Issue in restricting push at branch level


Lokesh Loki

Sep 13, 2023, 5:37:46 AM
to Repo and Gerrit Discussion
I am trying to restrict the users to push changes to a specific repository->branch by creating a group and allowing members of only that group to push changes for review with the following configuration.

# Global [All projects] project.config file:

[access "refs/for/*"]
push = deny group Registered Users

# Project1 project.config file:

[access "refs/for/master"]
        push = group group_name
        create = group group_name


With the above configuration I get the following error when I push the change for review from project1:

git push origin HEAD:refs/for/master
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 48 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 403 bytes | 403.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (1/1)
remote: error: branch refs/for/master:
remote: You need 'Create Change' rights to upload code review requests.
remote: Verify that you are pushing to the right branch.
remote: User: <user>
remote: Contact an administrator to fix the permissions
remote: Processing changes: refs: 1, done
To ssh://<gerritsite>:29418/<repo>
 ! [remote rejected] HEAD -> refs/for/master(prohibited by Gerrit: not permitted: create change on refs/heads/master)
error: failed to push some refs to 'ssh://<gerrit site>:29418/<repo>'

When I change it to `push = group Registered Users` under `refs/for/*`, the push works fine. Can someone please suggest how branch-level restriction can be achieved here with the above configuration?

Thanks and Regards,
Lokesh



syntonyze

Sep 13, 2023, 9:43:03 AM
to Lokesh Loki, Repo and Gerrit Discussion
Which version of Gerrit are you using?
Push permissions on `refs/for/master` should be enough to allow the group to create a new CR targeting that branch.
Have you tried enabling request tracing [1] to see the result of permission evaluation?

```
git push -o trace=SOME_TRACE_ID_HERE origin HEAD:refs/for/master
```


Lokesh Loki

Sep 13, 2023, 10:29:34 AM
to Repo and Gerrit Discussion
Hi,

I am using Gerrit version 3.8.1. Below is a detailed explanation of what has been tried to achieve this branch-level control:

To start with, I have created one group for each branch in a repository. Then, similarly, I have created one reference for each branch in a repository and added only the respective group names to these references to perform dedicated actions. As part of this, to restrict code push for review by any registered user to any branch and allow only users who are members of the target branch, the config below is added:

# Global [All projects] project.config file:

[access "refs/for/*"]
push = deny group Registered Users

# Project1 project.config file:

[access "refs/for/master"]
        push = group group_name
        create = group group_name

Below are the error logs when tried with trace:

[HTTP GET /changes/?O=1010102&S=0&q=change%3A81%20OR%20change%3A41%20OR%20change%3A2%20OR%20change%3A1 (<user> from <ip>)] WARN  com.google.gerrit.server.change.ChangeJson : Omitting corrupt change 2 from results [CONTEXT request="REST /changes/" ]

[2023-09-13T14:07:23.748Z] [ReceiveCommits-1[java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask@12a5d8a[Not completed, task = java.util.concurrent.Executors$RunnableAdapter@55d1ea3[Wrapped task = com.google.gerrit.server.logging.LoggingContextAwareRunnable@37f67584]]]-for-SSH git-receive-pack /<repo> (<user>)] DEBUG com.google.gerrit.server.git.receive.ReceiveCommits : Command results: CREATE: 0000000000000000000000000000000000000000 42f1d7a22a0ca8ae8e2070ecfcca82c38000f5a4 refs/for/master  (REJECTED_OTHER_REASON: prohibited by Gerrit: not permitted: create change on refs/heads/master)

[CONTEXT forced=true RECEIVE_ID="<repo>-1694614043624-84d6747b" TRACE_ID="123456789-qwerty12345" project="<repo>" request="GIT_RECEIVE" ]
[2023-09-13T14:07:23.749Z] [ReceiveCommits-1[java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask@12a5d8a[Not completed, task = java.util.concurrent.Executors$RunnableAdapter@55d1ea3[Wrapped task = com.google.gerrit.server.logging.LoggingContextAwareRunnable@37f67584]]]-for-SSH git-receive-pack /<repo> (<user>)] DEBUG com.google.gerrit.server.git.receive.ReceiveCommits : Handling error conditions: [You need 'Create Change' rights to upload code review requests.
Verify that you are pushing to the right branch.]

When this is given at the global or project level, push is working fine:
[access "refs/for/*"]
push = group Registered Users

But with this we cannot achieve branch-level restriction. Kindly help me in resolving this to control branch-level permission for code check-in.

Thanks and Regards,
Lokesh M

Sven Selberg

Sep 14, 2023, 1:24:48 AM
to Repo and Gerrit Discussion
I believe this one should be:

[access "refs/for/refs/heads/master"]
        push = group group_name
        create = group group_name

Lokesh Loki

Sep 14, 2023, 2:38:45 AM
to Repo and Gerrit Discussion
Hi,

I have added the below in the config file and it still throws the same error (! [remote rejected] HEAD -> refs/for/master(prohibited by Gerrit: not permitted: create change on refs/heads/master)
error: failed to push some refs to 'ssh://<gerrit_site>:29418/<repo>').
[access "refs/for/refs/heads/master"]
        push = group group_name
        create = group group_name

In this case also, with the below config, when I allow registered users, push is working.
[access "refs/for/refs/heads/master"]
        push = group Registered Users

But for us, controlling users at branch level is the top-most requirement. Kindly assist me in resolving this.

For additional info, below are the project.config files used. Please suggest whether the below files are correct or if anything is missing in them.

All-Projects.config

[project]
description = Access inherited by all other projects.
[receive]
requireContributorAgreement = false
requireSignedOffBy = false
requireChangeId = true
enableSignedPush = false
[submit]
mergeContent = true
[access "refs/*"]
read = group Administrators
[access "refs/for/*"]
addPatchSet = group Administrators
deleteChanges = group Administrators
push = group Administrators
push = deny group Registered Users
submit = group Administrators
create = group Administrators
[access "refs/for/refs/*"]
push = deny group Registered Users
push = group Administrators
pushMerge = deny group Registered Users
pushMerge = group Administrators
[access "refs/heads/*"]
create = group Administrators
create = group Project Owners
create = group Registered Users
forgeAuthor = group Registered Users
forgeCommitter = group Administrators
forgeCommitter = group Project Owners
label-Code-Review = -2..+2 group Administrators
label-Code-Review = -2..+2 group Project Owners
label-Code-Review = -1..+1 group Registered Users
push = deny group Administrators
push = deny group Project Owners
push = deny group Registered Users
read = group Registered Users
revert = group Registered Users
submit = group Administrators
submit = group Project Owners
label-Verified = -1..+1 group Administrators
label-Verified = -1..+1 group Project Owners
label-Verified = -1..+1 group Registered Users
[access "refs/meta/config"]
exclusiveGroupPermissions = read
create = group Administrators
create = group Project Owners
label-Code-Review = -2..+2 group Administrators
label-Code-Review = -2..+2 group Project Owners
push = group Administrators
push = group Project Owners
read = group Administrators
read = group Project Owners
read = group Registered Users
submit = group Administrators
submit = group Project Owners
label-Verified = -1..+1 group Administrators
label-Verified = -1..+1 group Project Owners
label-Verified = -1..+1 group Registered Users
revert = group Administrators
[access "refs/meta/version"]
read = group Administrators
read = group Anonymous Users
read = group Project Owners
read = group Registered Users
[access "refs/tags/*"]
create = group Administrators
create = group Project Owners
createSignedTag = group Administrators
createSignedTag = group Project Owners
createTag = group Administrators
createTag = group Project Owners
[label "Code-Review"]
function = MaxWithBlock
defaultValue = 0
value = -2 This shall not be submitted
value = -1 I would prefer this is not submitted as is
value = 0 No score
value = +1 Looks good to me, but someone else must approve
value = +2 Looks good to me, approved
copyCondition = changekind:NO_CHANGE OR changekind:TRIVIAL_REBASE OR is:MIN
[label "Verified"]
function = MaxWithBlock
value = -1 Fails
value = 0 No score
value = +1 Verified
copyCondition = changekind:NO_CHANGE OR changekind:NO_CODE_CHANGE
defaultValue = 0
[access "refs/for/refs/heads/master"]
create = group test - master
push = group test - master
[capability]
administrateServer = group Administrators
priority = batch group Service Users
streamEvents = group Service Users

# project (project.config):

[access "refs/meta/config"]
create = group Administrators
label-Code-Review = -2..+2 group Administrators
label-Verified = -1..+1 group Administrators
push = group Administrators
read = group Administrators
revert = group Administrators
submit = group Administrators
[access "refs/for/master"]
addPatchSet = group test - master
label-Verified = -1..+1 group test - master
label-Code-Review = -2..+2 group Administrators
label-Code-Review = -2..+2 group Project Owners
submit = group Administrators
submit = group Project Owners
push = group test - master
revert = group test - master
deleteChanges = group Administrators

Thanks and Regards,
Lokesh M

Björn Pedersen

Sep 14, 2023, 4:01:12 AM
to Repo and Gerrit Discussion
Lokesh Loki wrote on Thursday, 14 September 2023 at 08:38:45 UTC+2:
[access "refs/for/master"]
        addPatchSet = group test - master
        label-Verified = -1..+1 group test - master

I suspect your group name is the problem. Don't use spaces in group names (`test - master` vs. `test-master`), otherwise your group is never matched.

Lokesh Loki

Sep 14, 2023, 6:14:52 AM
to Repo and Gerrit Discussion
Thank you so much, everyone!!!
It worked fine with the group name without spaces and with the below config instead of refs/for/master:

[access "refs/for/refs/heads/master"]
        push = group group_name
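
The two failure modes the thread settled on (an access section written as refs/for/master rather than refs/for/refs/heads/master, and a rule naming a group that the project's groups file does not resolve, so the rule silently never grants anything) can be checked before a project.config is pushed to refs/meta/config. The lint below is an added example, not Gerrit's own code or anything from this thread; it assumes the standard refs/meta/config layout (project.config plus a tab-separated groups file of UUID and name), and all sample input is constructed.

```python
import re
# Constructed samples modelled on the thread, not the poster's actual files.
BAD_CONFIG = """\
[access "refs/for/master"]
        push = group test - master
"""
GOOD_CONFIG = """\
[access "refs/for/refs/heads/master"]
        push = group test-master
"""
# Constructed refs/meta/config 'groups' file (UUID<TAB>name); the UUID is a placeholder.
GROUPS_FILE = ("# UUID\tGroup Name\nglobal:Registered-Users\tRegistered Users\n"
               "0000000000000000000000000000000000000001\ttest-master\n")
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
GROUP_RE = re.compile(r'(?:^|\s)group\s+(.+?)\s*$')  # 'group X', 'deny group X', '-2..+2 group X'
BAD_FOR_RE = re.compile(r'^refs/for/(?!refs/|\*)')   # refs/for/master, but not refs/for/* or refs/for/refs/...

def parse_config(text):
    """Parse git-config style text into (section, subsection, key, value) tuples."""
    rules, section, sub = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1), m.group(2) or ""
            continue
        key, _, value = line.partition("=")
        rules.append((section, sub, key.strip(), value.strip()))
    return rules

def parse_groups(text):
    """Return the set of group names the 'groups' file can resolve."""
    return {ln.split("\t", 1)[1].strip() for ln in text.splitlines()
            if "\t" in ln and not ln.startswith("#")}

def lint(config_text, groups_text):
    """Flag access rules that can never match: wrong ref pattern or unresolvable group."""
    known, findings = parse_groups(groups_text), []
    for section, ref, key, value in parse_config(config_text):
        if section != "access":
            continue
        if BAD_FOR_RE.match(ref):
            findings.append(f"{ref}: push-for-review rules belong under refs/for/refs/heads/...")
        m = GROUP_RE.search(value)
        if m and m.group(1) not in known:
            findings.append(f"{ref}: '{key}' names unknown group '{m.group(1)}'")
    return list(dict.fromkeys(findings))  # de-duplicate, keeping first-seen order
```

Running `lint(BAD_CONFIG, GROUPS_FILE)` reports both problems from the thread, while the corrected section and a global `refs/for/*` deny rule for Registered Users pass cleanly.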

Lokesh Loki

Sep 14, 2023, 6:21:19 AM
to Repo and Gerrit Discussion
Hi,

One small question: is there a way to delete unwanted groups?

Thanks and Regards,
Lokesh M
