ACL: how to allow a user to see only one project and nothing else


Paweł Dzierżanowski

Jul 5, 2024, 1:04:04 PM
to Repo and Gerrit Discussion
We have a large Gerrit installation (thousands of projects) where project ownership (owner permission) is delegated to hundreds of users.
Normally these delegated project owners manage their projects on their own, many choosing to grant read permission to Registered Users.

Is there a way to configure Gerrit in such a way that a certain group (G) is allowed to see only one repository (P) and nothing else?
Obviously I cannot BLOCK read G in All-Projects because that would block P too.
DENY read X wouldn't prevent project owners from granting 'read' to members of X (e.g. by allowing Registered Users to read)

I'm aware that this is a challenge only because of the project ownership arrangements --- if the admin had direct "control" over all project.configs then it wouldn't be an issue

I'm not sure if this is impossible or I'm missing something obvious :)

Paweł Dzierżanowski

Jul 10, 2024, 10:40:55 AM
to Repo and Gerrit Discussion
Friday, 5 July 2024 at 19:04:04 UTC+2 Paweł Dzierżanowski wrote:
Is there a way to configure Gerrit in such a way that a certain group (G) is allowed to see only one repository (P) and nothing else?
Obviously I cannot BLOCK read G in All-Projects because that would block P too.
DENY read X wouldn't prevent project owners from granting 'read' to members of X (e.g. by allowing Registered Users to read)

One approach could be to write a script that gets triggered by every change on refs/meta/config in all projects but project P, that would make sure that "read = BLOCK group X" is there in all the projects but P.
Obviously it is less than ideal...
And the script would have to make sure that there are no exceptions, accidental or not, in the project.config, because:

From the Permission evaluation reference [1]:
BLOCK rules can have exceptions defined on the same project (eg. BLOCK anonymous users, ie. everyone, but make an exception for Admin users), either by:
- adding ALLOW PermissionRules in the same Permission. This implies they apply to the same ref pattern.
- adding an ALLOW Permission in the same project with a more specific ref pattern, but marked "exclusive". This allows them to apply to different ref patterns.


I'm starting to think that, especially because of the second of the above, there is no way to achieve what I want.
I really hope someone can prove me wrong :)

Paweł
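The enforcement script sketched in this thread would need an auditing step that checks each project's project.config for the mandatory BLOCK rule and for the two exception forms quoted from the permission evaluation reference. The following is an added example of that check (not code from the thread or from Gerrit itself); it parses the git-config style project.config text directly, because configparser drops repeated `read =` keys. The group name `X`, the exempt project name `P`, and the sample configs are placeholders constructed for the example; the trigger (a hook or stream-events listener on refs/meta/config) is assumed to call `audit()` and is not shown. Group membership is not known to the script, so every ALLOW rule that sits in an exception position is reported and left for the administrator to judge.

```python
"""Audit Gerrit project.config files for a mandatory `read = block group X` rule
and for the exceptions that would defeat it.  Example code written for this
thread; TARGET_GROUP, EXEMPT_PROJECT and the sample configs are placeholders."""
import re

TARGET_GROUP = "X"        # placeholder: the group that may read only one project
EXEMPT_PROJECT = "P"      # placeholder: the one project that group may read
BASE_REF = "refs/*"       # the ref pattern the BLOCK rule is expected on

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_project_config(text):
    """Parse git-config style text into {(section, subsection): [(key, value), ...]}.
    Repeated keys are kept in order (several `read =` lines per section are normal).
    Assumes '#' starts a comment and does not appear inside a group name."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key.lower(), value))
    return sections


def parse_rule(value):
    """Split a permission value such as 'block group Foo Bar' into (action, group).
    action is 'allow', 'deny' or 'block'; group is None if the value is malformed."""
    tokens = value.split()
    action = "allow"
    if tokens and tokens[0].lower() in ("deny", "block"):
        action = tokens.pop(0).lower()
    if len(tokens) >= 2 and tokens[0].lower() == "group":
        return action, " ".join(tokens[1:])
    return action, None


def audit(project, config_text):
    """Return a list of findings for one project; an empty list means the policy holds.
    Findings: the BLOCK rule is missing, an ALLOW read rule shares the BLOCK's
    section (exception form 1), or an exclusive read permission on another ref
    pattern carries an ALLOW rule (exception form 2).  Any access section other
    than BASE_REF is treated as "more specific", a conservative simplification."""
    if project == EXEMPT_PROJECT:
        return []
    cfg = parse_project_config(config_text)
    findings = []

    base_reads = [parse_rule(v) for k, v in cfg.get(("access", BASE_REF), []) if k == "read"]
    if ("block", TARGET_GROUP) not in base_reads:
        findings.append(f'{project}: no "read = block group {TARGET_GROUP}" in [access "{BASE_REF}"]')

    # Exception form 1: ALLOW rules in the same permission on the same ref pattern
    for action, group in base_reads:
        if action == "allow":
            findings.append(f'{project}: ALLOW read for group "{group}" on {BASE_REF} '
                            f'exempts that group from the BLOCK')

    # Exception form 2: an exclusive read permission on a more specific ref pattern
    for (section, ref), entries in cfg.items():
        if section != "access" or ref in (None, BASE_REF):
            continue
        exclusive = any(k == "exclusivegrouppermissions" and "read" in v.split()
                        for k, v in entries)
        if not exclusive:
            continue
        for k, v in entries:
            if k != "read":
                continue
            action, group = parse_rule(v)
            if action == "allow":
                findings.append(f'{project}: exclusive ALLOW read for group "{group}" on {ref} '
                                f'bypasses the BLOCK on {BASE_REF}')
    return findings


# Constructed sample configs, not taken from any real Gerrit site.
GOOD_CONFIG = """
[access "refs/*"]
  read = block group X
  read = deny group Anonymous Users
[access "refs/heads/*"]
  read = group Registered Users
"""

BAD_CONFIG = """
[access "refs/*"]
  read = group Registered Users
  read = block group X
[access "refs/heads/*"]
  exclusiveGroupPermissions = read
  read = group Registered Users
"""

if __name__ == "__main__":
    for name, text in (("good-project", GOOD_CONFIG), ("bad-project", BAD_CONFIG)):
        print(name, audit(name, text) or "policy holds")
```

In `GOOD_CONFIG` the owner's grant to Registered Users lives on refs/heads/* without `exclusiveGroupPermissions`, so the BLOCK on refs/* still wins; in `BAD_CONFIG` both exception forms are present and both are reported. Because `parse_rule` classifies everything that is not `deny` or `block` as an ALLOW, a rule the script cannot interpret is reported rather than silently accepted.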

