We recently had a requirement that builds of a particular package should only be managed by the package's owners, where the owner is derived from the [package, tag] pair. (To clear up any possible confusion: I do NOT mean the build owner, but the package owner.)
Initially, I had assumed that only package owners could schedule builds of their package, but a quick look at the code turned up nothing to support that assumption. So I created a random user and verified that this user could build and tag packages.
Then I looked at whether I could write a policy to this effect, but none of the existing policy tests seemed to provide the needed check. So I hacked up a patch to add one.
With this patch in place, I can add a rule like "is_package_owner :: allow" to allow only package owners to build. The policy spec in my /etc/koji-hub/hub.conf now looks like this: tag = has_perm admin :: allow is_package_owner :: allow all :: deny
Do let me know whether it is sane and makes sense. (The patch was NOT generated against git HEAD, but it should apply easily with some fuzz.)
Jitesh
From f10b458131c5a1aa75f97e2cb458051630918f04 Mon Sep 17 00:00:00 2001
From: Jitesh Shah jiteshs@marvell.com Date: Wed, 28 Oct 2009 17:20:01 +0530 Subject: [PATCH] Add own policy spec
Signed-off-by: Jitesh Shah jiteshs@marvell.com --- hub/kojihub.py | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/hub/kojihub.py b/hub/kojihub.py
index a281b5e..ef1c364 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -4443,6 +4443,26 @@ class IsBuildOwnerTest(koji.policy.BaseSimpleTest):
 #otherwise...
 return False
+class IsPackageOwnerTest(koji.policy.BaseSimpleTest):
+ """Check if user owns the build"""
+ name = "is_package_owner"
+ def run(self, data):
+ build = get_build(data['build'])
+ pkg_id = get_package_id(koji.parse_NVR(build['nvr'])['name'], strict=True)
+ tag = get_tag(data['tag'])
+ pkgs = readPackageList(tagID=tag['id'], pkgID=pkg_id, inherit=True)
+ owner_id = pkgs.get(pkg_id,None)['owner_id']
+ owner = get_user(owner_id)
+ user = get_user(data['user_id'])
+ if owner_id == user['id']:
+ return True
+ if owner['usertype'] == koji.USERTYPES['GROUP']:
+ # owner is a group, check to see if user is a member
+ if owner['id'] in koji.auth.get_user_groups(user['id']):
+ return True
+ #otherwise...
+ return False
+ class UserInGroupTest(koji.policy.BaseSimpleTest):
+ """Check if user is in group(s)
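Review bot: `pkgs.get(pkg_id,None)['owner_id']` in the new `run` dereferences None whenever the package has no entry in the tag's package list (even with inherit=True), so the policy test raises TypeError instead of returning an answer; an allow-test should fail closed with `pkg = pkgs.get(pkg_id)` / `if pkg is None: return False` / `owner_id = pkg['owner_id']`. If readPackageList also returns blocked entries, a blocked package presumably should not confer ownership either, so a `pkg.get('blocked')` check is worth considering, though that cannot be confirmed from the hunk. The docstring `"""Check if user owns the build"""` is copied from IsBuildOwnerTest and should read `"""Check if user owns the package in the tag (with inheritance)"""`. The cover letter wires this into the `tag` policy, which gates tagging rather than build submission itself, so confirm that matches the stated requirement.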
buildsys@lists.fedoraproject.org