Gerrit exclude a group in ACLs


Duft Markus
Mar 8, 2018, 10:29:59 AM
to Repo and Gerrit Discussion

Hey,

In a corporate setup, I’d like to grant all registered users read access to all users, /except/ for all users in the “External Users” group, which should only have read on repositories where explicitly allowed. Is this possible at all with the current mechanisms? What would be necessary to implement this if not?

Any hints appreciated…

Cheers,
Markus

--

Mit freundlichen Grüßen / Best regards

 

Markus Duft | Software Architect

SSI SCHÄFER | SSI Schäfer IT Solutions GmbH | Friesachstraße 15 | 8114 Friesach bei Graz | Austria

Phone +43 3127 200-575 | Fax +43 3127 200-22

marku...@ssi-schaefer.com



SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz

Gert van Dijk
Mar 8, 2018, 10:49:27 AM
to Repo and Gerrit Discussion
Yeah, I believe your use case is documented in the Access Control chapter.

From the top of my head, if I'm correct, in a project you could set something like this:

Reference: refs/*
Permission: Read (Exclusive)
DENY External Users
ALLOW Registered Users

Duft Markus
Mar 8, 2018, 11:35:24 AM
to Gert van Dijk, Repo and Gerrit Discussion

Hey,

Hmm, I can’t seem to get that to work. I also looked in the docs but cannot find any example. Note that I want to grant read to Registered Users globally (so on All-Projects), and at the same time deny read for External Users. This does not work as the ALLOW rule on Registered Users also matches the External Users…

Cheers,
Markus

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Duft Markus
Mar 9, 2018, 3:29:53 AM
to Gert van Dijk, Repo and Gerrit Discussion

Any permission pros here?

Even with this, the user in the External Users group can see all projects:

[access "refs/*"]
    read = group Non-Interactive Users
    read = group Registered Users
    read = block group ou/External Users
    …
    exclusiveGroupPermissions = read

Any hints? I get the feeling that this is not possible (which would be bad :( ). In this case – any hints if there are possibilities to put this into a custom plugin?

Cheers,
Markus

Edwin Kempin
Mar 9, 2018, 3:33:58 AM
to Marku...@ssi-schaefer.com, Gert van Dijk, Repo and Gerrit Discussion
Would it be feasible to have two projects under All-Projects: External-Projects and Internal-Projects?
You could then simply block External Users on Internal-Projects.
Of course you would need to make sure that all your external projects have External-Projects as parent and that all internal projects are under Internal-Projects.

Duft Markus
Mar 9, 2018, 3:38:32 AM
to Edwin Kempin, Gert van Dijk, Repo and Gerrit Discussion

Hm,

I already have this actually:

All-Projects
products/All-Projects
infrastructure/All-Projects
projects/All-Projects
automation/All-Projects

I can block access for external users on all but automation/All-Projects. In there I would like to give members of External Users read permission individually (singleusergroup) per project. We have potentially hundreds of external users which are only allowed to see a single project while they are hired to work on this. automation/All-Projects should still allow any other (non External Users) user read permission somehow. I would like to avoid manual maintenance of all users on automation/* projects…

Cheers,
Markus

Duft Markus
Mar 12, 2018, 5:22:17 AM
to Edwin Kempin, Gert van Dijk, Repo and Gerrit Discussion

No good ideas anymore? I’m as far as thinking about a new group backend which provides a "Not-XZ" group which is essentially "Registered Users minus XZ". This has some other limitations though…


Duft Markus
Mar 13, 2018, 4:03:05 AM
to Eric Tsai, Repo and Gerrit Discussion

Hey,

Current issue is:

- Assume we have Registered Users which come from multiple domains, with a lot of different non-uniform groups. Usually, all of those users are employees which should be able to see and manipulate all of our repositories.
- Then there is the External Users group which contains a manually maintained set of Users which should NOT be able to see any repositories, except those they have been manually granted access for.

I’d like to setup top-level default access rights which would accomplish the above. Grant read/push to Registered Users, but NOT to External Users, thus “grant read/push to group (Registered Users MINUS External Users)”.

Regards,
Markus

From: repo-d...@googlegroups.com [mailto:repo-d...@googlegroups.com] On Behalf Of Eric Tsai
Sent: Monday, March 12, 2018 6:22 PM
To: Repo and Gerrit Discussion <repo-d...@googlegroups.com>
Subject: Re: Gerrit exclude a group in ACLs

Hi Markus,

It seems that your latest requirement ("I would like to give members of External Users read permission individually (singleusergroup) per project") is different from "Registered Users minus XZ".

What's your current issue?

Eric Tsai
Mar 13, 2018, 5:01:06 AM
to Repo and Gerrit Discussion
Hi Markus

Default For All-Projects:
[access "refs/*"]
        read = group Registered Users

For All-External-Blocked-Projects:
[access]
        inheritFrom = All-Projects
[access "refs/*"]
        read = group Special_Allowed_External_Group
        read = block group External_Users

Projects inheriting from All-External-Blocked-Projects will not be visible to External_Users unless they are in Special_Allowed_External_Group.

Duft Markus
Mar 13, 2018, 6:20:22 AM
to Eric Tsai, Repo and Gerrit Discussion

Thanks a lot, this does the trick :) Just need an additional intermediate extra project…

Cheers,
Markus


Duft Markus
Mar 13, 2018, 7:45:43 AM
to Eric Tsai, Repo and Gerrit Discussion

Oh no. Chimed too soon :D I have this setup:

All-Projects -> allow read for all
   + All-Projects-Ext -> block for External Users
   +-- projects/XY -> allow read for group XY-Devs, owner: XY-Owners

Now when I put a user who is in the External Users group into the XY-Devs group as well, he still does not see the project. Also setting exclusive on the XY read permission for XY-Devs does not make the project visible.

Adding the user to the group XY-Owners makes the project (and only this project) visible to the user, which would be what I want – I just don’t want External Users with restricted rights to be owners :( Any permission I miss which must be given (except read)?

Cheers,
Markus

Eric Tsai
Mar 14, 2018, 2:20:07 AM
to Repo and Gerrit Discussion
Put both block & allow in projects/XY, don't use All-Projects-Ext.


Duft Markus
Mar 14, 2018, 4:18:39 AM
to Eric Tsai, Repo and Gerrit Discussion

Hey,

Sorry, I don’t get which block and which allow I should put in XY?

Registered Users: A, B, C
External Users: A, B

All-Projects -> allow read for Registered Users
+- All-Projects-Ext -> block for External Users
+-- projects/XY -> Allow for User A
+-- projects/YZ -> Allow for User B
+-- projects/ZZ -> No extra ACLs

projects/XY shall be visible for A and C
projects/YZ shall be visible for B and C
projects/ZZ shall be visible for C only (not an External User).

I hope that clarifies a little more?

Cheers,
Markus


Eric Tsai
Mar 14, 2018, 11:10:13 AM
to Repo and Gerrit Discussion
Hi Markus,
I mean add all settings in projects/*, don't use "All-Projects-Ext".

[access]
        inheritFrom = All-Projects

[access "refs/*"]
        read = group Special_Allowed_External_Group
        read = block group External_Users



Duft Markus
Mar 14, 2018, 11:14:06 AM
to Eric Tsai, Repo and Gerrit Discussion

Hey,

Thanks for the clarification; this now no longer does what I wanted to achieve in the first place :) I would like to allow read for all but External Users on as top-level as possible to avoid having ACLs per project in the default case… :(

Cheers,
Markus


Eric Tsai
Mar 14, 2018, 11:39:29 AM
to Repo and Gerrit Discussion
According to Gerrit doc:

'BLOCK' access rule

The 'BLOCK' rule blocks a permission globally. An inherited 'BLOCK' rule cannot be overridden in the inheriting project. Any 'ALLOW' rule, from a different access section or from an inheriting project, which conflicts with an inherited 'BLOCK' rule will not be honored.



Eric Tsai
Mar 14, 2018, 1:19:47 PM
to Repo and Gerrit Discussion
Another way to try:
1. Remove default ALLOW Read to refs/* for "Registered Users". Move it to another "All-Projects-All" project. Change projects to inherit from "All-Projects-All" instead of "All-Projects".
2. Change the "BLOCK" Read to "DENY" Read in "All-Projects-Ext".
3. "ALLOW" Read in external projects as you already did.

See Permission evaluation reference:
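Added example, not code from this thread and not Gerrit's own code: a small Python model of the ALLOW/BLOCK read evaluation discussed above, run over Markus's A/B/C scenario. It implements the BLOCK rule exactly as Eric quotes it from the Gerrit documentation (an inherited BLOCK cannot be overridden in the inheriting project, and an ALLOW from a different access section is not honored) together with the same-section exception that Eric's configs rely on, namely that an ALLOW in the same access section as the BLOCK lets members of the allowed group through. Restricting the model to those two rules is an assumption made here; DENY rules and exclusiveGroupPermissions are deliberately not modelled, and the `*` pattern matching is the simplified prefix form. The project names, group names and project.config fragments are constructed from the thread; the three users are the A, B, C of Markus's example.

```python
"""Model of Gerrit's ALLOW/BLOCK evaluation for 'read' across a project inheritance
chain.  Added example, not Gerrit's own code: it implements only the BLOCK semantics
quoted in the thread plus the same-section ALLOW exception; DENY rules and
exclusiveGroupPermissions are deliberately not modelled."""
import re
from collections import namedtuple

SECTION_RE = re.compile(r'^\[access(?:\s+"([^"]+)")?\]$')
RULE_RE = re.compile(r'^(\w+)\s*=\s*(block\s+)?group\s+(.+)$')
Rule = namedtuple("Rule", "ref_pattern permission action group")  # action: ALLOW | BLOCK


class Project:
    def __init__(self, name):
        self.name, self.parent, self.rules = name, None, []


def parse_project_config(name, text):
    """Parse the [access] sections of a project.config (git-config syntax)."""
    proj, section = Project(name), None   # section: ("access", ref pattern or None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = SECTION_RE.match(line)
            section = ("access", m.group(1)) if m else ("other", None)
            continue
        if section is None or section[0] != "access":
            continue
        ref_pattern = section[1]
        if ref_pattern is None:           # bare [access] carries inheritFrom, not rules
            key, _, value = line.partition("=")
            if key.strip() == "inheritFrom":
                proj.parent = value.strip()
            continue
        m = RULE_RE.match(line)           # deny / exclusiveGroupPermissions lines are skipped
        if m:
            permission, modifier, group = m.groups()
            proj.rules.append(Rule(ref_pattern, permission, "BLOCK" if modifier else "ALLOW", group))
    return proj


def ref_matches(pattern, ref):
    """Simplified Gerrit glob: a trailing '*' matches any suffix, slashes included."""
    return ref.startswith(pattern[:-1]) if pattern.endswith("*") else ref == pattern


def inheritance_chain(projects, name):
    """The project followed by its parents, most specific first."""
    chain = []
    while name is not None:
        chain.append(projects[name])
        name = projects[name].parent
    return chain


def can_read(projects, project, ref, groups):
    """A BLOCK matching one of the user's groups denies access unless an ALLOW in the
    same access section (same project, same ref pattern) also matches, so an inherited
    BLOCK cannot be lifted in a child; otherwise any matching ALLOW in the chain grants."""
    allowed = False
    for proj in inheritance_chain(projects, project):
        by_section = {}
        for r in proj.rules:
            if r.permission == "read" and ref_matches(r.ref_pattern, ref):
                by_section.setdefault(r.ref_pattern, []).append(r)
        for rules in by_section.values():
            hit = [r for r in rules if r.group in groups]
            allowed_here = any(r.action == "ALLOW" for r in hit)
            if any(r.action == "BLOCK" for r in hit) and not allowed_here:
                return False
            allowed = allowed or allowed_here
    return allowed


def readers(projects, project, users, ref="refs/heads/master"):
    """Sorted names of the users who can read `ref` in `project`."""
    return sorted(u for u, g in users.items() if can_read(projects, project, ref, g))


def load(configs):
    return {name: parse_project_config(name, text) for name, text in configs.items()}


# Constructed users: everyone is a Registered User; A and B are also External Users.
USERS = {
    "A": {"Registered Users", "External Users", "XY-Devs"},
    "B": {"Registered Users", "External Users", "YZ-Devs"},
    "C": {"Registered Users"},
}

# Layout 1, as in the thread: the BLOCK sits in the intermediate All-Projects-Ext.
INTERMEDIATE_BLOCK = load({
    "All-Projects":     '[access "refs/*"]\n read = group Registered Users',
    "All-Projects-Ext": '[access]\n inheritFrom = All-Projects\n'
                        '[access "refs/*"]\n read = block group External Users',
    "projects/XY":      '[access]\n inheritFrom = All-Projects-Ext\n'
                        '[access "refs/*"]\n read = group XY-Devs',
    "projects/ZZ":      '[access]\n inheritFrom = All-Projects-Ext',
})

# Layout 2, Eric's final advice: BLOCK and ALLOW in the same section of each project.
PER_PROJECT_BLOCK = load({
    "All-Projects": '[access "refs/*"]\n read = group Registered Users',
    "projects/XY":  '[access]\n inheritFrom = All-Projects\n'
                    '[access "refs/*"]\n read = group XY-Devs\n read = block group External Users',
    "projects/ZZ":  '[access]\n inheritFrom = All-Projects\n'
                    '[access "refs/*"]\n read = block group External Users',
})

if __name__ == "__main__":
    for label, layout in (("intermediate", INTERMEDIATE_BLOCK), ("per-project", PER_PROJECT_BLOCK)):
        print(label, {p: readers(layout, p, USERS) for p in ("projects/XY", "projects/ZZ")})
```

Under the first layout the model reproduces what Markus observed: A is in XY-Devs, yet projects/XY is readable by C only, because the BLOCK inherited from All-Projects-Ext cannot be lifted by the ALLOW in the child's own section. Under the second layout projects/XY is readable by A and C and projects/ZZ by C only, which is the visibility Markus asked for, but only because every project under projects/* carries its own BLOCK line; that per-project maintenance is exactly the overhead he wanted to avoid at the top level.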

