Hey,
In a corporate setup, I’d like to grant all registered users read access to all users, /except/ for all users in the “External Users” group, which should only have read on repositories where explicitly allowed. Is this possible at all with the current mechanisms? What would be necessary to implement this if not?
Any hints appreciated…
Cheers,
Markus
--
Mit freundlichen Grüßen / Best regards
Markus Duft | Software Architect
SSI SCHÄFER | SSI Schäfer IT Solutions GmbH | Friesachstraße 15 | 8114 Friesach bei Graz | Austria
Phone +43 3127 200-575 | Fax +43 3127 200-22
Website | Blog | YouTube | Facebook
Hey,
Hmm, I can’t seem to get that to work. I also looked in the docs but cannot find any example. Note that I want to grant read to Registered Users globally (so on All-Projects), and at the same time deny read for External Users. This does not work as the ALLOW rule on Registered Users also matches the External Users….
Cheers,
Markus
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Any permission pros here?
Even with this, the user in the External Users group can see all projects:
[access "refs/*"]
read = group Non-Interactive Users
read = group Registered Users
read = block group ou/External Users
…
exclusiveGroupPermissions = read
Any hints. I get the feeling that this is not possible (which would be bad L). In this case – any hints if there are possibilities to put this into a custom plugin?
Cheers,
Markus
Hm,
I already have this actually:
All-Projects
products/All-Projects
infrastructure/All-Projects
projects/All-Projects
automation/All-Projects
I can block access for external user on all but automation/All-Projects. In there I would like to give members of External Users read permission individually (singleusergroup) per project. We have potentially hundreds of external users which are only allowed to see a single project while they are hired to work on this. automation/All-Projects should still allow any other (non External Users) user read permission somehow. I would like to avoid manual maintenance of all users on automation/* projects…
Cheers,
Markus
No good ideas anymore? I’m as far as thinking about a new group backend which provides a „Not-XZ“ group which is essentially „Registered Users minus XZ“. This has some other limitations though…
Hey,
Current issue is:
· Assume we have Registered Users which come from multiple domains, with a lot of different non-uniform groups. Usually, all of those users are employees which should be able to see and manipulate all of our repositories
· Then there is the External Users group which contains a manually maintained set of Users which should NOT be able to see any repositories, except those they have been manually granted access for.
I’d like to setup top-level default access rights which would accomplish the above. Grant read/push to Registered Users, but NOT to External Users, thus “grant read/push to group (Registered Users MINUS External Users)”.
Regards,
Markus
From: repo-d...@googlegroups.com [mailto:repo-d...@googlegroups.com]
On Behalf Of Eric Tsai
Sent: Monday, March 12, 2018 6:22 PM
To: Repo and Gerrit Discussion <repo-d...@googlegroups.com>
Subject: Re: Gerrit exlude a group in ACLs
Hi Markus,
It seems that your latest requirement (" I would like to give members of External Users read permission individually (singleusergroup) per project") is different from "Registered Users minus XZ".
What's your current issue?
Markus Duft於 2018年3月12日星期一 UTC+8下午5時22分17秒寫道:
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Thanks a lot, this does the trick J Just need an additional intermediate extra project…
Cheers,
Markus
From: repo-d...@googlegroups.com [mailto:repo-d...@googlegroups.com]
On Behalf Of Eric Tsai
Sent: Tuesday, March 13, 2018 10:01 AM
To: Repo and Gerrit Discussion <repo-d...@googlegroups.com>
Subject: Re: Gerrit exlude a group in ACLs
Hi Markus
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Oh no. Chimed too soon :D I have this setup:
All-Projects -> allow read for all
+ All-Projects-Ext -> block for External Users
+-- projects/XY -> allow read for group XY-Devs, owner: XY-Owners
Now when I put a user who is in the External Users group into the XY-Devs group as well, he still does not see the project. Also setting exclusive on the XY read permission for XY-Devs does not make the project visible..
Adding the user to the groups XY-Owners makes the project (and only this project) visible to the user, which would be what I want – I just don’t want External Users with restricted rights to be owners L Any permission I miss which must be given (except read)?
Cheers,
Markus
--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hey,
Sorry, I don’t get which block and which allow I should put in XY?
Registered Users: A, B, C
External Users: A, B
All-Projects -> allow read for Registered Users
+- All-Projects-Ext -> block for External Users
+-- projects/XY -> Allow for User A
+-- projects/YZ -> Allow for User B
+-- projects/ZZ -> No extra ACLs
projects/XY shall be visible for A and C
projects/YZ shall be visible for B and C
projects/ZZ shall be visible for C only (not an External User).
I hope that clarifies a little more?
Cheers,
Markus
From: repo-d...@googlegroups.com [mailto:repo-d...@googlegroups.com]
On Behalf Of Eric Tsai
Sent: Wednesday, March 14, 2018 7:20 AM
To: Repo and Gerrit Discussion <repo-d...@googlegroups.com>
Subject: Re: Gerrit exlude a group in ACLs
Put both block & allow in projects/XY, don't use All-Projects-Ext.
Markus Duft於 2018年3月13日星期二 UTC+8下午7時45分43秒寫道:
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hey,
Thanks for the clarification; this now does no longer what I wanted to achieve in the first place J I would like to allow read for all but External Users on as top-level as possible to avoid having ACLs per project in the default case… L
Cheers,
Markus
From: repo-d...@googlegroups.com [mailto:repo-d...@googlegroups.com]
On Behalf Of Eric Tsai
Sent: Wednesday, March 14, 2018 4:10 PM
To: Repo and Gerrit Discussion <repo-d...@googlegroups.com>
Subject: Re: Gerrit exlude a group in ACLs
Hi Markus,
Markus Duft於 2018年3月14日星期三 UTC+8下午4時18分39秒寫道:
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email repo-discus...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
SSI Schäfer IT Solutions GmbH | Friesachstrasse 15 | 8114 Friesach | Austria
Registered Office: Friesach | Commercial Register: 49324 K | VAT no. ATU28654300
Commercial Court: Landesgericht für Zivilrechtssachen Graz
--
--
To unsubscribe, email
repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
The 'BLOCK' rule blocks a permission globally. An inherited 'BLOCK' rule cannot be overridden in the inheriting project. Any 'ALLOW' rule, from a different access section or from an inheriting project, which conflicts with an inherited 'BLOCK' rule will not be honored.
Markus Duft於 2018年3月14日星期三 UTC+8下午4時18分39秒寫道:
--
--