Only consider non-Gerrit refs when computing tag reachability

Historically, Gerrit was generous when computing tag reachability and
fed all refs into the computation. For Gerrit instances that have a lot
of changes, this is extremely expensive.

This commit changes that behavior and documents it. The motivation is
that every ref that Gerrit manages (changes, meta refs, etc.) is
Gerrit's domain and there is no use case for users to add tags.

For now, orphaned tags are still served to users who have READ on refs/*
and no block rules configured, but that might as well change in the
future.

Change-Id: I4820ea69fc4c90127a9a5615ae63fabb7dd32175
Patrick Hiesel
2019-01-16 08:38:19 +01:00
parent 4cf34d95de
commit a9c11a72be
3 changed files with 39 additions and 3 deletions

@@ -123,6 +123,13 @@ under `refs/heads/` and all tags under `refs/tags/`. In addition there
are a number of link:access-control.html#references_special[special refs]
and link:access-control.html#references_magic[magic refs].
Gerrit only supports tags that are reachable by any ref not owned by
Gerrit. This includes branches (refs/heads/*) or custom ref namespaces
(refs/my-company/*). Tagging a change ref is not supported.
When filtering tags by visibility, Gerrit performs a reachability check
and will present the user ony with tags that are reachable by any ref
they can see.
Access rights can be assigned on a concrete ref, e.g.
`refs/heads/master` but also on ref patterns and regular expressions
for ref names.
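
Review bot: The added sentence "will present the user ony with tags that are reachable by any ref they can see" has a typo; "ony" should be "only". In the first added paragraph, "any ref not owned by Gerrit" is never defined: the only Gerrit-owned example given is a change ref, while the commit message also names meta refs, so please list the Gerrit-managed namespaces here or link to the special refs section referenced just above. The commit message also says orphaned tags are still served to users who have READ on refs/* and no block rules configured; that exception affects what users actually see and should be documented next to the reachability rule, since it is otherwise invisible to admins reading this page. As a style point, `refs/heads/*` and `refs/my-company/*` in the added lines are not in backticks, unlike `refs/heads/master` a few lines below.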