BUILD_EXEC

9 views
Skip to first unread message

anatoly techtonik

unread,
Feb 26, 2010, 12:12:45 PM2/26/10
to Bitten
Hello,

I am just starting to learn Bitten. What is the point of granting
anonymous BUILD_EXEC permission? Does that mean that just anybody can
submit builds to my Trac instance? Is it safe? Explanation about the
role of this permission would help a lot, esp. with a reference from
http://bitten.edgewall.org/wiki/Documentation/install.html page.

--
anatoly t.

Simon Cross

unread,
Feb 26, 2010, 1:20:18 PM2/26/10
to bit...@googlegroups.com
On Fri, Feb 26, 2010 at 7:12 PM, anatoly techtonik <tech...@gmail.com> wrote:
> I am just starting to learn Bitten. What is the point of granting
> anonymous BUILD_EXEC permission? Does that mean that just anybody can
> submit builds to my Trac instance? Is it safe?

Granting anonymous the BUILD_EXEC permission allows anyone to process
builds (i.e. claim a build and submit results). If you have a widely
accessible Trac instance, it's probably not a good idea. It's not
required -- your slaves can authenticate (see bitten-slave --help)
themselves and you can grant authenticated slaves permissions the same
way you would any other user.

> Explanation about the role of this permission would help a lot, esp. with a reference
> from http://bitten.edgewall.org/wiki/Documentation/install.html page.

This probably does need updating. Does the wording below makes things clearer?

=====
This will create the database tables and directories that Bitten requires.
You probably also want to grant permissions to someone (such as yourself)
to manage build configurations, and allow anonymous users to view the
status and results of builds::

$ trac-admin /path/to/projenv permission add [yourname] BUILD_ADMIN
$ trac-admin /path/to/projenv permission add anonymous BUILD_VIEW

Build slaves (see next section) will need permission to process builds
which you can grant using::

$ trac-admin /path/to/projenv permission add [slavegroup] BUILD_EXEC

Alternatively you may allow anyone to submit builds by given anonymous
this permission.
====

Schiavo
Simon

anatoly techtonik

unread,
Feb 26, 2010, 1:44:47 PM2/26/10
to Bitten
On Feb 26, 8:20 pm, Simon Cross <hodges...@gmail.com> wrote:
>
> Granting anonymous the BUILD_EXEC permission allows anyone to process
> builds (i.e. claim a build and submit results). If you have a widely
> accessible Trac instance, it's probably not a good idea. It's not
> required -- your slaves can authenticate (see bitten-slave --help)
> themselves and you can grant authenticated slaves permissions the same
> way you would any other user.
>
> > Explanation about the role of this permission would help a lot, esp. with a reference
> > fromhttp://bitten.edgewall.org/wiki/Documentation/install.htmlpage.
>
> This probably does need updating.  Does the wording below makes things clearer?

Much better. Only the usage of the word "build" is confusing. For
people, who see the Bitten for the first time, "Build" can mean
number, binary package, Makefile configuration, revision in
repository, tag or something else. In this respect "to process build"
is something mysterious, "to claim a build and submit results" is
better if you already know about master/slave communication and phrase
"to download build configuration and submit results" would make it
even more clear about the roles of master/slave from the start. The
only question I would like to ask at this point - what kind of results
are accepted by server - could these be binaries or just plain text
metrics? This info in installation part would, of course, better be
seen as a reference.

> =====
> This will create the database tables and directories that Bitten requires.
> You probably also want to grant permissions to someone (such as yourself)
> to manage build configurations, and allow anonymous users to view the
> status and results of builds::
>
>   $ trac-admin /path/to/projenv permission add [yourname] BUILD_ADMIN
>   $ trac-admin /path/to/projenv permission add anonymous BUILD_VIEW
>
> Build slaves (see next section) will need permission to process builds
> which you can grant using::
>
>   $ trac-admin /path/to/projenv permission add [slavegroup] BUILD_EXEC
>
> Alternatively you may allow anyone to submit builds by given anonymous
> this permission.
> ====
>
> Schiavo
> Simon

--
anatoly t.

potter

unread,
Feb 26, 2010, 1:54:07 PM2/26/10
to Bitten
Hmm, that page doesn't describe BUILD_EXEC, though it should.

BUILD_EXEC is the permission that the bitten-slaves need to work.
With this it would allow them to:
* Connect to the bitten-master to get build requests.
* Submit results of such builds. This would include:
* Success or Failure of the build.
* Logs of each step.
* Lint, Coverage, and/or Unit-tests results.
* Attachments to the Build pages.
For simplicity of an initial installation, I can see giving anonymous
this ability. This would allow one to get the slaves operational
without those pesky authentication issues getting in they way
(sarcasm). I could see with this configuration, anyone could abuse
the Bitten system. I personally defined a new user in Trac and only
that one user has BUILD_EXEC permission. Originally that was the only
permission that I gave this new user and plan to move back to that
model shortly.

W. Martin Borgert

unread,
Feb 26, 2010, 2:10:26 PM2/26/10
to bit...@googlegroups.com, anatoly techtonik
Quoting "anatoly techtonik" <tech...@gmail.com>:
> What is the point of granting
> anonymous BUILD_EXEC permission?

I have a "bitten" user in my Trac and all authenticated users have
BUILD_EXEC permission. I don't know wether this is the best way,
but it works.

anatoly techtonik

unread,
Feb 26, 2010, 3:10:22 PM2/26/10
to Bitten
Thanks for prompt replies. I now reached Zen of Bitten permissions. =)

anatoly techtonik

unread,
Mar 28, 2010, 3:52:04 PM3/28/10
to Bitten
I couldn't spot any differences in documentation, so I've created a
ticket for docs update. It is ticket #555 - a lucky number that makes
me wonder if all the docs need a major update?
Reply all
Reply to author
Forward
0 new messages