Now that we have a fix in place for Gerrit's tag signature detection
regression, remove the unsafe permission for pushing unsigned tags
to return everything to the state we had prior to the 3.4 upgrade.
Change-Id: Ia9afb5fb4be311cca59d3e1cf3b7bc611184fe15
Upon upgrading from Gerrit 3.3 to 3.4, a regression was observed in
which jgit no longer returns signatures in its tag messages, causing
Gerrit to misidentify signed tags as unsigned (annotated) tags.
Because our ACLs only allow signed tags to be pushed, this
regression prevents Gerrit from accepting them now.
Temporarily grant permission to push unsigned tags to anyone who
has permission to push signed ones. We will revert that as soon as a
fixed Gerrit is in place, but in the meantime users will be warned
to take care when pushing tags so that they don't accidentally push
actually unsigned tags to Gerrit.
Also, the pushSignedTag keyword was deprecated in favor of the new
createSignedTag name, so go ahead and update to that while we're
doing this so that we can limit the amount of churn across all these
ACLs. Documentation will be corrected to recommend the new format in
a separate change, but update the ACL linter now to prevent the old
syntax from being used in new projects.
This workaround was already tested on opendev/bindep in the parent
Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793 change, and confirmed to
function as intended.
Change-Id: Ia426ea36b4e6877fdce5725ff1e00ae02c62e3f4
We're testing a potential workaround for a suspected regression in
Gerrit 3.4, where signed tags are rejected with the error "You need
'Create Tag' rights to push a normal tag." Temporarily grant this
for the opendev/bindep project, so we can see if it works around the
problem while we coordinate a fix with Gerrit upstream.
Change-Id: Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793
The pushSignedTag permission is deprecated, and has a new name:
createSignedTag. Update the opendev/bindep ACL accordingly, as we're
seeing a regression with the old name and would like to rule out
whether the new name has the same problem.
Change-Id: Ia95919bcfe71ce488096584c784fe7376f66f34a
This change adds a Review Priority label to all nova deliverables
currently under acl control in the project config repo.
The ability to set the new label is granted only to the core
and stable core teams for the updated repos.
Change-Id: I2fd7a6387d2f50eeeb8cef513df19b5696cce55b
In order to utilize Gerrit's project configuration inheritance
mechanism, we need to support the inheritFrom option. Allow it in
the whitelist for our ACL normalization script.
Change-Id: Id23b348bf42d322d5c97903ad82101ac1dc01c27
We now have the option to assign delete permissions to groups in
Gerrit, which would grant them the ability to delete branches
through the WebUI or API. Since this is a new setting, it was not
previously recognized by our linter. Extend it so that we won't
raise an error if this appears in an ACL.
Change-Id: I2b182d31e3ca5809a53aec851015341f2e67825d
The editHashtags key should be accepted as an ACL entry key as it's
required to define permissions to edit hashtags in the Gerrit UI.
Change-Id: I2294d72ee36e33ea5d137eb4e0faeac69ea86625
This patch updates the retired.config ACL to allow for the technical
committee to be able to push changes into the repositories which are
retired.
The ACLs allow tech-committee group members to set all labels onto
changes as well as allowing them exclusive rights to push (therefore not
allowing any other members) and giving them access to submit changes (in
order to skip our gating).
The goal is to eventually replace this group by another one once the
ACLs are verified to be working.
Change-Id: Ia6d516621ec405b02f3f97340d96d9938b605d8f
We have python scripts in the tools/ dir the vast majority of which we
run regularly with python3 via our python3 default basepython in tox.
However, most of these use a `python` shebang line which can be
confusing as to whether or not these scripts run under python3.
To make this clearer, set them to python3. I've confirmed the scripts
running under tox are happy with these changes. For the ones that don't
run under tox I've done a quick review and they look happy too.
Change-Id: I983d23c33f7780e5708aa728c829c3262fc99ea0
Define a release-approval pipeline to run the check-release-approval
job on every comment added to a release request, and set a
PTL-Approved label accordingly.
This may be considered a bit resource-intensive, however the
check-release-approval job is a fast python script that runs on
the executor, and only release requests shall go in this pipeline.
If this generates too much load, we could configure it to only run
when the comment posted contains a magic "signoff" keyword.
Another concern is that jobs other than check-release-approval would
be added to this pipeline. There does not seem to be a way in Zuul to
limit a pipeline to a specific job name or project.
Change-Id: Ieab04a4d6c02b216a59c12ec8599e7d91f4fffb1
This version of hacking doesn't understand f-strings as usable in
Python 3. Update to the latest and fix current issues, which are all
just formatting fixes.
Change-Id: I0a7d6f93f07477b6dd29ab143130dd9064c250be
The Octavia team would like to enable passive voting on patches
for backport candidates. This means that backport candidate votes
will not block a patch from merging, but will allow the team to
better track patches that should be backported.
Change-Id: Ib75714649848538e9fed171abd0b11f6fbc55503
This allows anyone in the group "designate-release-manager"
to set the priority of patches, and block non-freeze patches
during RC.
This allows for more precise dashboard than relying
on stars from PTLs, and allows the team to distinguish
between a procedural -2 and a release freeze -2.
Change-Id: Id7b4c6b219899fa7ed86554257264af7efe20408
Fix a "bug" in that the flake8 configuration in tox.ini was exclusively
selecting H231 as the only error it would report, so it was missing the
errors in the python modules (such as submit_log_processor_jobs). Due to
this being the case for a long time (since 2004) limit the more thorough
linting to the roles/ and playbooks/ directories where we'll be adding
ansible plugins/modules/etc. Also, lint in jenkins/script and nodepool.
Fix problems found.
We can lint everything with pep8 once the zuul v2 scripts are removed,
not worth patching them right now.
Change-Id: I479f010643cf3b67c183d763510f07a33400d38b
Co-Authored-By: Jesse Keating <omgjlk@us.ibm.com>
As per OpenStack licensing guidelines [1]:
[H102 H103] Newly contributed Source Code should be licensed under
the Apache 2.0 license.
[H104] Files with no code shouldn't contain any license header nor
comments, and must be left completely empty.
[1] http://docs.openstack.org/developer/hacking/#openstack-licensing
Change-Id: Iabfc781800f080b8235a2d812d16bdb3ee57067a
Add check for valid keys to find obvious typos in keys.
Fix the one error found in openstack.config.
Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
Whenever a project-specific ACL declares exclusiveGroupPermissions
on some permission, it can block other valid uses of that permission
which would otherwise be inherited from the All-Projects pseudoACL.
Make sure that Project Bootstrappers retains access to abandon,
-2..+2 on label-Code-Review and -1..+1 on label-Workflow. Also make
sure Change Owners can still abandon and add -1..0 on
label-Workflow, and that Registered Users can always -1..+1 on
label-Code-Review.
This change corrects existing ACLs to meet the above criteria, and
also introduces a normalization rule to prevent regression.
Change-Id: I2eecb7028bcab7d5d82ad4155a775a9b2daa441f
Gerrit ACLs can have multiple duplicate option keys in a section,
but completely duplicate lines (key and value together) have no use
so make sure they're collapsed into at most 1 copy.
Change-Id: I6bf43e860dcc8c3d7b2846d4e058b6c8ac7243eb
...only Project Bootstrappers.
Correct the ACL normalization script oversight which led to this
unfortunate mistake, and clean up the resulting mess.
Change-Id: I391ead734d0cd28277581d54f254718c3e36d4b0
Look for all keys that begin with 'refs/tags' rather than just the
string literal 'refs/tags/*' when removing unneeded create permissions
from tag access sections.
Change-Id: I6dc226065166038700ffd324d354e617596888cb
If the gerrit config normalizer comes across an unrecognized line, add
the bad line to the exception message for debugging.
Change-Id: I60e77a0b50718fb331bad0836ca769f685e6ce93
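As an added illustration (not the project's own tools/normalize_acl.py), the Python sketch below implements three of the normalizer behaviours the log entries above describe: collapsing completely duplicate key/value lines within a section, stripping unneeded create permissions from every access section whose name begins with refs/tags rather than only the literal refs/tags/*, and raising an error that carries the offending line when input is unrecognized. SAMPLE_ACL and its group names are constructed for the example.

```python
import re
# Constructed sample ACL in Gerrit project.config syntax; not any real project's ACL.
SAMPLE_ACL = """[access "refs/heads/*"]
abandon = group foo-core
abandon = group foo-core
label-Code-Review = -2..+2 group foo-core
[access "refs/tags/*"]
create = group foo-release
createSignedTag = group foo-release
"""
SECTION_RE = re.compile(r'^\[(\w+)(?: "([^"]*)")?\]$')
KEY_RE = re.compile(r'^([\w-]+)\s*=\s*(.+?)\s*$')

def parse_acl(text):
    """Return [(section, subsection, [(key, value), ...])] in file order.
    An unrecognized line raises ValueError carrying that line for debugging."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[2].append((m.group(1), m.group(2)))
            continue
        raise ValueError('unrecognized line %d: %r' % (lineno, raw))
    return sections

def normalize(sections):
    """Collapse exact duplicate lines and strip 'create' from refs/tags sections."""
    out = []
    for name, subsection, entries in sections:
        seen, kept = set(), []
        for key, value in entries:
            # Prefix match on refs/tags, not only the literal 'refs/tags/*';
            # a 'create' permission is treated as unneeded in any such section.
            if name == 'access' and (subsection or '').startswith('refs/tags') and key == 'create':
                continue
            # Same key with different values is legitimate; only an identical line is collapsed.
            if (key, value) in seen:
                continue
            seen.add((key, value))
            kept.append((key, value))
        out.append((name, subsection, kept))
    return out
```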
Enhance Gerrit ACL check to check that the files are properly
normalized.
Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
This is the result of running:
find modules/openstack_project/files/gerrit/acls/ -type f \
-name "*.config" -exec ./tools/normalize_acl.py {} 6 \;
Change-Id: I7aa27b859529b2bc8a990d6272334222996cbbc4
* tools/normalize_acl.py: Script which can perform one or more of a
list of normalizing transformations to an ACL file.
Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14