Gerrit ACL Deny git push origin


Sebastian Auditore

Jun 16, 2025, 11:05:03 PM
to Repo and Gerrit Discussion
Hi,

I have a question on the DENY action. I have following ACL for Project A.

[access]
inheritFrom = All-Projects
[submit]
action = inherit
[access "refs/*"]
owner = group manager
create = group CI Builder
read = group developers
abandon = group developers
addPatchSet = group developers
forgeAuthor = group developers
label-Code-Review = -2..+2 group developers
push = group developers
rebase = group developers
removeReviewer = group developers
revert = group developers
submit = group Change Owner
[access "refs/heads/*"]
push = deny group Administrators
push = deny group developers

When a user who belongs to group developers has a local master branch, he can submit the code with the command "git push origin", which bypasses the code review process and merges into the master branch directly.

The rules are ordered from specific ref patterns to general patterns, and for equally specific patterns, from originating project up to All-Projects. [1]

Since I have a DENY push for /ref/heads/*, the user is still able to perform "git push origin". If I toggle the Exclusive option, then the user cannot perform the action anymore.



luca.mi...@gmail.com

Jun 17, 2025, 5:05:22 AM
to Repo and Gerrit Discussion

Hi Khailoon,

On 17 Jun 2025, at 04:05, Sebastian Auditore <khailo...@cognixus.com> wrote:

Hi,

I have a question on the DENY action.

I did not find any question mark in your post: can you elaborate your question?

Luca

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/2f4c8607-a63f-4c26-ac90-27a270f7f190n%40googlegroups.com.

Sebastian Auditore

Jun 17, 2025, 5:15:17 AM
to Repo and Gerrit Discussion
On Tuesday, June 17, 2025 at 5:05:22 PM UTC+8 luca.mi...@gmail.com wrote:

Hi Khailoon,

On 17 Jun 2025, at 04:05, Sebastian Auditore wrote:

Hi,

I have a question on the DENY action.

I did not find any question mark in your post: can you elaborate your question?

Luca
 
Hi Luca,

When a user who belongs to group developers has a local master branch, he can submit the code with the command "git push origin", which bypasses the code review process and merges into the origin master branch directly.
Since I have a DENY push for /ref/heads/*, why is the user still able to perform "git push origin"?

Seb

Sven Selberg

Jun 17, 2025, 5:18:56 AM
to Repo and Gerrit Discussion
Quote from the documentation:
"DENY is confusing because it only works on a specific (ref-pattern, group) pair.
The parent project can undo the effect of a DENY rule by introducing an extra rule which features a more general ref pattern or a different group."

Sebastian Auditore

Jun 17, 2025, 5:25:43 AM
to Repo and Gerrit Discussion
On Tuesday, June 17, 2025 at 5:18:56 PM UTC+8 Sven Selberg wrote:
Hi Sven,

I read this statement too. But it mentioned the parent project can undo the effect of DENY. But I am setting the DENY in the same project.

[access "refs/*"]
push = group developers

[access "refs/heads/*"]
        push = deny group Administrators
        push = deny group developers

While I have this in the All-Projects,

[access "refs/heads/*"]
push = allow group CI
push = deny group Registered Users

Seb

Sven Selberg

Jun 17, 2025, 5:41:06 AM
to Repo and Gerrit Discussion
First of all, you are opening up for a plethora of corner-cases and user-errors by allowing push on "refs/*" (one example is a user who claimed that Gerrit lost the branch he pushed; he had pushed to a ref outside the git and Gerrit ref-space, "refs/head/master").
I would recommend that you limit this to "refs/heads/*".

I don't fully understand DENY (since I have opted out of using it), but I believe this statement overrides the DENY on "refs/heads/*" as it isn't the exact same ref-pattern.

Luca Milanesio

Jun 17, 2025, 5:50:07 AM
to Repo and Gerrit Discussion, Luca Milanesio
I was about to ask why you want to use a non-exclusive DENY rule and not a BLOCK?

The DENY can be overridden, in the same project or in a different project.
In your case, you have the permission to push to ‘refs/*’ therefore it is overridden.

If you set *exclusive* then it means that rule has priority for that group.


[access "refs/*"]
push = group developers

First of all, you are opening up for a plethora of corner-cases and user-errors by allowing push on "refs/*" (one example is a user who claimed that Gerrit lost the branch he pushed; he had pushed to a ref outside the git and Gerrit ref-space, "refs/head/master").
I would recommend that you limit this to "refs/heads/*".

I don't fully understand DENY (since I have opted out of using it), but I believe this statement overrides the DENY on "refs/heads/*" as it isn't the exact same ref-pattern.

Exactly, what’s your answer?

Luca.

 

[access "refs/heads/*"]
        push = deny group Administrators
        push = deny group developers

While I have this in the All-Projects,

[access "refs/heads/*"]
push = allow group CI
push = deny group Registered Users

Seb
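To make Sven's and Luca's explanation concrete, here is a small model of the rule resolution described in this thread. It is an added example written for this thread, not Gerrit's own code: it implements the ordering quoted from the documentation (most specific ref pattern first, originating project before its parents for equal patterns), the "DENY only acts on one (ref-pattern, group) pair" behaviour, and the Exclusive toggle. Two things are assumptions beyond what the thread states: a BLOCK for one of the user's groups always wins (Gerrit's same-section ALLOW exception to BLOCK is not modelled), and pattern specificity is approximated by the length of the literal prefix before the first "*". The project, group and ref names are the ones from Seb's posts; `Rule`, `can_perform` and `scenarios` are names chosen here.

```python
"""Toy model of how Gerrit resolves ALLOW / DENY / BLOCK rules (constructed
example for this thread, not Gerrit's code).  Sections are visited from the
most specific ref pattern to the most general; for equal patterns the project
comes before its parents.  The first rule seen for a (ref-pattern, group) pair
wins, so a DENY on "refs/heads/*" says nothing about an ALLOW on "refs/*".
An exclusive section stops evaluation of everything after it.
Assumption: BLOCK always wins (the same-section ALLOW exception is not modelled).
"""
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    project: str
    ref_pattern: str
    permission: str
    action: str              # "allow", "deny" or "block"
    group: str
    exclusive: bool = False  # the "Exclusive" toggle of this section's permission


def _specificity(pattern: str) -> int:
    """Approximation: longer literal prefix = more specific ("refs/heads/*" beats "refs/*")."""
    return len(pattern.split("*", 1)[0])


def _matching(rules, project_chain, ref, permission):
    return [r for r in rules
            if r.permission == permission and r.project in project_chain
            and fnmatchcase(ref, r.ref_pattern)]


def effective_rules(rules, project_chain, ref, permission):
    """Rules that survive (ref-pattern, group) shadowing and the exclusive flag."""
    matching = _matching(rules, project_chain, ref, permission)
    sections = sorted({(r.project, r.ref_pattern) for r in matching},
                      key=lambda s: (-_specificity(s[1]), project_chain.index(s[0])))
    seen, kept = set(), []
    for project, pattern in sections:
        section = [r for r in matching if (r.project, r.ref_pattern) == (project, pattern)]
        for r in section:
            # A child's DENY hides a parent's ALLOW on the same pair, and nothing else.
            if (pattern, r.group) not in seen:
                seen.add((pattern, r.group))
                kept.append(r)
        if any(r.exclusive for r in section):
            break  # exclusive: less specific sections and parent projects are ignored
    return kept


def can_perform(rules, user_groups, project_chain, ref, permission):
    """True if a member of `user_groups` may perform `permission` on `ref`."""
    # Assumption: a BLOCK for any of the user's groups is never overridden.
    if any(r.action == "block" and r.group in user_groups
           for r in _matching(rules, project_chain, ref, permission)):
        return False
    return any(r.action == "allow" and r.group in user_groups
               for r in effective_rules(rules, project_chain, ref, permission))


# The ACL from the thread: Project A inherits from All-Projects.
CHAIN = ["ProjectA", "All-Projects"]
DEVELOPER = {"developers", "Registered Users"}   # constructed: every user is a Registered User
REF = "refs/heads/master"
AS_POSTED = [
    Rule("ProjectA", "refs/*", "push", "allow", "developers"),
    Rule("ProjectA", "refs/heads/*", "push", "deny", "Administrators"),
    Rule("ProjectA", "refs/heads/*", "push", "deny", "developers"),
    Rule("All-Projects", "refs/heads/*", "push", "allow", "CI"),
    Rule("All-Projects", "refs/heads/*", "push", "deny", "Registered Users"),
]


def scenarios():
    """Can a developer push straight to master under a few variants of the ACL?"""
    exclusive = [replace(r, exclusive=(r.project, r.ref_pattern) == ("ProjectA", "refs/heads/*"))
                 for r in AS_POSTED]
    block = [replace(r, action="block") if r.project == "ProjectA" and r.action == "deny" else r
             for r in AS_POSTED]
    without_general = [r for r in AS_POSTED if r.ref_pattern != "refs/*"]
    parent_same_pair = without_general + [
        Rule("All-Projects", "refs/heads/*", "push", "allow", "developers")]
    parent_other_group = [r for r in without_general if r.group != "Registered Users"] + [
        Rule("All-Projects", "refs/heads/*", "push", "allow", "Registered Users")]
    return {
        "as posted (ALLOW on refs/*)": can_perform(AS_POSTED, DEVELOPER, CHAIN, REF, "push"),
        "DENY section marked exclusive": can_perform(exclusive, DEVELOPER, CHAIN, REF, "push"),
        "BLOCK instead of DENY": can_perform(block, DEVELOPER, CHAIN, REF, "push"),
        "parent ALLOW on the same (pattern, group) pair": can_perform(parent_same_pair, DEVELOPER, CHAIN, REF, "push"),
        "parent ALLOW to a different group": can_perform(parent_other_group, DEVELOPER, CHAIN, REF, "push"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'push allowed' if allowed else 'push rejected'}")
```

Running it reproduces the thread: with the ACL as posted the developer's direct push is allowed, because the ALLOW on "refs/*" is a different (pattern, group) pair from the DENY; marking the "refs/heads/*" section exclusive, or using BLOCK instead of DENY, rejects it. The last two scenarios show the documentation quote from Sven's reply: a parent's ALLOW on the very same pair is shadowed by the child's DENY, but an ALLOW to a different group the user belongs to reopens the push.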
 

