Proposed new Ironic core structure

Ironic is considering a two-tier structure, separating permission to approve/workflow patches from the ability to core-review vote. The final state is intended to be: - All existing active ironic-cores go into ironic-approvers - ironic-approvers goes into ironic-reviewers - anyone approved later can get added to ironic-reviewers In terms of permissions, the desired state is: - ironic-approvers are the only team that can approve patches for landing - ironic-reviewers are allowed to core review and do most other core activities except the final workflow to land code As a transition, I'm leaving the ironic-core group in the ACLs. Once the new group is created, populated, and working, we can rename the old one to reflect its disuse. I've also, as a result of auditing the core groups for other Ironic projects and seeing some of them out of date, am unifying more ironic-related projects into the same ACL configuration. The now disused old core groups for those projects will also be renamed to reflect their disuse when completed. Change-Id: I7fea059274ffd8635e426e82882a3076527464eb
2024-10-09 14:12:27 -07:00 · 2024-10-09 14:12:27 -07:00 · dd6c0bcd91
commit dd6c0bcd91
parent ca58782737
12 changed files with 26 additions and 211 deletions
--- a/gerrit/acls/openstack/ironic-inspector.config
+++ b/gerrit/acls/openstack/ironic-inspector.config
@ -1,57 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group ironic-inspector-core
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group ironic-core
 	label-Code-Review = -2..+2 group ironic-inspector-core
 	label-Workflow = -1..+1 group ironic-core
 	label-Workflow = -1..+1 group ironic-inspector-core
 	toggleWipState = group ironic-core
 	toggleWipState = group ironic-inspector-core
 [access "refs/heads/bugfix/*"]
 	abandon = group Change Owner
 	abandon = group Project Bootstrappers
 	abandon = group ironic-stable-maint
 	abandon = group stable-maint-core
 	delete = group ironic-release
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-stable-maint
 	label-Code-Review = -2..+2 group stable-maint-core
 	label-Code-Review = -1..+1 group Registered Users
 	label-Workflow = -1..+0 group Change Owner
 	label-Workflow = -1..+1 group Project Bootstrappers
 	label-Workflow = -1..+1 group ironic-stable-maint
 	label-Workflow = -1..+1 group stable-maint-core
 	toggleWipState = group ironic-stable-maint
 	toggleWipState = group stable-maint-core
 [access "refs/heads/stable/*"]
 	abandon = group Change Owner
 	abandon = group Project Bootstrappers
 	abandon = group ironic-stable-maint
 	abandon = group stable-maint-core
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-stable-maint
 	label-Code-Review = -2..+2 group stable-maint-core
 	label-Code-Review = -1..+1 group Registered Users
 	label-Workflow = -1..+0 group Change Owner
 	label-Workflow = -1..+1 group Project Bootstrappers
 	label-Workflow = -1..+1 group ironic-stable-maint
 	label-Workflow = -1..+1 group stable-maint-core
 	toggleWipState = group ironic-stable-maint
 	toggleWipState = group stable-maint-core
 [access "refs/tags/*"]
 	createSignedTag = group ironic-release
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/ironic-specs.config
+++ b/gerrit/acls/openstack/ironic-specs.config
@ -1,16 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group ironic-specs-core
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group ironic-specs-core
 	label-Workflow = -1..+1 group ironic-specs-core
 	toggleWipState = group ironic-specs-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/ironic-ui.config
+++ b/gerrit/acls/openstack/ironic-ui.config
@ -1,19 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group ironic-ui-core
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group ironic-core
 	label-Code-Review = -2..+2 group ironic-ui-core
 	label-Workflow = -1..+1 group ironic-core
 	label-Workflow = -1..+1 group ironic-ui-core
 	toggleWipState = group ironic-core
 	toggleWipState = group ironic-ui-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/ironic.config
+++ b/gerrit/acls/openstack/ironic.config
@ -2,38 +2,49 @@
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group ironic-approvers
 	abandon = group ironic-core
 	editHashtags = group Registered Users
 	label-Backport-Candidate = -1..+1 group ironic-core
 	label-Backport-Candidate = -1..+1 group ironic-reviewers
 	label-Code-Review = -2..+2 group ironic-core
 	label-Code-Review = -2..+2 group ironic-reviewers
 	label-Workflow = -1..+1 group ironic-approvers
 	label-Workflow = -1..+1 group ironic-core
 	toggleWipState = group ironic-core
 	toggleWipState = group ironic-reviewers
 [access "refs/heads/bugfix/*"]
 	abandon = group Change Owner
 	abandon = group Project Bootstrappers
 	abandon = group ironic-approvers
 	abandon = group ironic-stable-maint
 	abandon = group stable-maint-core
 	delete = group ironic-release
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-reviewers
 	label-Code-Review = -2..+2 group ironic-stable-maint
 	label-Code-Review = -2..+2 group stable-maint-core
 	label-Code-Review = -1..+1 group Registered Users
 	label-Workflow = -1..+0 group Change Owner
 	label-Workflow = -1..+1 group Project Bootstrappers
 	label-Workflow = -1..+1 group ironic-approvers
 	label-Workflow = -1..+1 group ironic-stable-maint
 	label-Workflow = -1..+1 group stable-maint-core
 	toggleWipState = group ironic-reviewers
 	toggleWipState = group ironic-stable-maint
 	toggleWipState = group stable-maint-core
 [access "refs/heads/stable/*"]
 	abandon = group Change Owner
 	abandon = group Project Bootstrappers
 	abandon = group ironic-approvers
 	abandon = group ironic-stable-maint
 	abandon = group stable-maint-core
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-reviewers
 	label-Code-Review = -2..+2 group ironic-stable-maint
 	label-Code-Review = -2..+2 group stable-maint-core
 	label-Code-Review = -1..+1 group Registered Users
@ -51,10 +62,12 @@
 	abandon = group ironic-unmaintained-core
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-reviewers
 	label-Code-Review = -2..+2 group ironic-unmaintained-core
 	label-Code-Review = -1..+1 group Registered Users
 	label-Workflow = -1..+0 group Change Owner
 	label-Workflow = -1..+1 group Project Bootstrappers
 	label-Workflow = -1..+1 group ironic-approvers
 	label-Workflow = -1..+1 group ironic-unmaintained-core
 [access "refs/tags/*"]
--- a/gerrit/acls/openstack/metalsmith.config
+++ b/gerrit/acls/openstack/metalsmith.config
@ -1,15 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group metalsmith-core
 	editHashtags = group metalsmith-core
 	label-Code-Review = -2..+2 group metalsmith-core
 	label-Workflow = -1..+1 group metalsmith-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/networking-generic-switch.config
+++ b/gerrit/acls/openstack/networking-generic-switch.config
@ -1,34 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group ironic-core
 	abandon = group networking-generic-switch-core
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group ironic-core
 	label-Code-Review = -2..+2 group networking-generic-switch-core
 	label-Workflow = -1..+1 group ironic-core
 	label-Workflow = -1..+1 group networking-generic-switch-core
 [access "refs/heads/stable/*"]
 	abandon = group Change Owner
 	abandon = group Project Bootstrappers
 	abandon = group ironic-stable-maint
 	abandon = group stable-maint-core
 	editHashtags = group ironic-core
 	exclusiveGroupPermissions = abandon label-Code-Review label-Workflow
 	label-Code-Review = -2..+2 group Project Bootstrappers
 	label-Code-Review = -2..+2 group ironic-stable-maint
 	label-Code-Review = -2..+2 group stable-maint-core
 	label-Code-Review = -1..+1 group Registered Users
 	label-Workflow = -1..+0 group Change Owner
 	label-Workflow = -1..+1 group Project Bootstrappers
 	label-Workflow = -1..+1 group ironic-stable-maint
 	label-Workflow = -1..+1 group stable-maint-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/sushy-oem-idrac.config
+++ b/gerrit/acls/openstack/sushy-oem-idrac.config
@ -1,21 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group sushy-oem-idrac-core
 	create = group sushy-oem-idrac-release
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group sushy-oem-idrac-core
 	label-Verified = -1..+1 group sushy-oem-idrac-ci
 	label-Workflow = -1..+1 group sushy-oem-idrac-core
 	toggleWipState = group sushy-oem-idrac-core
 [access "refs/tags/*"]
 	createSignedTag = group sushy-oem-idrac-release
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/sushy.config
+++ b/gerrit/acls/openstack/sushy.config
@ -1,16 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group sushy-core
 	editHashtags = group Registered Users
 	label-Code-Review = -2..+2 group sushy-core
 	label-Workflow = -1..+1 group sushy-core
 	toggleWipState = group sushy-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/virtualbmc.config
+++ b/gerrit/acls/openstack/virtualbmc.config
@ -1,15 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group virtualbmc-core
 	editHashtags = group virtualbmc-core
 	label-Code-Review = -2..+2 group virtualbmc-core
 	label-Workflow = -1..+1 group virtualbmc-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/acls/openstack/virtualpdu.config
+++ b/gerrit/acls/openstack/virtualpdu.config
@ -1,15 +0,0 @@
 [access]
 	inheritFrom = openstack/meta-config
 [access "refs/heads/*"]
 	abandon = group virtualpdu-core
 	editHashtags = group virtualpdu-core
 	label-Code-Review = -2..+2 group virtualpdu-core
 	label-Workflow = -1..+1 group virtualpdu-core
 [receive]
 	requireChangeId = true
 	requireContributorAgreement = true
 [submit]
 	mergeContent = true
--- a/gerrit/projects.yaml
+++ b/gerrit/projects.yaml
@ -3801,9 +3801,10 @@
  description: Hardware introspection daemon for OpenStack Ironic
  options:
    - translate
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/ironic-inspector-specs
  description: Specs for ironic-inspector
-  acl-config: /home/gerrit2/acls/openstack/ironic-inspector.config
+  acl-config: /home/gerrit2/acls/openstack/ironic.config
  groups:
    - ironic-inspector
 - project: openstack/ironic-lib
@ -3823,6 +3824,7 @@
  groups:
    - ironic
  description: OpenStack Baremetal (Ironic) Specifications
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/ironic-tempest-plugin
  description: Tempest plugin for ironic
  acl-config: /home/gerrit2/acls/openstack/ironic.config
@ -3833,6 +3835,7 @@
    metal.
  options:
    - translate
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/ironic-webclient
  description: RETIRED, Ironic HTTP(S) Client
  acl-config: /home/gerrit2/acls/openstack/retired.config
@ -3998,6 +4001,7 @@
  description: Empty project providing a base ACL for inheriting
 - project: openstack/metalsmith
  description: Simple deployment and scheduling tool for bare metal
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/microversion-parse
  description: Simple library for parsing OpenStack microversion headers.
 - project: openstack/mistral
@ -4178,6 +4182,7 @@
  acl-config: /home/gerrit2/acls/openstack/retired.config
 - project: openstack/networking-generic-switch
  description: Multi-vendor Modular Layer 2 (ML2) driver.
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/networking-generic-switch-tempest-plugin
  description: RETIRED, Tempest plugin for networking-generic-switch
  acl-config: /home/gerrit2/acls/openstack/retired.config
@ -5259,7 +5264,7 @@
  acl-config: /home/gerrit2/acls/openstack/heat.config
 - project: openstack/python-ironic-inspector-client
  description: A python client and OpenStackClient plugin for Ironic Inspector
-  acl-config: /home/gerrit2/acls/openstack/ironic-inspector.config
+  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/python-ironicclient
  description: A python client implementing the Ironic API.
  acl-config: /home/gerrit2/acls/openstack/ironic.config
@ -5640,6 +5645,7 @@
 - project: openstack/sushy
  description: Sushy is a small Python library to communicate with Redfish based
    systems
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/sushy-cli
  description: RETIRED, Redfish CLI client built on top of sushy library to talk
    to Redfish BMC from command line. Mostly intended for developers and testers.
@ -5649,9 +5655,10 @@
    - sushy
  description: An extension to sushy package supporting Redfish features that are
    specific to Dell EMC BMC (which is known under the name of iDRAC).
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/sushy-tools
  description: A set of tools to support the development and test of the Sushy library
-  acl-config: /home/gerrit2/acls/openstack/sushy.config
+  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/swift
  description: OpenStack Storage (Swift)
  options:
@ -5873,8 +5880,10 @@
  acl-config: /home/gerrit2/acls/openstack/venus.config
 - project: openstack/virtualbmc
  description: A virtual BMC for controlling virtual machines using IPMI commands.
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/virtualpdu
  description: VirtualPDU is a service for simulating power distribution units (PDUs).
  acl-config: /home/gerrit2/acls/openstack/ironic.config
 - project: openstack/vitrage
  description: OpenStack RCA (Root Cause Analysis) Engine
  use-storyboard: true
--- a/tools/normalize_acl.py
+++ b/tools/normalize_acl.py
@ -299,6 +299,7 @@ if '7' in transformations:
        'milestone',
        'packagers',
        'release',
        'reviewers',
        'Users',
    )
    for section in acl.keys():