Ironic is considering a two-tier structure, separating permission to
approve/workflow patches from the ability to core-review vote.
The final state is intended to be:
- All existing active ironic-cores go into ironic-approvers
- ironic-approvers goes into ironic-reviewers
- anyone approved later can get added to ironic-reviewers
In terms of permissions, the desired state is:
- ironic-approvers are the only team that can approve patches for
landing
- ironic-reviewers are allowed to core review and do most other core
activities except the final workflow to land code
As a transition, I'm leaving the ironic-core group in the ACLs. Once
the new group is created, populated, and working, we can rename the
old one to reflect its disuse.
I've also, as a result of auditing the core groups for other Ironic
projects and seeing some of them out of date, been unifying more
ironic-related projects into the same ACL configuration. The now
disused old core groups for those projects will also be renamed to
reflect their disuse when completed.
Change-Id: I7fea059274ffd8635e426e82882a3076527464eb
Create a gerrit group to handle branches in Unmaintained status
across all projects, as described in TC resolution 2023-11-14,
which is commit 90982cd in the governance repository.
Also adjust the acl file normalization tool so that it will guarantee
that the Release Managers group has 'abandon' permission on
Unmaintained branches if any project chooses to override the global
openstack-unmaintained-core group with a project-specific unmaintained
core team (as is allowed by TC resolution 2023-11-14). This entails
a change in that script to require the acl file's namespace be passed
in so that the check doesn't affect non-OpenStack OpenInfra projects.
Change-Id: Ife8e5f175cb8a7d396dfe2a5d52fd6d524ae0b43
A recent change slipped through without the necessary "group"
keyword in some new ACL entries, resulting in a deployment failure
when Gerrit refused the push from manage-projects. Add a list of
options which need the "group" keyword so we catch this during
review in the future.
Change-Id: Ibf07cd63c3eea939728df4bd518681843f51bd37
A previous change added indentation of Gerrit ACL options hard-coded
into the normalization script. Make that rule selectable instead,
like the prior transformations.
Change-Id: I57d33e2d3f55712f9ed46d740480a4ab6476d8bc
The Gerrit ACL normalization script has an "all" transformation
which reports all transformation results to the screen. Add a
similar "apply" shortcut to directly transform the file being
operated on in a non-dry-run fashion.
Change-Id: I73a07a3542ca26ddfcf01eab1d7be11cec70da85
Currently if your ACL fails the normalization pass you get a diff, but
no explanation of what that diff represents.
This is an attempt to make the situation better without having to
undertake some sort of major rewrite of the transformer. We move the
current in-code comments into human-actionable strings, and add a
"-help" argument that prints this out. If we have normalization
failures, we add a step to the driver script to print this string out.
This will appear in the job output and hopefully be easily seen when
scrolling the logs.
Change-Id: Ib07a10a25f35875afad21f77f545dc1cc207cecd
Gerrit very much wants its ACLs to indent option lines (but not
section headings) by a single hard tab.
The recent migration to schema 185 with Gerrit 3.7 has updated
copyConditions flags and re-written most of the ACL files to look like
this (c.f. I1f11c07e3786bd1a68b43d908d939fde42ddb99c).
This updates the normalize tool to format like this, and modifies all
our ACLs to the new format.
This is intended to be a no-op with no functional change. For future
upgrades, this will reduce the diffs of any updates Gerrit might make.
Change-Id: I3a0c0da1eb32f8afb31ffa0c24ea45aaca8da8cc
A recent change to the openstack/releases ACLs pointed out that we don't
require function to be set on Gerrit label definitions. This would
result in the Gerrit default of MaxWithBlock which will interfere with
submit requirements.
Enforce that function is set and that the value is NoBlock via our
normalize script. This will add function = NoBlock entries to the file
if not set which results in a diff causing the test to fail.
In order to do this I refactored the submit-requirements and function
checking of the normalize script a bit. We now check the label section
independently of all other sections which allows us to reduce repetition
when dealing with label sections.
Change-Id: I9e83c1cde3fe20ea2c34cdf86cd2fd3006bfe62a
We got caught out with this in All-Projects; let's just make sure we
keep capital booleans everywhere for consistency.
Change-Id: I7a1e528c620c07ecbb2def3d743ab4bba46a20df
This ensures that labels only use "function = NoBlock" and that every
label has a corresponding submit-requirement section.
We don't really have unit tests for this, but the first check actually
found some missed functions in
I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the
second by removing some submit-requirements, and it correctly failed.
Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
For things like submit-requirements, we have fields like submittableIf
which take a query string that may have "=" on the LHS. Change the
key/value split so that it only takes the key up to the first "=".
Change-Id: Iada801bd1c38dd1e0502bebefd6a1421c746c90a
The copy conditions here have been replaced by the "copyCondition"
query tag. This updates the deprecated values to a new query which
does the same thing -- i.e. this should be a noop.
Mostly these are setup to have votes on labels that should be copied
on a no code change/trivial rebase, and if they're -2/+2 (i.e. max
votes are sticky). To be exact the group of
copyallScoresIfNoCodeChange = true
copyAllScoresOnTrivialRebase = true
copyMaxScore = true
copyMinScore = true
becomes
changekind:NO_CODE_CHANGE or changekind:TRIVIAL_REBASE \
or is:MAX or is:MIN
Note all but octavia.config, octavia-dashboard, octavia-lib, and
python-octaviaclient are copying -2/+2 votes; I feel like this is
probably a bug but I have modified these 4 projects to maintain the
same behaviour of not copying the votes.
A small number of projects copy any vote; glance.config,
kayobe.config, kolla.config, nova-specs.config, nova.config,
os-vif.config, placement.config, python-novaclient.config -- they are
replaced with is:ANY.
The old conditions have been deprecated since gerrit 3.5 [1].
Although the old conditions have not been removed yet, this will help
as we think about also changing these to submission requirements for
Gerrit 3.7.
[1] https://gerrit.googlesource.com/gerrit/+/c429ff33d944272b1f4da9f84f904f6403919ea3
Change-Id: Id13fdf588d07c1fec73978e7a69f1d9097989696
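The transformations described in this and the preceding messages, as an added example that is not the project's own normalize_acl.py: it splits option keys only at the first "=", forces function = NoBlock, folds the four deprecated copy* flags into a single copyCondition query in the order given above, indents options with a hard tab, and reports labels lacking a submit-requirement section. The sample ACL and the function names are constructed for illustration.

```python
# Constructed sample label sections in the pre-copyCondition style this log describes.
SAMPLE_ACL = """\
[label "Code-Review"]
value = -2 Do not submit
copyAllScoresIfNoCodeChange = true
copyAllScoresOnTrivialRebase = true
copyMaxScore = true
copyMinScore = true
[label "Workflow"]
function = MaxWithBlock
copyMinScore = true
[submit-requirement "Code-Review"]
submittableIf = label:Code-Review=MAX AND -label:Code-Review=MIN
"""
# Deprecated copy* flags and the copyCondition query term each one becomes.
COPY_FLAGS = {"copyAllScoresIfNoCodeChange": "changekind:NO_CODE_CHANGE",
              "copyAllScoresOnTrivialRebase": "changekind:TRIVIAL_REBASE",
              "copyMaxScore": "is:MAX", "copyMinScore": "is:MIN"}

def parse_acl(text):
    sections = []  # [(section header, [(key, value), ...]), ...] in file order
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("["):
            sections.append((line, []))
        else:  # split at the FIRST "=" only: submittableIf queries contain "="
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def normalize_label(options):
    # Fold copy* flags set to true into one copyCondition; force function = NoBlock.
    on = {k for k, v in options if v.lower() == "true"}
    terms = [q for flag, q in COPY_FLAGS.items() if flag in on]
    kept = [(k, v) for k, v in options if k not in COPY_FLAGS and k != "function"]
    if terms and all(k != "copyCondition" for k, _ in kept):
        kept.append(("copyCondition", " or ".join(terms)))
    return [("function", "NoBlock")] + kept

def normalize(text):
    """Rewrite an ACL; also report labels lacking a submit-requirement section."""
    labels, reqs, out = set(), set(), []
    for header, options in parse_acl(text):
        kind, _, name = header[1:-1].partition(" ")  # e.g. label "Code-Review"
        if kind == "label":
            labels.add(name.strip('"'))
            options = normalize_label(options)
        elif kind == "submit-requirement":
            reqs.add(name.strip('"'))
        out.append(header)  # Gerrit indents options, not headings, by a hard tab
        out.extend("\t%s = %s" % kv for kv in options)
    return "\n".join(out) + "\n", sorted(labels - reqs)
```

Running normalize on its own output returns the same text, so a normalized file produces an empty diff and the check passes.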
In order to implement a post-check pipeline for dealing with secrets in
the check pipeline it is required to add an additional flag to gerrit that
will be set as a prerequisite to start jobs.
Change-Id: I3f0d7fe7e0014c28465aaab060e74e39a527b745
Now that we have a fix in place for Gerrit's tag signature detection
regression, remove the unsafe permission for pushing unsigned tags
to return everything to the state we had prior to the 3.4 upgrade.
Change-Id: Ia9afb5fb4be311cca59d3e1cf3b7bc611184fe15
Upon upgrading from Gerrit 3.3 to 3.4, a regression was observed in
which jgit no longer returns signatures in its tag messages, causing
Gerrit to misidentify signed tags as unsigned (annotated) tags.
Because our ACLs only allow signed tags to be pushed, this
regression prevents Gerrit from accepting them now.
Temporarily grant permission to push unsigned tags to anyone who
has permission to push signed ones. We will revert that as soon as a
fixed Gerrit is in place, but in the meantime users will be warned
to take care when pushing tags so that they don't accidentally push
actually unsigned tags to Gerrit.
Also, the pushSignedTag keyword was deprecated in favor of the new
createSignedTag name, so go ahead and update to that while we're
doing this so that we can limit the amount of churn across all these
ACLs. Documentation will be corrected to recommend the new format in
a separate change, but update the ACL linter now to prevent the old
syntax from being used in new projects.
This workaround was already tested on opendev/bindep in the parent
Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793 change, and confirmed to
function as intended.
Change-Id: Ia426ea36b4e6877fdce5725ff1e00ae02c62e3f4
We're testing a potential workaround for a suspected regression in
Gerrit 3.4, where signed tags are rejected with the error "You need
'Create Tag' rights to push a normal tag." Temporarily grant this
for the opendev/bindep project, so we can see if it works around the
problem while we coordinate a fix with Gerrit upstream.
Change-Id: Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793
The pushSignedTag permission is deprecated, and has a new name:
createSignedTag. Update the opendev/bindep ACL accordingly, as we're
seeing a regression with the old name and would like to rule out
whether the new name has the same problem.
Change-Id: Ia95919bcfe71ce488096584c784fe7376f66f34a
This change adds a Review Priority label to all nova deliverables
currently under acl control in the project config repo.
The ability to set the new label is granted only to the core
and stable core teams for the updated repos.
Change-Id: I2fd7a6387d2f50eeeb8cef513df19b5696cce55b
In order to utilize Gerrit's project configuration inheritance
mechanism, we need to support the inheritFrom option. Allow it in
the whitelist for our ACL normalization script.
Change-Id: Id23b348bf42d322d5c97903ad82101ac1dc01c27
We now have the option to assign delete permissions to groups in
Gerrit, which would grant them the ability to delete branches
through the WebUI or API. Since this is a new setting, it was not
previously recognized by our linter. Extend it so that we won't
raise an error if this appears in an ACL.
Change-Id: I2b182d31e3ca5809a53aec851015341f2e67825d
The editHashtags key should be accepted as an ACL entry key as it's
required to define permissions to edit hashtags in the gerrit ui.
Change-Id: I2294d72ee36e33ea5d137eb4e0faeac69ea86625
This patch updates the retired.config ACL to allow for the technical
committee to be able to push changes into the repositories which are
retired.
The ACL allows tech-committee group members to set all labels onto
changes as well as allowing them exclusive rights to push (therefore not
allowing any other members) and giving them access to submit changes (in
order to skip our gating).
The goal is to eventually replace this group by another one once the
ACLs are verified to be working.
Change-Id: Ia6d516621ec405b02f3f97340d96d9938b605d8f
We have python scripts in the tools/ dir the vast majority of which we
run regularly with python3 via our python3 default basepython in tox.
However, most of these use a `python` shebang line which can be
confusing as to whether or not these scripts run under python3 or not.
To make this more clear set them to python3. I've confirmed the scripts
running under tox are happy with these changes. For the ones that don't
run under tox I've done a quick review and they look happy too.
Change-Id: I983d23c33f7780e5708aa728c829c3262fc99ea0
Define a release-approval pipeline to run the check-release-approval
job on every comment added to a release request, and set a
PTL-Approved label accordingly.
This may be considered a bit resource-intensive, however the
check-release-approval job is a fast python script that runs on
the executor, and only release requests shall go in this pipeline.
If this generates too much load, we could configure it to only run
when the comment posted contains a magic "signoff" keyword.
Another concern is that jobs other than check-release-approval would
be added to this pipeline. There does not seem to be a way in Zuul to
limit a pipeline to a specific job name or project.
Change-Id: Ieab04a4d6c02b216a59c12ec8599e7d91f4fffb1
This version of hacking doesn't understand f-strings as usable in
Python 3. Update to the latest and fix current issues, which are all
just formatting fixes.
Change-Id: I0a7d6f93f07477b6dd29ab143130dd9064c250be
The Octavia team would like to enable passive voting on patches
for backport candidates. This means that backport candidate votes
will not block a patch from merging, but will allow the team to
better track patches that should be backported.
Change-Id: Ib75714649848538e9fed171abd0b11f6fbc55503
This allows anyone in the group "designate-release-manager"
to set the priority of patches, and block non-freeze patches
during RC.
This allows for more precise dashboard than relying
on stars from PTLs, and allows the team to distinguish
between a procedural -2 and a release freeze -2.
Change-Id: Id7b4c6b219899fa7ed86554257264af7efe20408
Fix a "bug" in that the flake8 configuration in tox.ini was exclusively
selecting H231 as the only error it would report, so it was missing the
errors in the python modules (such as submit_log_processor_jobs). Due to
this being the case for a long time (since 2004) limit the more thorough
linting to the roles/ and playbooks/ directories where we'll be adding
ansible plugins/modules/etc. Also, lint in jenkins/script and nodepool.
Fix problems found.
We can lint everything with pep8 once the zuul v2 scripts are removed,
not worth patching them right now.
Change-Id: I479f010643cf3b67c183d763510f07a33400d38b
Co-Authored-By: Jesse Keating <omgjlk@us.ibm.com>
As per OpenStack licensing guidelines [1]:
[H102 H103] Newly contributed Source Code should be licensed under
the Apache 2.0 license.
[H104] Files with no code shouldn't contain any license header nor
comments, and must be left completely empty.
[1] http://docs.openstack.org/developer/hacking/#openstack-licensing
Change-Id: Iabfc781800f080b8235a2d812d16bdb3ee57067a
Add check for valid keys to find obvious typos in keys.
Fix the one error found in openstack.config.
Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
Whenever a project-specific ACL declares exclusiveGroupPermissions
on some permission, it can block other valid uses of that permission
which would otherwise be inherited from the All-Projects pseudoACL.
Make sure that Project Bootstrappers retains access to abandon,
-2..+2 on label-Code-Review and -1..+1 on label-Workflow. Also make
sure Change Owners can still abandon and add -1..0 on
label-Workflow, and that Registered Users can always -1..+1 on
label-Code-Review.
This change corrects existing ACLs to meet the above criteria, and
also introduces a normalization rule to prevent regression.
Change-Id: I2eecb7028bcab7d5d82ad4155a775a9b2daa441f
Gerrit ACLs can have multiple duplicate option keys in a section,
but completely duplicate lines (key and value together) have no use
so make sure they're collapsed into at most 1 copy.
Change-Id: I6bf43e860dcc8c3d7b2846d4e058b6c8ac7243eb
...only Project Bootstrappers.
Correct the ACL normalization script oversight which led to this
unfortunate mistake, and clean up the resulting mess.
Change-Id: I391ead734d0cd28277581d54f254718c3e36d4b0
Look for all keys that begin with 'refs/tags' rather than just the
string literal 'refs/tags/*' when removing unneeded create permissions
from tag access sections.
Change-Id: I6dc226065166038700ffd324d354e617596888cb
If the gerrit config normalizer comes across an unrecognized line, add
the bad line to the exception message for debugging.
Change-Id: I60e77a0b50718fb331bad0836ca769f685e6ce93
Enhance Gerrit ACL check to check that the files are properly
normalized.
Co-Authored-By: Armando Migliaccio <armamig@gmail.com>
Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
This is the result of running:
find modules/openstack_project/files/gerrit/acls/ -type f \
-name "*.config" -exec ./tools/normalize_acl.py {} 6 \;
Change-Id: I7aa27b859529b2bc8a990d6272334222996cbbc4
* tools/normalize_acl.py: Script which can perform one or more of a
list of normalizing transformations to an ACL file.
Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14