Groups have similar names in LP and gerrit but are no longer synced

Bug #1160277 reported by Thierry Carrez on 2013-03-26
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Core Infrastructure
Fix Released
Medium
Thierry Carrez

Bug Description

Some groups (-core, -drivers...) are now maintained in gerrit, but their membership is not synced to Launchpad.

If the groups are similar they should be synced. If the groups are different they should be named differently. If a group is useless it should be removed.

*-core, openstack-*-maint:
Those groups are used for review permissions, as well as for bug subscription (mostly around security bugs). Solution (1) is to sync from Gerrit to LP, solution (2) is to remove the groups from LP completely.

*-drivers:
Those groups are used for project management in launchpad, as well as some review permissions in gerrit. Solution (1) is to sync from gerrit to LP, solution (2) is to have two separate groups: *-drivers used in LP and *-??? used in Gerrit. Those could have slightly different membership since they cover two different sets of permissions.

openstack-admins:
This group is the owner of all things in LP. Don't know what it's used for in Gerrit. I'd suggest removing it from gerrit if it's not used there... If it is, solution (1) is to sync from Gerrit to LP, solution (2) is to have separate groups (openstack-lp-janitors in LP, openstack-admins in Gerrit)

openstack-release:
Used in LP to add "release managers" to all drivers teams, not sure what it's used for in gerrit (which has "release managers" as a separate group). Action tbd

Thierry Carrez (ttx) on 2013-03-26
summary: - Need sync (or separation) for -drivers groups
+ Groups have similar names in LP and gerrit but are no longer synced
Jeremy Stanley (fungi) wrote :

We had an outstanding action item from a couple infra meetings ago to rename *-drivers to *-milestone, and create new *-ptl groups with tag push access. I was going to start looking into that today, though it's going to require a coordinated ACL config change and database update query across all projects, so will interrupt code review at least briefly and will likely need to be announced/scheduled.

As for the openstack-*-maint groups for diablo and essex, I have just created those in Gerrit per bug 1160269.

Jeremy Stanley (fungi) wrote :

As an update, the .*-drivers groups in Gerrit have all been renamed now and documentation modified accordingly, so this should address some of the confusion. https://review.openstack.org/25423

Jeremy Stanley (fungi) wrote :

And yesterday we merged https://review.openstack.org/25806 to adjust Gerrit ACLs for official OpenStack projects to limit client tagging responsibility to their corresponding .*-ptl groups.

Changed in openstack-ci:
assignee: nobody → Jeremy Stanley (fungi)
status: New → In Progress
importance: Undecided → Medium
Jeremy Stanley (fungi) wrote :

I still need to update the project group management wiki article with details on the .*-ptl groups.

Do we still want to remove *-core and openstack-*-maint from LP? I may not have the necessary account permissions to do this.

Do we still want to remove openstack-admins and openstack-release from Gerrit? If so, I'll go ahead and take care of it.

Thierry Carrez (ttx) wrote :

> Do we still want to remove *-core and openstack-*-maint from LP? I may not have the necessary
> account permissions to do this.

At the very minimum they should be renamed *-securitycontacts in LP to avoid confusion.

> Do we still want to remove openstack-admins and openstack-release from Gerrit? If so, I'll go ahead and take care of it.

If they are not used withing gerrit for rights, yes they should be removed.

Jeremy Stanley (fungi) wrote :

It looks like the openstack-diablo-maint team is owned by Dave Walker and so OpenStack Administrators will be unable to delete it.

The openstack-essex-maint and official *-core teams seem to be owned by OpenStack Administrators and thus should be deletable/renamable (just not by me).

The openstack-admins group in Gerrit is still used in the ACL for the openstack-planet project, so we need to decide if this should be switched to a more appropriate group of maintainers: https://review.openstack.org/#/admin/projects/openstack/openstack-planet,access

And the openstack-release group in Gerrit is still used in the global All-Projects ACL: https://review.openstack.org/#/admin/projects/All-Projects,access Did we want that switched to use the Release Team group there instead (in which case I should duplicate the current openstack-release members into it too)?

James E. Blair (corvus) wrote :

Let's create a planet-core group and ACL for planet.

Your plan for the release team sounds good.

Jeremy Stanley (fungi) wrote :

I have shored up the Release Managers group membership to contain all accounts represented in the old openstack-release group, added the former to the All-Projects ACL, removed and cleared the latter. I also have a corresponding documentation update up for review ( https://review.openstack.org/34462 ).

I've proposed a change to use the openstack-planet-core group in place of the old openstack-admins group ( https://review.openstack.org/34452 ) and will clear the old one similarly once that merges and manage-projects runs to update the ACL. The openstack-planet-core group already exists and has mostly the same members, but was not being used in any ACL.

Stefano Maffulli (smaffulli) wrote :

I don't think we need this team https://launchpad.net/~openstack-planet-core/+members anymore, we can send it to the digital dustbin

Jeremy Stanley (fungi) wrote :

Gerrit cleanup is complete. We still need a member of OpenStack Administrators to delete:

    https://launchpad.net/~openstack-planet-core
    https://launchpad.net/~openstack-essex-maint

And we need Dave Walker to delete:

    https://launchpad.net/~openstack-diablo-maint

James E. Blair (corvus) on 2013-07-30
Changed in openstack-ci:
assignee: Jeremy Stanley (fungi) → Thierry Carrez (ttx)
Thierry Carrez (ttx) wrote :

I removed ~openstack-planet-core.

For openstack-{essex,diablo}-maint, they have a mailing-list associated, which causes removal pain. We may actually use that ML to post bitrot job fails, please doublecheck before we can proceed with ML removal. Then the groups themselves can be removed, as they contain only one member (Daviey).

CCed Daviey to get his opinion on this.

Mark McLoughlin (markmc) wrote :

bug #1217097 is about confusion surrounding glance-core in launchpad not being the same thing as glance-core in gerrit

Thierry Carrez (ttx) wrote :

The only use for PROJECT-core those days is as group ACL to access security bugs. We should replace them with PROJECT-coresec which would be a subset of core members interested in helping in security bugs. That way we keep the benefit and remove the confusion.

Mark McLoughlin (markmc) wrote :

Sounds good

Thierry Carrez (ttx) wrote :

Teams with active PPAs with packages published and may not be renamed... so I need to go through all -core teams and clean up their PPAs first. Sigh

Thierry Carrez (ttx) wrote :

Posted the plan to openstack-dev, will proceed in a couple of days if nobody objects.

Thierry Carrez (ttx) wrote :

All core groups migrated to coresec so there is no duplication about that.
Will open a separate bug for the last duplicated group: openstack-stable-maint

Changed in openstack-ci:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote :

Actually openstack-stable-maint could just be removed, so we are done

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers