Why my exclusive access does not work.


Yingchun Li

Jun 9, 2021, 4:14:24 AM
to Repo and Gerrit Discussion
Hi,
   I have a project (call it project A) that inherits its config from All-Projects.
   I would like to allow a specific group (named topic) to create branches in the special
domain refs/heads/tp/${username}/, and those branches should only be read/reviewed/submitted
by this special group. Following is my config:

project A:
...
[access "refs/heads/tp/${username}/*"]
exclusiveGroupPermissions = create delete label-Code-Review read submit
create = group topic
forgeCommitter = group topic
label-Code-Review = -2..+2 group topic
read = group bt-topic
submit = group topic
...
project All-projects:
...
[access "refs/*"]
read = group Administrators
read = group Registered Users
read = group Service Users
revert = group Registered Users
create = group Administrators

[access "refs/for/*"]
addPatchSet = group Registered Users
[access "refs/for/refs/*"]
push = group Registered Users
pushMerge = group Registered Users
abandon = group bt-developlers
[access "refs/heads/*"]
create = group Administrators
create = group Project Owners
editTopicName = +force group Administrators
editTopicName = +force group Project Owners
forgeAuthor = group Registered Users
forgeCommitter = group Administrators
forgeCommitter = group Project Owners
label-Code-Review = -2..+2 group Administrators
label-Code-Review = -2..+2 group Project Owners
label-Code-Review = -1..+1 group Registered Users
label-Code-Review = -1..+1 group Service Users
push = +force group Administrators
push = group Project Owners
submit = group Administrators
submit = group Project Owners
...
 My problem is that a normal user (named foo) who does not belong to group topic can read the branches refs/heads/tp/${username}/*.
  git clone ssh://foo@my-server:29418/project-A
  git branch -r
  shows something like:
  ... 
  remotes/origin/tp/bar/branch_A
  remotes/origin/tp/baz/branch_B
  ...
  I have used the 'Exclusive' flag, but it does not work; please give me some advice.

  Another issue is how to debug one user's access capabilities. Is there an administrator tool like set-project, gc, ...?
  My gerrit version is 3.3.0.

Br,
Yingchun

Sven Selberg

Jun 9, 2021, 5:21:06 AM
to Repo and Gerrit Discussion
Use Allow & Block in the same access section [1] instead of exclusive group permissions; you only need to block "read", since you need read for every other action.

[access "^refs/heads/tp/${username}/*"]
read = group bt-topic
read = block group Registered Users
create = group topic
forgeCommitter = group topic
label-Code-Review = -2..+2 group topic

Yingchun Li

Jun 9, 2021, 6:38:18 AM
to Repo and Gerrit Discussion
Thank you Sven,
    I have changed the setting according to your guide, but with no luck. After
the foo user clones and runs git branch -r, it still shows the branches in origin/tp/bar/xxx.
    Following is the whole config:
...
[access]
    inheritFrom = All-Projects
[submit]
    action = rebase if necessary
[project]
    description = software
[access "refs/*"]
    owner = group bt-admin
[access "refs/for/refs/*"]
    label-Code-Review = -2..+2 group developlers
[access "refs/heads/*"]
    label-Code-Review = -2..+2 group developlers
    submit = group bt-developlers
[receive]
    createNewChangeForAllNotInTarget = false
[access "refs/tags/*"]
    delete = group admin
[access "^refs/heads/tp/${username}/*"]
    read = group topic
    read = block group Registered Users
    create = group topic
    forgeCommitter = group topic
    label-Code-Review = -2..+2 group topic
    submit = group topic
...

    The user foo is a member of developers.
    According to section [1], it says:
   "
   When an access section of a project contains a 'BLOCK' and an 'ALLOW' rule for the same permission then this 'ALLOW' rule overrides the 'BLOCK' rule:
   "
   It seems the block is useless.

    Another strange thing is that when I look for the branch in .git/, there is only the master branch
 in refs/heads/, no other branch; if I grep for the branch, it shows up in objects/pack/pack-xxxx.
 Following is the log:

 jenkins@buildserver:~/temp/mcu-sw$ tree .git
 .git
├── branches
├── config
├── description
├── HEAD
├── hooks
│   ├── applypatch-msg.sample
│   ├── commit-msg.sample
│   ├── fsmonitor-watchman.sample
│   ├── post-update.sample
│   ├── pre-applypatch.sample
│   ├── pre-commit.sample
│   ├── pre-merge-commit.sample
│   ├── prepare-commit-msg.sample
│   ├── pre-push.sample
│   ├── pre-rebase.sample
│   ├── pre-receive.sample
│   └── update.sample
├── index
├── info
│   └── exclude
├── logs
│   ├── HEAD
│   └── refs
│       ├── heads
│       │   └── master
│       └── remotes
│           └── origin
│               └── HEAD
├── objects
│   ├── info
│   └── pack
│       ├── pack-aedcab917f2dd033ffe775d668c0e49d682a6262.idx
│       └── pack-aedcab917f2dd033ffe775d668c0e49d682a6262.pack
├── packed-refs
└── refs
    ├── heads
    │   └── master
    ├── remotes
    │   └── origin
    │       └── HEAD
    └── tags

[1] https://gerrit-review.googlesource.com/Documentation/access-control.html#__block_and_allow_rules_in_the_same_access_section

Sven Selberg

Jun 9, 2021, 6:47:05 AM
to Repo and Gerrit Discussion
On Wednesday, June 9, 2021 at 12:38:18 PM UTC+2 sword.l...@gmail.com wrote:
Thank you Sven,
    I have changed the setting according to your guide, but with no luck. After
the foo user clones and runs git branch -r, it still shows the branches in origin/tp/bar/xxx.

Yes, sorry, my bad. I didn't realize the ${username} substitution, it just blocks user "foo" from seeing tp/foo/something if foo is not a member of group topic.
You'll need two rules, one to block read and one to allow all other rules. Something similar to (untested):

[access "^refs/heads/tp/.*/.*"]
    read = group topic
    read = block group Registered Users

[access "^refs/heads/tp/${username}/*"]

Yingchun Li

Jun 9, 2021, 9:28:30 AM
to Repo and Gerrit Discussion
Used the two rules, but it still does not work; need more digging. Thanks anyway.

Yingchun Li

Jun 10, 2021, 3:23:57 AM
to Repo and Gerrit Discussion
Hi Sven,
     Finally it works; the setting is just as in your post:
...
[access "^refs/heads/tp/.*/.*"]
read = group bt-topic
read = block group Registered Users

[access "^refs/heads/tp/${username}/*"]
create = group bt-topic
forgeCommitter = group bt-topic
label-Code-Review = -2..+2 group bt-topic
submit = group bt-topic
...

 It seems the regular expression "^refs/heads/tp/.*/.*" is different from "^refs/heads/tp/*/*";
the latter does not work.

Sven Selberg

Jun 10, 2021, 3:37:19 AM
to Repo and Gerrit Discussion
On Thursday, June 10, 2021 at 9:23:57 AM UTC+2 sword.l...@gmail.com wrote:
Hi Sven,
     Finally it works; the setting is just as in your post:
...
[access "^refs/heads/tp/.*/.*"]
read = group bt-topic
read = block group Registered Users

[access "^refs/heads/tp/${username}/*"]
create = group bt-topic
forgeCommitter = group bt-topic
label-Code-Review = -2..+2 group bt-topic
submit = group bt-topic
...

Awesome

 It seems the regular expression "^refs/heads/tp/.*/.*" is different from "^refs/heads/tp/*/*".

Yes, access sections only support regexp, wildcard (as in begins-with) and exact match.

Yingchun Li

Jun 10, 2021, 4:04:10 AM
to Repo and Gerrit Discussion
Thanks Sven. Why can the exclusive flag not be used in this case?
IMO, the exclusive flag is more reasonable.

Yingchun Li

Jun 19, 2021, 3:52:01 AM
to Repo and Gerrit Discussion
Hi Sven and other experts,
      There are still two problems:
      1. When I added some items in ^refs/heads/tp/.*/.* and then saved
the config, there was an error message prompt:
"
An error occurred
Error 400 (Bad Request): com.google.gerrit.exceptions.InvalidNameException: Invalid Name: ^refs/heads/tp/.*/.*

Endpoint: /projects/*/access
"
    But I can configure the project with the local configuration file project.config.
    2. I cannot create/delete the specific user branch in the tp/${username}/* domain,
even though I added the create/delete/push references in "^refs/heads/tp/${username}/*". When I push
a branch, it still says I don't have the permission. After I add the 'create/push/delete' permission
in "^refs/heads/tp/.*/.*", I can push the branch, but I can push any branch in the
domain refs/heads/tp, e.g. refs/heads/tp/myname/test_branch, refs/heads/othername/test_branch.
Here are my configs:

[access "^refs/heads/tp/.*/.*"]
    create = group bt-topic
    delete = group bt-topic
    read = group bt-topic
    read = block group Registered Users
    push = group Administrators
    push = group bt-admin
    pushMerge = group Administrators

[access "^refs/heads/tp/${username}/*"]
    create = group bt-topic
    forgeCommitter = group bt-topic
    label-Code-Review = -2..+2 group bt-topic
    submit = group bt-topic
    delete = group bt-topic
    push = +force group bt-topic

Br,
Yingchun
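As an added illustration (not Gerrit's code and not posted in this thread), the small Python model below shows why the read block scoped to ${username} never applied to foo's view of tp/bar, and why "^refs/heads/tp/*/*" cannot match a branch name. It assumes the three pattern forms Sven names (exact, wildcard "begins with", "^" regexp), that a regexp has to match the whole ref name with ${username} substituted first, and a simplified ALLOW/BLOCK evaluation in which an ALLOW overrides a BLOCK only inside the same section.

```python
import re

# Added model, not Gerrit's code. Matches an access-section ref pattern
# against a ref name using the three forms named in the thread: exact match,
# wildcard "begins with" (trailing /*), and "^"-prefixed regular expression.
# Assumption: a regex must match the whole ref name, and ${username} is
# substituted with the requesting user's name before matching.
def ref_pattern_matches(pattern, ref, username):
    pattern = pattern.replace("${username}", username)
    if pattern.startswith("^"):
        return re.fullmatch(pattern[1:], ref) is not None
    if pattern.endswith("/*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern

# Simplified "read" evaluation: every matching section contributes its rules
# for the user's groups. An ALLOW overrides a BLOCK in the same section (as
# the linked documentation states); a BLOCK from any other matching section
# wins over ALLOWs found elsewhere.
def can_read(sections, ref, username, groups):
    allowed = blocked = False
    for pattern, rules in sections:
        if not ref_pattern_matches(pattern, ref, username):
            continue
        has_allow = any(kind == "allow" and grp in groups for kind, grp in rules)
        has_block = any(kind == "block" and grp in groups for kind, grp in rules)
        if has_allow:
            allowed = True
        elif has_block:
            blocked = True
    return allowed and not blocked

REGISTERED = "Registered Users"
# Constructed from the thread: the first attempt blocks only the user's own
# namespace, the working config blocks every tp/<user>/ namespace.
FIRST_ATTEMPT = [
    ("refs/*", [("allow", REGISTERED)]),  # read inherited from All-Projects
    ("^refs/heads/tp/${username}/*", [("allow", "topic"), ("block", REGISTERED)]),
]
WORKING = [
    ("refs/*", [("allow", REGISTERED)]),
    ("^refs/heads/tp/.*/.*", [("allow", "topic"), ("block", REGISTERED)]),
]

if __name__ == "__main__":
    foo = {REGISTERED}  # foo is not in group topic
    ref = "refs/heads/tp/bar/branch_A"
    print(can_read(FIRST_ATTEMPT, ref, "foo", foo))  # True: the block never matched
    print(can_read(WORKING, ref, "foo", foo))  # False
    print(ref_pattern_matches("^refs/heads/tp/*/*", ref, "foo"))  # False: "/*" is zero or more "/"
```

Under the same full-match assumption, "^refs/heads/tp/${username}/*" does not match a real branch such as refs/heads/tp/foo/test_branch either (the trailing "/*" is zero or more slashes), whereas the wildcard form "refs/heads/tp/${username}/*" does; that would be consistent with the second problem in the last post, although the thread does not confirm the cause.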