip:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18809 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18809) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18810 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18810) is part of this bug's fix.

Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18817 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18817) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18820 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18820) is part of this bug's fix.

Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18830 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18830) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18853 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18853) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Peter Petrakovic (pepe-invest)
description: updated
Colin Watson (cjwatson)
description: updated
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r18855 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18855>.

Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.