| author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-05 17:42:21 +0000 |
|---|---|---|
| committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-13 15:09:27 +0000 |
| commit | 127f1f682b972b02df424e0f710bbb85224e781a (patch) | |
| tree | 3842461557245dc07e89c560b799263c74659d8d | |
| parent | 50f602fe6b12943a3847fb1925b1e5cb554bed97 (diff) | |
| download | infrastructure-127f1f682b972b02df424e0f710bbb85224e781a.tar.gz | |
gerrit: Add initial access control rules
These are implemented mostly using an Ansible playbook built on these
Ansible Gerrit modules I wrote: https://github.com/ssssam/ansible-gerrit
| -rw-r--r-- | README.mdwn | 36 |
|---|---|---|
| -rw-r--r-- | baserock_gerrit/All-Projects/groups | 8 |
| -rw-r--r-- | baserock_gerrit/All-Projects/project.config | 101 |
| -rw-r--r-- | baserock_gerrit/gerrit-access-config.yml | 141 |

4 files changed, 286 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn index c4a23628..6d9bfa61 100644 --- a/README.mdwn +++ b/README.mdwn @@ -232,6 +232,42 @@ Administrators group. You can add more users into the Administrators group later on using the [gerrit set-members] command, or the web interface. +Go to the settings page, 'HTTP Password' and generate a HTTP password for +yourself. You'll need it in the next step. The password can take a long time to +appear for some reason, or it might not work at all. Click off the page and +come back to it and it might suddenly have appeared. I've not investigated why +this happens. + +#### Access control rules + +Now set up the Gerrit access configuration. You'll need to have cloned +<https://github.com/ssssam/ansible-gerrit> alongside infrastructure.git, and ran +`make` in that directory. You'll also need 'pygerrit' installed somewhere +Python can find it. + + export GERRIT_URL=http://gerrit.baserock.org + export GERRIT_ADMIN_USERNAME=your username + export GERRIT_ADMIN_PASSWORD=your generated HTTP password + + ANSIBLE_LIBRARY=../ansible-gerrit \ + ansible-playbook baserock_gerrit/gerrit-access-config.yml + +As well as creating all the groups and initial users in the new Gerrit +instance, Ansible should update the file baserock_gerrit/All-Projects/groups, +which will be needed in the next step. + + git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/All-Projects.git /tmp/All-Projects + cp -a baserock_gerrit/All-Projects/* /tmp/All-Projects + cd /tmp/All-Projects + git checkout -b config + git commit -a -m "Set up initial access controls." + git push origin config:refs/meta/config + cd - + +#### Mirroring + +TO DO: link to document on setting up mirroring. + [gerrit set-members]: https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/cmd-set-members.html ### Storyboard diff --git a/baserock_gerrit/All-Projects/groups b/baserock_gerrit/All-Projects/groups new file mode 100644 index 00000000..f0d26cc9 --- /dev/null 
+++ b/baserock_gerrit/All-Projects/groups @@ -0,0 +1,8 @@ +# UUID Group Name +# +global:Anonymous-Users Anonymous Users +global:Project-Owners Project Owners +global:Registered-Users Registered Users + +# This file is filled in with the other group IDs by the +# gerrit-access-config.yml Ansible playbook. diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config new file mode 100644 index 00000000..6fc2d815 --- /dev/null +++ b/baserock_gerrit/All-Projects/project.config 
@@ -0,0 +1,101 @@ +# Top-level access controls for projects on Baserock Gerrit. + +# These can be overridden by a project's own project.config file. They are also +# overridden by the config of a project's parent repo, if it is set to something +# other than the default parent project 'All-Projects'. + +# Useful references: +# +# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html +# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst + +[project] + description = Access inherited by all other projects. + +[receive] + requireContributorAgreement = false + requireSignedOffBy = false + requireChangeId = true + +[submit] + mergeContent = true + +[capability] + administrateServer = group Administrators + priority = batch group Non-Interactive Users + streamEvents = group Non-Interactive Users + + createProject = group Mirroring Tools + +# Everyone can read everything. +[access "refs/*"] + read = group Administrators + read = group Anonymous Users + + +# Developers can propose changes. All 'Registered Users' are 'Developers'. 
+[access "refs/for/refs/*"] + push = group Developers + pushMerge = group Developers + + +[access "refs/heads/*"] + forgeAuthor = group Developers + rebase = group Developers + label-Code-Review = -2..+2 group Mergers + submit = group Mergers + label-Code-Review = -1..+1 group Reviewers + label-Verified = -1..+1 group Testers + + create = group Administrators + forgeCommitter = group Administrators + push = group Administrators + create = group Project Owners + forgeCommitter = group Project Owners + push = group Project Owners + + create = group Mirroring Tools + forgeAuthor = group Mirroring Tools + forgeCommitter = group Mirroring Tools + push = +force group Mirroring Tools + +[access "refs/tags/*"] + pushTag = group Release Team + pushSignedTag = group Release Team + + pushTag = group Administrators + pushSignedTag = group Administrators + pushTag = group Project Owners + pushSignedTag = group Project Owners + + create = group Mirroring Tools + push = +force group Mirroring Tools + pushTag = +force group Mirroring Tools + pushSignedTag = +force group Mirroring Tools + + +# Changing project configuration is allowed for Administrators only. (In theory +# anyone who owns a project can change its permissions, but right now all +# projects should be owned by the Administrators group). +[access "refs/meta/config"] + exclusiveGroupPermissions = read + + read = group Administrators + push = group Administrators + read = group Project Owners + push = group Project Owners + +[label "Code-Review"] + function = MaxWithBlock + copyMinScore = true + value = -2 Do not merge + value = -1 This patch needs further work before it can be merged + value = 0 No score + value = +1 Looks good to me, but someone else must approve + value = +2 Looks good to me, approved + +[label "Verified"] + function = MaxWithBlock + value = -1 Failed + value = 0 No score + value = +1 Verified 
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml new file mode 100644 index 00000000..a321e421 --- /dev/null +++ b/baserock_gerrit/gerrit-access-config.yml 
@@ -0,0 +1,141 @@ +# Baserock Gerrit access controls, and predefined users, groups and projects. +# +# This Ansible playbook requires the ansible-gerrit modules: +# +# https://www.github.com/ssssam/ansible-gerrit +# +# These modules depend on pygerrit: +# +# https://www.github.com/sonyxperiadev/pygerrit/ + +# - +- hosts: localhost + tasks: + # System groups: + # - Anonymous Users + # - Change Owner + # - Project Owners + # - Registered Users + + # Prefined groups: + # - Administrators + # - Non-Interactive Users + + - gerrit_group: + name: Administrators + register: administrators_group + + - gerrit_group: + name: Non-Interactive Users + register: non_interactive_users_group + + # The 'owner' of a group defines who can modify that group. Users + # who are in the 'owner' group for a group 'Groupies' can add and remove + # people (and other groups) from 'Groupies' and can change the name, + # description and owner of 'Groupies.' Since we don't want the + # names, descriptions or owners of these predefined groups being + # changed, they are all left owned by the Administrators group. + + - gerrit_group: + name: Developers + description: Registered users who choose to submit changes for consideration. + owner: Administrators + included_groups: + - Registered Users + register: developers_group + + # Right now all Mergers are in the Release Team by default. + - gerrit_group: + name: Release Team + description: Developers who can tag releases + owner: Administrators + register: release_team_group + + - gerrit_group: + name: Mergers + description: Developers who can trigger the actual merging of a change. 
+ owner: Administrators + included_groups: + - Release Team + register: mergers_group + + - gerrit_group: + name: Mirroring Tools + description: Programs that pull changes from external repositories into Gerrit's Git server + owner: Administrators + register: mirroring_tools_group + + - gerrit_group: + name: Reviewers + description: Registered users who choose to give +1 / -1 reviews to proposed changes. + owner: Administrators + included_groups: + - Registered Users + register: reviewers_group + + - gerrit_group: + name: Testers + description: Testers that can give +1 / -1 Verified to proposed changes. + owner: Administrators + register: testers_group + + # Non-interactive accounts. + + - gerrit_account: + username: firehose + fullname: Firehose integration bot + email: firehose@baserock.org + groups: + - Non-Interactive Users + - Developers + #ssh_key: xx + + - gerrit_account: + username: lorry + fullname: Lorry mirroring service + email: lorry@baserock.org + groups: + - Mirroring Tools + - Non-Interactive Users + #ssh_key: xx + + - gerrit_account: + username: mason + fullname: Mason automated tester + email: mason@baserock.org + groups: + - Non-Interactive Users + - Testers + #ssh_key: xx + + - name: create 'groups' mapping required by Gerrit + lineinfile: + create: yes + dest: All-Projects/groups + line: "{{ item.group_info.id }}\t{{ item.group_info.name }}" + with_items: + - "{{ administrators_group }}" + - "{{ non_interactive_users_group }}" + - "{{ developers_group }}" + - "{{ mergers_group }}" + - "{{ mirroring_tools_group }}" + - "{{ release_team_group }}" + - "{{ reviewers_group }}" + - "{{ testers_group }}" + + +# it'd be nice if this module existed... but it doesn't right now. You'll have +# to commit the files manually. 
+# +# - name: push access configuration for all repos +# git_commit_in_branch: +# repo: ssh://{{ env.GERRIT_ADMIN_USERNAME }}@{{ env.GERRIT_URL}}:29418/All-Projects +# ref: refs/meta/config +# source: All-Projects +# committer_name: Baserock Gerrit configuration scripts +# committer_email: admin@baserock.org +# commit_message: > +# Update global configuration. +# +# This commit was made by an Ansible playbook living in +# git://git.baserock.org/baserock/baserock/infrastructure. |
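Review bot: in the README hunk, the All-Projects push sequence never stages the copied files: `cp -a baserock_gerrit/All-Projects/* /tmp/All-Projects` drops `groups` and `project.config` into the clone as untracked files (All-Projects keeps its configuration on `refs/meta/config`, so there is nothing checked out to begin with), and `git commit -a` stages only already-tracked files, so the commit is empty and the push to `refs/meta/config` carries no configuration. Insert `git add groups project.config` before `git commit -a -m "Set up initial access controls."`. Two smaller points in the same hunk: `export GERRIT_ADMIN_PASSWORD=your generated HTTP password` leaves the admin credential in shell history and in the environment of every child process, so suggest `read -s GERRIT_ADMIN_PASSWORD; export GERRIT_ADMIN_PASSWORD` instead, and with `GERRIT_URL=http://gerrit.baserock.org` that password travels as cleartext HTTP basic auth, so the documented URL should be `https://` if the instance serves it. Wording: "and ran `make`" should read "and run `make`".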
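Review bot: in the new `All-Projects/groups` file, the separator between UUID and name on the three hand-written lines (`global:Anonymous-Users Anonymous Users` and the two below it) has to be a literal tab, because Gerrit reads this file as `<uuid>\t<name>` and the playbook's `lineinfile` task appends its lines with `\t`; the rendered diff cannot show whether a tab or spaces were committed, so please check the file with `cat -A` before pushing it to `refs/meta/config`. It would also help to state in the trailing comment that the playbook-generated lines are instance-specific (group UUIDs differ between Gerrit installations) and should not be copied to another deployment.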
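Review bot: in `project.config`, the `[access "refs/heads/*"]` and `[access "refs/tags/*"]` sections grant Mirroring Tools `push = +force` together with `forgeAuthor`/`forgeCommitter`, and `[capability]` adds `createProject` for the same group; because this is All-Projects, every repository on the instance inherits those rules, so the single `lorry` service account that the playbook places in Mirroring Tools can rewrite or delete any branch or tag of any project, not only the mirrored ones. Suggest moving the `+force` and forge grants into a dedicated parent project that only mirrored repositories inherit from (leaving All-Projects without them), or, if instance-wide force push is deliberate, saying so in the header comment so the next reader does not treat it as an oversight. Minor: the comment above `[access "refs/meta/config"]` says configuration changes are "allowed for Administrators only", but the section also grants `read` and `push` to Project Owners; the parenthetical explains the intent, but the first sentence should match the rules that follow it.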
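Review bot: in `gerrit-access-config.yml`, the `create 'groups' mapping required by Gerrit` task uses `lineinfile` without a `regexp`, so it only checks whether the exact `<uuid>\t<name>` line is already present and appends otherwise; rerunning the playbook against a rebuilt instance (fresh UUIDs) or after a group rename leaves stale lines in `All-Projects/groups` that Gerrit will resolve to groups that no longer exist. Adding `regexp: '\t{{ item.group_info.name }}$'` to the task makes each group's line be replaced in place instead. Two more points in the same hunk: the three `#ssh_key: xx` placeholders mean `firehose`, `lorry` and `mason` are created without SSH keys, and since `lorry` lands in Mirroring Tools (which gets force push on all branches in the accompanying `project.config`) the header comment should say how and where those keys are provisioned; and the stray `# -` comment line above `- hosts: localhost` can go. Typo: "Prefined groups" should read "Predefined groups".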