Can't push tags anymore, after upgrade from 2.14.7 -> 2.15.1

3,265 views
Skip to first unread message

Peter Olsson

unread,
May 3, 2018, 7:38:26 AM5/3/18
to Repo and Gerrit Discussion
Hello,

Are there any new access rights that must be updated/added after migrating from 2.14.7 to 2.15.1, for allowing push of tags?

Before upgrade this worked without any issues, after upgrade we get this:

! [remote rejected] v1.0.2 -> v1.0.2 (prohibited by Gerrit: update for creating new commit object not permitted)

We have these rights assigned for the repository:

Reference: refs/tags/*
Create Reference: Project Owners
Create Signed Tag: Project Owners
Create Annotated Tag: Project Owners

Regards,

Peter Olsson

Gert van Dijk

unread,
May 3, 2018, 9:07:19 AM5/3/18
to Repo and Gerrit Discussion
It looks like you are pushing new content to the tags (refs), according to the error output. If that's indeed the case, you will need the Push permission on the ref as well and that would not be different between 2.14 and 2.15 if I'm correct.

Peter Olsson

unread,
May 4, 2018, 2:59:48 AM5/4/18
to Repo and Gerrit Discussion
Hi,

Thanks for the reply!

I have just created a tag as I always do - "git tag -a v1.0.2" in this case. However, after adding the "Push" right to the users (to refs/tags/*), things seems to work like before.
I'm not sure if the previous or the new behaviour is the correct one?

Regards,

Peter Olsson

Tech Advantage

unread,
May 4, 2018, 3:09:03 AM5/4/18
to Repo and Gerrit Discussion


Le vendredi 4 mai 2018 08:59:48 UTC+2, Peter Olsson a écrit :
Hi,

Thanks for the reply!

I have just created a tag as I always do - "git tag -a v1.0.2" in this case. However, after adding the "Push" right to the users (to refs/tags/*), things seems to work like before.
I had the same issue.
Worked in 2.14 but required explicit push rights under refs/tags/* to work.

 

Edwin Kempin

unread,
May 8, 2018, 2:55:42 AM5/8/18
to a...@tech-advantage.com, Repo and Gerrit Discussion
On Fri, May 4, 2018 at 9:09 AM Tech Advantage <a...@tech-advantage.com> wrote:


Le vendredi 4 mai 2018 08:59:48 UTC+2, Peter Olsson a écrit :
Hi,

Thanks for the reply!

I have just created a tag as I always do - "git tag -a v1.0.2" in this case. However, after adding the "Push" right to the users (to refs/tags/*), things seems to work like before.
I had the same issue.
Worked in 2.14 but required explicit push rights under refs/tags/* to work.

Have a look at [1], but this change was already part of 2.14.

 

 
I'm not sure if the previous or the new behaviour is the correct one?

Regards,

Peter Olsson

Den torsdag 3 maj 2018 kl. 15:07:19 UTC+2 skrev Gert van Dijk:
It looks like you are pushing new content to the tags (refs), according to the error output. If that's indeed the case, you will need the Push permission on the ref as well and that would not be different between 2.14 and 2.15 if I'm correct.

On Thursday, 3 May 2018 13:38:26 UTC+2, Peter Olsson wrote:
Hello,

Are there any new access rights that must be updated/added after migrating from 2.14.7 to 2.15.1, for allowing push of tags?

Before upgrade this worked without any issues, after upgrade we get this:

! [remote rejected] v1.0.2 -> v1.0.2 (prohibited by Gerrit: update for creating new commit object not permitted)

We have these rights assigned for the repository:

Reference: refs/tags/*
Create Reference: Project Owners
Create Signed Tag: Project Owners
Create Annotated Tag: Project Owners

Regards,

Peter Olsson

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Peter Olsson

unread,
May 8, 2018, 3:02:51 AM5/8/18
to Repo and Gerrit Discussion
Even though this seems very related, it cannot be part of that change, since it's way too old. We upgraded from 2.14.7, and before the upgrade we didn't need the push rights to refs/tags/*, but after upgrade to 2.15.1 it was required. It's not a problem for us, since it seems that adding push rights to refs/tags/* solves the issue.

However, it would of course be nice to understand if this change was intended or not.

Regards,

Peter Olsson

Gert van Dijk

unread,
May 8, 2018, 3:05:08 AM5/8/18
to Repo and Gerrit Discussion
On Friday, 4 May 2018 08:59:48 UTC+2, Peter Olsson wrote:
I have just created a tag as I always do - "git tag -a v1.0.2" in this case. However, after adding the "Push" right to the users (to refs/tags/*), things seems to work like before.
I'm not sure if the previous or the new behaviour is the correct one?

Glad that it helped!

Just wanted to add that it should be very uncommon to create new tags for content that's unknown to the server, right? I mean, generally speaking, someone would only set a tag on a commit that has been submitted in Gerrit or at least part of a branch. If you need this permission to create your tag, this means you're pushing new content that's only part of this tag and not in any branch.

I think it's very powerful to prevent this from happening with Gerrit by not granting this permission.

And thanks Edwin for the exact pointer!

Peter Olsson

unread,
May 8, 2018, 3:29:37 AM5/8/18
to Repo and Gerrit Discussion
Hello again!

Just to avoid confusion here. I did not tag contents that was unknown to the server in this case. I just tried to push a tag that referenced an existing commit (both locally and on the server). And to do this I had to add the push rights to refs/tags/*.

Regards,

Peter Olsson

Gert van Dijk

unread,
May 8, 2018, 3:39:34 AM5/8/18
to Repo and Gerrit Discussion
On Tuesday, 8 May 2018 09:29:37 UTC+2, Peter Olsson wrote:
Just to avoid confusion here. I did not tag contents that was unknown to the server in this case. I just tried to push a tag that referenced an existing commit (both locally and on the server). And to do this I had to add the push rights to refs/tags/*.

If that's really the case, then I think you're hitting something else. Creating a lightweight tag on an existing commit known to Gerrit should be possible with the "Create Reference" permission granted. Did you also see the separate permission for creating an *annotated* and signed tags (docs)? That's different from just a lightweight tag in Gerrit permissions. Perhaps that explains it as I saw you created a tag with "git tag -a".

Adding the Push permission on refs/tags/* will enable users to push content bypassing review. That's probably not what you want as a solution.

Edwin Kempin

unread,
May 8, 2018, 3:40:06 AM5/8/18
to pe...@olssononline.se, Repo and Gerrit Discussion
On Tue, May 8, 2018 at 9:29 AM Peter Olsson <pe...@olssononline.se> wrote:
Hello again!

Just to avoid confusion here. I did not tag contents that was unknown to the server in this case. I just tried to push a tag that referenced an existing commit (both locally and on the server). And to do this I had to add the push rights to refs/tags/*.
If I remember this correctly push on refs/tags/* should only be needed if you want to update an existing tag on the server, but not for the creation of a new tag.
If this is for pushing a new tag, please file an issue and also say which kind of tag you are pushing (lightweight, annotated or signed tag).
 

Regards,

Peter Olsson

Den tisdag 8 maj 2018 kl. 09:05:08 UTC+2 skrev Gert van Dijk:
On Friday, 4 May 2018 08:59:48 UTC+2, Peter Olsson wrote:
I have just created a tag as I always do - "git tag -a v1.0.2" in this case. However, after adding the "Push" right to the users (to refs/tags/*), things seems to work like before.
I'm not sure if the previous or the new behaviour is the correct one?

Glad that it helped!

Just wanted to add that it should be very uncommon to create new tags for content that's unknown to the server, right? I mean, generally speaking, someone would only set a tag on a commit that has been submitted in Gerrit or at least part of a branch. If you need this permission to create your tag, this means you're pushing new content that's only part of this tag and not in any branch.

I think it's very powerful to prevent this from happening with Gerrit by not granting this permission.

And thanks Edwin for the exact pointer!

--

Peter Olsson

unread,
May 8, 2018, 3:44:53 AM5/8/18
to Repo and Gerrit Discussion
Thanks for all replies!

In this case it's an annotated (new) tag. I create it with "git tag -a v1.0.2", and then do "git push --tags". I will document the steps to reproduce it and create an issue later on.

/Peter

Peter Olsson

unread,
May 8, 2018, 4:01:22 AM5/8/18
to Repo and Gerrit Discussion
I did some further testing, and it seems to be a problem only when pushing via https.

I did tests with the same user, using both ssh and https. When using ssh it worked without the push rights, but with https, push rights was required.
Should I open a ticket for this?

/Peter

Den tisdag 8 maj 2018 kl. 09:40:06 UTC+2 skrev Edwin Kempin:

David Pursehouse

unread,
May 8, 2018, 4:07:03 AM5/8/18
to Peter Olsson, Repo and Gerrit Discussion
On Tue, May 8, 2018 at 5:01 PM Peter Olsson <pe...@olssononline.se> wrote:
I did some further testing, and it seems to be a problem only when pushing via https.

I did tests with the same user, using both ssh and https. When using ssh it worked without the push rights, but with https, push rights was required.
Should I open a ticket for this?


Yes, please do.

dw...@dolby.com

unread,
Jul 10, 2018, 2:15:52 AM7/10/18
to Repo and Gerrit Discussion
This issue affects the latest release 2.15.2.

Jonathan Nieder

unread,
Jul 10, 2018, 2:24:00 AM7/10/18
to dw...@dolby.com, Repo and Gerrit Discussion
This appears to have been filed as https://crbug.com/gerrit/8952. You can follow along by starring that bug. It looks like one way to help would be to add a test to Gerrit's acceptance test suite demonstrating the bug.

Thanks,
Jonathan

пн, 9 июл. 2018 г. в 23:15, <dw...@dolby.com>:
--
Reply all
Reply to author
Forward
0 new messages