git fine-grained permissions

Bug #1517559 reported by Andy Whitcroft on 2015-11-18
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Colin Watson
turnip
High
Tom Wardill

Bug Description

We are trying to work out where to place some of our team related repositories. Part of this will be depend on who has control over fine-grained permissions (push to specific refs etc) as part of that team. Will this be the Administrator of the team or all members of this team?

Related branches

Andy Whitcroft (apw) on 2015-11-18
summary: - git fine grained permissions: who will have controll over these when
+ git fine grained permissions: who will have control over these when
associated with a team

Any member of the owning team will have admin access to the repository. A team's administrators only have special privileges over the team itself, not things the team owns.

While we're on the topic, we're starting work on fine-grained permissions. Could you give us some use cases to ensure we meet your desires?

Changed in launchpad:
status: New → Incomplete
Andy Whitcroft (apw) wrote :

I thought we put together a list already. But a brief summary. We want to be able to control various branches and tags such that we can enforce, refs/heads/master to be fast-forward only, refs/heads/master-next to rewindable (as it is rebased a lot legitimatly), and for tags to be immutable once pushed (in general). Many of our repos have more than one rewindable/non-rewindable pair representing lts-backports etc. We also want to be able to limit tags to specific forms if possible. refs/tags/Ubuntu-<version> refs/tags/Ubuntu-lts-<version>. Likely we will want more privileged users who have wider permissions such as being able to delete a tag which was made in error.

Essentially, we want to be able to decide on a ref pattern basis, who can create them, who can update them (fast forward), who can update them (rewind) and who can delete them.

Andy Whitcroft (apw) on 2015-11-30
Changed in launchpad:
status: Incomplete → Confirmed
Robie Basak (racb) wrote :

For the git importer, we want:

1. People who can upload the package to be able to push
refs/tags/upload/* only, and nothing else.

2. The importer user (only) to be able to push anything else anywhere.

The importer is generally fast-forwarding only on all branches, but I'm
not sure it's appropriate for Launchpad to enforce this, as the importer
admins may need to fiddle with it. In this case non fast-forwarding
pushes would come from the importer user, I think? Or we could restrict
them to some other admin group.

Colin Watson (cjwatson) wrote :

Tom Wardill and I are working on this between us.

summary: - git fine grained permissions: who will have control over these when
- associated with a team
+ git fine-grained permissions
Changed in launchpad:
importance: Undecided → High
status: Confirmed → In Progress
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
tags: added: qa-needstesting
Colin Watson (cjwatson) on 2018-10-02
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) wrote :

2018-10-03 02:10:34,674 INFO 2209-85-0 applied just now in 0.2 seconds

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) wrote :

2018-10-05 20:19:25,823 INFO 2209-85-1 applied just now in 0.1 seconds

The model branch is also safe to deploy as it doesn't expose any new interfaces or behaviour yet.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2018-10-12
Changed in launchpad:
status: Fix Committed → In Progress
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2018-10-19
tags: added: qa-ok
removed: qa-needstesting
tags: added: feature git lp-code
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2018-10-19
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2018-10-23
Changed in turnip:
status: New → Fix Committed
assignee: nobody → Tom Wardill (twom)
importance: Undecided → High
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2018-10-23
Changed in turnip:
status: Fix Committed → Fix Released
Launchpad QA Bot (lpqabot) wrote :
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2018-10-24
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Launchpad QA Bot (lpqabot) wrote :
Colin Watson (cjwatson) on 2018-11-10
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2018-12-04
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
description: updated
Colin Watson (cjwatson) on 2019-01-09
description: updated
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2019-01-10
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2019-01-10
Changed in launchpad:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers