Hi all,We're running into an issue with Submodule Subscriptions ACL's after upgrading from 2.12 to 2.14. I'm looking for some guidance or advice, please. First a little background:
We manage a large number of Gerrit repositories across a few different instances using a delegated permission model and standardized permissions per-server. For the most part, all of our repositories are open for read access to all registered users of the system. We have a few repositories which are "protected" - these are read-restricted to only specific users who are granted access at the per-project level. All of these projects inherit their permissions from a Protected Parent repo (deny on read to Registered Users).
The Administrators group owns every project on each server. We have in-house tooling that builds out these repositories, and can rewrite their permissions across each server as needed. Each repository has an Administrators group that owns the other groups used for that specific repository, allowing them to grant or remove access to a specific function by adding or removing people from the standardized groups.
As of the 2.14 upgrade, we're facing issues with submodule subscriptions. Ultimately, I'd like to let all of our non-protected projects be subscribed to by any other project on the server, while I'd like to restrict the protected projects to not allow them to be subscribed to at all. It seems that I can grant these permissions at either the All-Projects, the Protected Parent Level, or individual projects level. However, I don't see a way to grant the submodule subscription permission for all superprojects. Is there a way to blanket this permission, or does each superproject need to be granted individually?
Ex:
[allowSuperproject "<superproject>"]
matching = <refspec>
Is there a way to wildcard <superproject>?
Thank you,
Jeff