Diffstat (limited to 'baserock_gerrit/gerrit-access-config.yml')
-rw-r--r-- | baserock_gerrit/gerrit-access-config.yml | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml
new file mode 100644
index 00000000..cb8c4fea
--- /dev/null
+++ b/baserock_gerrit/gerrit-access-config.yml
@@ -0,0 +1,159 @@
+# Baserock Gerrit access controls, and predefined users, groups and projects.
+#
+# This Ansible playbook requires the ansible-gerrit modules:
+#
+# https://www.github.com/ssssam/ansible-gerrit
+#
+# These modules depend on pygerrit:
+#
+# https://www.github.com/sonyxperiadev/pygerrit/
+#
+# If you want to change the configuration, just edit this script and rerun it,
+# as described in the README.
+#
+# This script currently doesn't handle committing changes to the access control
+# rules for the 'All-Projects' project. To set up or modify the access control
+# rules, you'll need to manually commit project.config (in the All-Projects
+# subdirectory) to the 'refs/meta/config' ref of the All-Projects repo in
+# Gerrit. The 'groups' file will need to list all the groups referenced in
+# project.config. This script will add the UUIDs of all groups listed below
+# to the All-Projects/groups file, so you don't have to create it manually.
+---
+- hosts: localhost
+ tasks:
+ # System groups:
+ # - Anonymous Users
+ # - Change Owner
+ # - Project Owners
+ # - Registered Users
+
+ # Prefined groups:
+ # - Administrators
+ # - Non-Interactive Users
+
+ - gerrit_group:
+ name: Administrators
+ register: administrators_group
+
+ - gerrit_group:
+ name: Non-Interactive Users
+ register: non_interactive_users_group
+
+ # The 'owner' of a group defines who can modify that group. Users
+ # who are in the 'owner' group for a group 'Groupies' can add and remove
+ # people (and other groups) from 'Groupies' and can change the name,
+ # description and owner of 'Groupies.' Since we don't want the
+ # names, descriptions or owners of these predefined groups being
+ # changed, they are all left owned by the Administrators group.
+
+ - gerrit_group:
+ name: Developers
+ description: Registered users who choose to submit changes for consideration.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: developers_group
+
+ # Right now all Mergers are in the Release Team by default.
+ - gerrit_group:
+ name: Release Team
+ description: Developers who can tag releases
+ owner: Administrators
+ included_groups:
+ - Mergers
+ register: release_team_group
+
+ - gerrit_group:
+ name: Mergers
+ description: Developers who can trigger the actual merging of a change.
+ owner: Administrators
+ register: mergers_group
+
+ - gerrit_group:
+ name: Mirroring Tools
+ description: Programs that pull changes from external repositories into Gerrit's Git server
+ owner: Administrators
+ register: mirroring_tools_group
+
+ - gerrit_group:
+ name: Reviewers
+ description: Registered users who choose to give +1 / -1 reviews to proposed changes.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: reviewers_group
+
+ - gerrit_group:
+ name: Testers
+ description: Testers that can give +1 / -1 Verified to proposed changes.
+ owner: Administrators
+ register: testers_group
+
+ # Non-interactive accounts.
+
+ - gerrit_account:
+ username: firehose
+ fullname: Firehose integration bot
+ email: firehose@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Developers
+ #ssh_key: xx
+
+ - gerrit_account:
+ username: lorry
+ fullname: Lorry mirroring service
+ email: lorry@baserock.org
+ groups:
+ - Mirroring Tools
+ - Non-Interactive Users
+ # FIXME: ansible-gerrit module should be able to handle a filename
+ # here, instead of needing this hack to read the contents.
+ ssh_key: "{{ lookup('file', '../keys/lorry-gerrit.key.pub') }}"
+
+ - gerrit_account:
+ username: mason
+ fullname: Mason automated tester
+ email: mason@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Testers
+ #ssh_key: xx
+
+ # It'd make more sense to do this in the mirroring-config.yml file, but
+ # then the admin would need to supply their Gerrit credentials to that
+ # playbook too (which is more tricky, because it doesn't run on
+ # 'localhost').
+ - name: repo to hold Lorry Controller mirroring configuration
+ gerrit_project:
+ name: local-config/lorries
+ description: Configuration for Lorry for mirroring from Trove
+
+ - name: create 'groups' mapping required by Gerrit
+ lineinfile:
+ create: yes
+ dest: All-Projects/groups
+ line: "{{ item.group_info.id }}\t{{ item.group_info.name }}"
+ with_items:
+ - "{{ administrators_group }}"
+ - "{{ non_interactive_users_group }}"
+ - "{{ developers_group }}"
+ - "{{ mergers_group }}"
+ - "{{ mirroring_tools_group }}"
+ - "{{ release_team_group }}"
+ - "{{ reviewers_group }}"
+ - "{{ testers_group }}"
+
+ - name: push access configuration for all repos
+ git_commit_and_push:
+ repo: "{{ ansible_env.GERRIT_ADMIN_REPO }}"
+ ref: refs/meta/config
+ files:
+ - ./All-Projects/groups
+ - ./All-Projects/project.config
+ strip_path_components: 1
+ commit_message: |
+ Update global project access control rules.
+
+ This commit was made by an Ansible playbook living in
+ git://git.baserock.org/baserock/baserock/infrastructure. |
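Review bot: The "create 'groups' mapping" task near the end of the hunk uses `lineinfile` with no `regexp`, so every run can only append: if a group is renamed or recreated with a new UUID in Gerrit, the stale `UUID\tname` line remains in All-Projects/groups and is pushed to refs/meta/config next to the new one, which is the file Gerrit uses to resolve the group names in project.config. Keying the line on the group id, `regexp: "^{{ item.group_info.id }}\t"`, makes the task replace rather than duplicate, and `create: yes` should be `create: true` for yamllint-clean booleans. The header comment states that project.config must be committed to refs/meta/config manually, yet the final `git_commit_and_push` task lists `./All-Projects/project.config` among the files it pushes, so one of the two appears stale and should be reconciled. That task also reads `ansible_env.GERRIT_ADMIN_REPO` with no preceding check, so an unset variable only surfaces as a templating failure after the groups file has already been rewritten.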