opendev/jeepyb
Code Issues Proposed changes

Don't create new groups for system ones

Browse Source 
A Gerrit bug[1] allowed manage_projects to create a Gerrit
internal group with the same name as a system group
('Registered Users').  This happened after upgrading to
Gerrit 2.11 because there are existing projects with 'Registered
Users' in acls config files.  Even though Gerrit shouldn't allow
creation of a group with the same name as a system group,
manage_projects shouldn't even attempt to do it.

This change prevents manage_projecsts from creating
groups with the same name as Gerrit system groups.  It
will also add correct entries to group files for system groups.
Below is the group file entries that Gerrit expects for
system groups:

global:Anonymous-Users                  	Anonymous Users
global:Change-Owner                     	Change Owner
global:Project-Owners                   	Project Owners
global:Registered-Users                 	Registered Users

For backward compatibility, the existing group UUID will be returned
if one is found in the database.

[1] https://code.google.com/p/gerrit/issues/detail?id=3831

Change-Id: I17d6e1a5553f98ff910480d41a2ac7b3a2522809
This commit is contained in:
Mathieu Gagné
2015-11-19 21:16:13 -05:00
committed by Khai Do
parent a2d4e2f92f
commit 0adaee5977
1 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
jeepyb/cmd/manage_projects.py
View File

@@ -71,6 +71,16 @@ registry = u.ProjectsRegistry()
log = logging.getLogger("manage_projects")
# Gerrit system groups as defined:
# https://review.openstack.org/Documentation/access-control.html#system_groups
# Need to set Gerrit system group's uuid to the format it expects.
GERRIT_SYSTEM_GROUPS = {
'Anonymous Users': 'global:Anonymous-Users',
'Project Owners': 'global:Project-Owners',
'Registered Users': 'global:Registered-Users',
'Change Owner': 'global:Change-Owner',
}
class FetchConfigException(Exception):
pass
@@ -202,7 +212,16 @@ def push_acl_config(project, remote_url, repo_path, gitid, env=None):
def _get_group_uuid(group):
"""Wait for up to 10 seconds for the group to be created in the DB."""
"""
Gerrit keeps internal user groups in the DB while it keeps systems
groups in All-Projects groups file (in refs/meta/config). This
will only get the UUIDs for internal user groups.
Note: 'Administrators', 'Non-Interactive Users' and all other custom
groups in Gerrit are defined as internal user groups.
Wait for up to 10 seconds for the group to be created in the DB.
"""
query = "SELECT group_uuid FROM account_groups WHERE name = %s"
con = jeepyb.gerritdb.connect()
for x in range(10):
@@ -221,6 +240,8 @@ def get_group_uuid(gerrit, group):
uuid = _get_group_uuid(group)
if uuid:
return uuid
if group in GERRIT_SYSTEM_GROUPS:
return GERRIT_SYSTEM_GROUPS[group]
gerrit.createGroup(group)
uuid = _get_group_uuid(group)
if uuid:
@@ -549,9 +570,10 @@ def main():
GERRIT_KEY = registry.get_defaults('gerrit-key')
GERRIT_GITID = registry.get_defaults('gerrit-committer')
GERRIT_REPLICATE = registry.get_defaults('gerrit-replicate', True)
GERRIT_SYSTEM_USER = registry.get_defaults('gerrit-system-user', 'gerrit2')
GERRIT_SYSTEM_GROUP = registry.get_defaults('gerrit-system-group',
'gerrit2')
GERRIT_OS_SYSTEM_USER = registry.get_defaults('gerrit-system-user',
'gerrit2')
GERRIT_OS_SYSTEM_GROUP = registry.get_defaults('gerrit-system-group',
'gerrit2')
DEFAULT_HOMEPAGE = registry.get_defaults('homepage')
DEFAULT_HAS_ISSUES = registry.get_defaults('has-issues', False)
DEFAULT_HAS_DOWNLOADS = registry.get_defaults('has-downloads', False)
@@ -610,7 +632,7 @@ def main():
# Create the repo for the local git mirror
create_local_mirror(
LOCAL_GIT_DIR, project_git,
GERRIT_SYSTEM_USER, GERRIT_SYSTEM_GROUP)
GERRIT_OS_SYSTEM_USER, GERRIT_OS_SYSTEM_GROUP)
if not os.path.exists(repo_path) or project_created:
# We don't have a local copy already, get one