Re: Setting Project Owner in Gerrit


Shawn Pearce

Jun 13, 2012, 10:16:16 AM
to Peter Hancox, repo-d...@googlegroups.com
On Wed, Jun 13, 2012 at 7:14 AM, Peter Hancox <pha...@dtc.com.au> wrote:
> Is it possible to view / change the owner of a project?

Yes. Go to Admin > Projects > that project > Access. Modify (or add)
under refs/* the Owner permission to be the relevant group(s).

Project owners are those who own refs/* within that project... which
means they can modify the permissions for any reference in the
project.

Peter Hancox

Jun 13, 2012, 10:33:43 AM
to repo-d...@googlegroups.com, Peter Hancox

Thanks Shawn,

How do I actually make the change?  Can it be done through the web UI?

I've only just started looking at Gerrit (and Git for that matter). My user is the administrator and I'd already tried what you suggested but at the "All-Projects" level. However, tried it again on a particular project but can't see any difference.

Thought I might be able to access the information by clicking on the project under the "Admin" menu.  Possibly I'm missing something simple here due to my lack of understanding?


Shawn Pearce

Jun 13, 2012, 10:37:10 AM
to Peter Hancox, repo-d...@googlegroups.com
On Wed, Jun 13, 2012 at 7:33 AM, Peter Hancox <pha...@dtc.com.au> wrote:
> On Thursday, June 14, 2012 12:16:16 AM UTC+10, Shawn Pearce wrote:
>>
>> On Wed, Jun 13, 2012 at 7:14 AM, Peter Hancox <pha...@dtc.com.au> wrote:
>> > Is it possible to view / change the owner of a project?
>>
>> Yes. Go to Admin > Projects > that project > Access. Modify (or add)
>> under refs/* the Owner permission to be the relevant group(s).
>>
>> Project owners are those who own refs/* within that project... which
>> means they can modify the permissions for any reference in the
>> project.
>
>
> How do I actually make the change?  Can it be done through the web UI?

Yes.

What version of Gerrit are you running?

Peter Hancox

Jun 13, 2012, 10:43:49 AM
to repo-d...@googlegroups.com, Peter Hancox

Version 2.4 deployed as a WAR file under Tomcat 7 against PostgreSQL database.

Shawn Pearce

Jun 13, 2012, 11:01:44 AM
to Peter Hancox, repo-d...@googlegroups.com
On Wed, Jun 13, 2012 at 7:43 AM, Peter Hancox <pha...@dtc.com.au> wrote:
>
> Version 2.4 deployed as a WAR file under Tomcat 7 against PostgreSQL
> database.

You should be able to click the Edit button on a project's Access tab
to open the editor and modify access controls.

Peter Hancox

Jun 13, 2012, 3:57:52 PM
to repo-d...@googlegroups.com, Peter Hancox

I am able to open and modify the access controls for the project and for "All-Projects".  This works as I needed to alter these before I could review and verify a change.

However, even after making the changes to access control discussed earlier, I am unclear as to where I look to see who the current owner of a project is, and how to change it to someone else?

Martin Fick

Jun 13, 2012, 4:03:59 PM
to repo-d...@googlegroups.com, Peter Hancox
"Owner" is an "access control", it is an ACL category just
like "read" or "push" and you can assign it to multiple
groups:

https://gerrit-review.googlesource.com/Documentation/access-control.html#category_owner

-Martin


--
Employee of Qualcomm Innovation Center, Inc. which is a
member of Code Aurora Forum

Peter Hancox

Jun 13, 2012, 8:17:47 PM
to repo-d...@googlegroups.com, Peter Hancox

Ahhhh, just as I suspected. A fundamental misunderstanding on my part as to how this is implemented!!!

My goal was to configure access control so that project owners and administrators could accept, verify, and submit changes with as generic a rule set as possible.  i.e., put as much as possible into "All-Projects" and ideally nothing in the ACL for individual projects.

I now have access control defined for review, verify, submit allocated to "Project Owners" in "All-Projects". I also have "Owner" allocated to "Administrators" in "All-Projects". However, this doesn't work unless I have "Owner" allocated to "Administrators" for the specific project. i.e., everything appears to work as I thought it would (based on my new understanding), however, the "Owner" access control doesn't appear to be inheritable from "All-Projects"?

 

Shawn Pearce

Jun 13, 2012, 8:35:44 PM
to Peter Hancox, repo-d...@googlegroups.com
On Wed, Jun 13, 2012 at 5:17 PM, Peter Hancox <pha...@dtc.com.au> wrote:
>
> My goal was to configure access control so that project owners and
> administrators could accept, verify, and submit changes with as generic a
> rule set as possible.  i.e., put as much as possible into "All-Projects" and
> ideally nothing in the ACL for individual projects.
>
> I now have access control defined for review, verify, submit allocated to
> "Project Owners" in "All-Projects".  I also have "Owner" allocated to
> "Administrators" in "All-Projects".  However, this doesn't work unless I
> have "Owner" allocated to "Administrators"  for the specific project.  i.e.,
> everything appears to work as I thought it would (based on my new
> understanding), however, the "Owner" access control doesn't appear to be
> inheritable from "All-Projects"?

Correct.

You can work around this by making a new permissions-only project
named e.g. "Everything", put your Owner there, and then update the
parents for the relevant projects to be Everything using the
set-parent command over SSH.

Peter Hancox

Jun 13, 2012, 8:42:51 PM
to repo-d...@googlegroups.com, Peter Hancox

Is the fact that "Owner" access control doesn't inherit from "All-Projects" a bug or intended to be that way?

It's no great hassle for me to implement your proposed workaround or to just set it on each project as I already have. In reality I have less than half a dozen projects to deal with. Just wanted to understand how this is meant to work.

Thanks very much for your time on explaining things.

Shawn Pearce

Jun 13, 2012, 8:56:26 PM
to Peter Hancox, repo-d...@googlegroups.com
On Wed, Jun 13, 2012 at 5:42 PM, Peter Hancox <pha...@dtc.com.au> wrote:
>
> Is the fact that "Owner" access control doesn't inherit from "All-Projects"
> a bug or intended to be that way?

It's intended to be this way.

If you are owner on a project, you can edit that project's access controls.

The All-Projects project not only defines its own access controls, but
it defines the access controls for the entire server. If you have
owner on All-Projects, you are a de facto Administrator because you
can edit the access controls to determine what makes an Administrator.
So having Owner in All-Projects makes you an Administrator, perhaps
without the Administrators of the server realizing they have made you
an Administrator...

To prevent this the server ignores Owner permissions in All-Projects.

:-)
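
The inheritance rule and the "Everything" workaround from Shawn's two replies above, as an added example that is not part of the original thread and not Gerrit's own code: a simplified Python model that reads project.config-style text and resolves which groups hold Owner on a project, useful as an audit check for Owner grants in All-Projects that have no effect. It assumes Owner is granted only on refs/*; every project and group name other than All-Projects, Everything and Administrators is constructed.

```python
import re

ROOT = "All-Projects"

# Constructed sample data: project name -> project.config text.
# "Everything" is the permissions-only parent from the thread; the
# other project and group names are made up for illustration.
CONFIGS = {
    "All-Projects": '[access "refs/*"]\n\towner = group Administrators\n',
    "Everything": '[access "refs/*"]\n\towner = group Administrators\n',
    "tools/build": '[access]\n\tinheritFrom = Everything\n',
    "legacy/app": '[access "refs/*"]\n\towner = group Legacy Leads\n',
}

def parse_project_config(text):
    """Return (parent project, groups granted Owner on refs/*)."""
    parent, owners, section = ROOT, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r'\[(\w+)(?:\s+"(.*)")?\]', line)
        if header:
            section = header.groups()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == ("access", None) and key == "inheritFrom":
            parent = value
        elif section == ("access", "refs/*") and key == "owner":
            owners.add(re.sub(r"^group\s+", "", value))
    return parent, owners

def effective_owners(project, configs):
    """Owner groups for `project`, collected up the parent chain.

    Simplified model of the behaviour described in the thread: Owner
    grants stored in All-Projects are never applied to other projects.
    """
    owners, seen = set(), set()
    while project != ROOT and project not in seen:  # `seen` guards cycles
        seen.add(project)
        parent, local = parse_project_config(configs[project])
        owners |= local
        project = parent
    return owners

def ignored_root_owners(configs):
    """Owner grants in All-Projects: present in config, but without effect."""
    return parse_project_config(configs[ROOT])[1]
```
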

Peter Hancox

Jun 13, 2012, 9:11:43 PM
to repo-d...@googlegroups.com, Peter Hancox
Thought it might have been something like that.

Once again, many thanks for your assistance in boosting my understanding of how this all hangs together.

REGARDS
Peter