Add an empty project for an OpenStack base ACL

Presently, the OpenStack release managers have special access
granted over every project in OpenDev's Gerrit due to historical
entries in the All-Projects ACL. These permissions allow creation of
branches, pushing tags and abandoning open changes, and they would
like to add deletion of branches to the mix. It would be ideal, both
for safety and correctness, to only have those permissions apply to
projects in the "openstack/" namespace, and this could be
accomplished with Gerrit's ACL inheritance feature.

Create a new empty repository which serves only as a reference to a
Gerrit ACL, for future use as an inherited base ACL in official
OpenStack projects. It is intentional that this repository lacks
typical change approval rights, an entry in the Zuul config, and so
on, as it should never receive proposed changes nor need to test and
merge them. When copying in the Release Managers group permissions,
replace pushTag with the stricter pushSignedTag since we expect all
tags to be signed (Zuul would ignore unsigned tag events anyway).

Change-Id: Ifb7ef3870b2c2d876a3dbe21a4ad7a930f09ee5c
This commit is contained in:
Jeremy Stanley 2021-03-24 17:36:43 +00:00
parent 4286aa0276
commit b89296fee2
2 changed files with 14 additions and 0 deletions


@ -0,0 +1,12 @@
[access "refs/*"]
abandon = group Release Managers
create = group Release Managers
delete = group Release Managers
pushSignedTag = group Release Managers
[receive]
requireChangeId = true
requireContributorAgreement = true
[submit]
mergeContent = true
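
Review bot: `delete = group Release Managers` under `[access "refs/*"]` applies to every ref that pattern matches, tags included, while the commit message only asks for deletion of branches. Consider moving `create` and `delete` into an `[access "refs/heads/*"]` section and `pushSignedTag` into `[access "refs/tags/*"]`, so that projects inheriting this ACL do not also hand the group deletion of signed release tags. If the wide `refs/*` scope is deliberate because it mirrors the existing All-Projects entries, say so in the commit message.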


@ -3529,6 +3529,8 @@
- masakari
description: Design Specifications for Masakari
acl-config: /home/gerrit2/acls/openstack/masakari.config
- project: openstack/meta-config
description: Empty project providing a base ACL for inheriting
- project: openstack/metalsmith
description: Simple deployment and scheduling tool for bare metal
use-storyboard: true
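
Review bot: the new `- project: openstack/meta-config` entry has no `acl-config` line, whereas the entry directly above it sets one explicitly. Please confirm that the ACL file added in this commit sits at the path used by default for this project name, or add an explicit `acl-config` key; otherwise the repository would be created without the Release Managers permissions it exists to carry. It would also help to extend the description to say the project is never meant to receive changes, since the missing approval rights and Zuul entry are otherwise only explained in the commit message.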