opendev/gerrit
Code Issues Proposed changes

Rename 'Push Annotated/Signed Tag' permission to 'Create Annotated/Signed Tag'

Browse Source 
Each tag type requires a special permission for the tag creation:
- Lightweight tags require 'Create Reference'
- Annontated tags require 'Push Annotated Tag'
- Signed tags require 'Push Signed Tag'

This naming is inconsistent and may be confusing. E.g. whether tags
can be updated is controlled by the 'Push' permission on 'refs/tags/*'
and not by the 'Push Annotated/Signed Tag' permission, as some users
might expect.

This change includes a schema migration that renames the permissions
for creating annotated/signed tags.

Permission rules in project.config that use the old names are still
respected. They are automatically converted when the project config is
saved the next time. This is needed so that multi-master sites can do
a multi-step-migration:

1. First upgrade all hosts to the new binary:
   Projects may still contain permissions with the old names,
   new permissions are saved with the new names.
2. Run a background job on all hosts that migrates the permissions for
   all projects to the new names:
   Projects do not contain permissions with the old names,
   new permissions are saved with the new names.
3. Upgrade all hosts to a binary that doesn't respect the old names
   anymore.

The migration for schema 130 is rewritten because ProjectConfig no
longer allows to change the force flag for 'pushTag' without
converting it to 'createTag'.

Change-Id: I839be24f82a908b5184f15e746f3588a0d397b7e
Signed-off-by: Edwin Kempin <ekempin@google.com>
This commit is contained in:
Edwin Kempin
2016-09-05 14:32:38 +02:00
committed by David Pursehouse
parent 5554c61ca9
commit 62c156857e
17 changed files with 241 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
gerrit-server/src/main/java/com/google/gerrit/server/project/CreateTag.java
View File

@@ -116,7 +116,7 @@ public class CreateTag implements RestModifyView<ProjectResource, TagInput> {
if (isSigned) {
throw new MethodNotAllowedException(
"Cannot create signed tag \"" + ref + "\"");
} else if (isAnnotated && !refControl.canPerform(Permission.PUSH_TAG)) {
} else if (isAnnotated && !refControl.canPerform(Permission.CREATE_TAG)) {
throw new AuthException("Cannot create annotated tag \"" + ref + "\"");
} else if (!refControl.canPerform(Permission.CREATE)) {
throw new AuthException("Cannot create tag \"" + ref + "\"");