Re: GitLab AMA Topic Discussion: Permissions & Access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 28, 2020 at 09:56:11AM -0400, Neal Gompa wrote:
> On Wed, Oct 28, 2020 at 8:57 AM Pierre-Yves Chibon <pingou@xxxxxxxxxxxx> wrote:
> >
> > On Sun, Oct 25, 2020 at 09:17:04PM +0000, Aoife Moloney wrote:
> > > Hi everyone,
> > >
> > > Thanks again for your involvement in the GitLab AMA session on IRC in
> > > September. As promised, this is the first of a 5-part series breaking
> > > down main topics that came up during the session. I will send a topic
> > > every week for discussion to both Fedora and CentOS devel lists. I
> > > have pulled the relevant questions and answers from the original
> > > hackmd doc into one email. If you would like to discuss this topic
> > > specifically, here might be a good place to do so. I dont consider
> > > myself technical enough to weigh in on details, but I am happy to
> > > facilitate as best I can via email. And more importantly (for me),
> > > learn from the discussion too.
> > >
> > > Here are some links to resources as well:
> > > * Questions and Answers hackmd link https://hackmd.io/RW8HahOeR7OJPON1dwuo3w
> > > * Chat log from session
> > > https://meetbot.fedoraproject.org/fedora-meeting-1/2020-09-10/ama_session_with_gitlab.2020-09-10-13.31.log.html
> > > * AMA Blog post
> > > https://communityblog.fedoraproject.org/gitlab-ama-follow-up/#more-9346
> > > * Here is this email in hackmd if you wish to view it there:
> > > https://hackmd.io/1pjX1cVnTjekOLVowj5UiQ?view
> > >
> > > ## Topic: Permission and Access
> > >
> > > - Question: Fedora has a group-based access system. People in the
> > > `packager` group have (commit) access to only the packages they
> > > maintain. People in the `provenpackager` group have (commit) access to
> > > all the active packages, but a few (for legal reason). People in the
> > > `releng` group have commit access to all the packages. Is this an
> > > access model that GitLab can support? If not, how would this work in a
> > > GitLab world? How would notifications work (Esp consider people in the
> > > `provenpackager` or `releng` group do not want to be notified for all
> > > the projects they have access to)?
> > >     - Answer: What I explored was something along the lines of :
> > >         - Packager → Using GitLab’s Maintainer or Developer role for
> > > the project they maintain (Maintainer have the ability to access
> > > project settings and change pretty much everything there, so that
> > > might be blocking here, Developer only have commit access, so we need
> > > another way to change some settings for Packagers)
> >
> > Considering the amount of settings we do not want packagers to change
> > (no-force-push, no-deletion, no FXX branch creation...), I agree that giving
> > maintainer access is likely not going to work for us and therefore it'll have to
> > be 'developer' access.
> >
> > >         - Co-Maintainer → Using GitLab’s Developer role (commit access)
> > >         - Proven-Packager → GitLab’s Developer role on all repo (expect 2)
> > >         - Release Engineer/Admin/etc .. → GitLab’s Owner role on all repos
> > >         - This is not an exact matching with what we currently have
> > > but should give us a way to experiment with this and look at what is
> > > acceptable or not.
> > >         - There is also a GitLab ticket
> > > (https://gitlab.com/gitlab-org/gitlab/-/issues/7626) to implement
> > > policies for the project that could give more granular control of
> > > permissions.
> >
> > So if this gets implemented, we would be able to pick and choose which settings
> > are available to developer and which are available to admins only, is that
> > correct?
> >
> 
> Maybe. I've been burned by GitLab scoping out all the actual things me
> and others ask for and building features that nobody wants and doesn't
> do enough. The Epic that replaced that issue
> (https://gitlab.com/groups/gitlab-org/-/epics/4168) seems to indicate
> that the implementation will mainly offer label and archive control
> and not much else.

So if this ticket/epic does not get us what we want, we'll need a proxy service
to add/remove users/groups to a project?
 
> > > - Question: Fedora supports the concept of a retired `project` (ie:
> > > archived) that no-one can commit to. Does GitLab have an equivalent
> > > concept? (The retired status is not something project admins can
> > > change)
> > >     - Answer: There is an option to have a “retired” group which is
> > > configured to have nobody with commit access. Then retiring a project
> > > would simply mean to move the project from the “rpm” group to
> > > “retired” group for example.
> > > There is also possibility to simply archive projects
> > > https://docs.gitlab.com/ee/user/project/settings/#archiving-a-project
> >
> > Does that mean that the URL of the project will change? (or are there redirects
> > that are automatically created?)
> > What if rpms/cockpit and container/cockpit both get retired? Can we do
> > retired/rpms/cockpit and retired/container/cockpit? Or should we do
> > retired/rpms_cockpit and retired/container_cockpit?
> >
> 
> The URL would change, there would automatically be redirects when
> projects are moved (though this is glitchy and has a few caveats).

May we assume the redirects work in both direction and clean themselves?

As in, upon retirement: rpms/cockpit -> retired/rpms/cockpit
and upon un-retirement: retired/rpms/cockpit -> rpms/cockpit (w/ the first
redirect being removed to avoid looping (been there, done that...))

> > I figure only admins can move project between groups or archive/unarchive
> > projects. That means we'll need a way for packagers to indicate their wish to
> > retire a project and then a bot to actually do it.
> >
> 
> Maintainer level and above can archive projects, since that means they
> have access to project settings. They also can move projects across
> groups that they have project creation rights (maintainer or above)
> in.

Sorry I phrased this incorrectly. It assumed that only admins have access to
maintainer level and above (based on the first section that we cannot have
packager have more than the developer level).

Thanks for pointing this out.

The point about needed automation through a proxy still stands though, no?

> > > - Question: Can project creation be restricted to a specific group of
> > > people in GitLab?
> > >     - Answer: Yes this can be configured at the instance level
> > > (https://gitlab.com/help/user/admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection)
> > > or at the group level
> > > (https://gitlab.com/help/user/group/index.md#default-project-creation-level)
> >
> > Does the instance level override the group level one? If not can group admins
> > change this setting?
> > If so, is there an access level in groups that allows to add/remove people from
> > a group without being allowed to toggle that setting?
> >
> > In other words, can we let the groups self-managed without "risking" someone
> > changing this configuration? Or do we need to figure out a process to add/remove
> > people to groups? (Like a ticketing system that is automatically process by a
> > bot)
> >
> 
> The inheritance order for most settings (in my experience) indicates
> that project settings override instance settings (as they are only
> defaults). For example, if you configure CI or issue tracking as off
> in the instance wide settings, projects can override this and turn
> them back on. Same goes for artifact archiving policies and other
> instance level settings for projects.

So another proxy needed to add/remove people from a group then I guess?

> > > - Question: Can project (main project, not fork) deletion be
> > > restricted to a specific group of people in GitLab? (ie: project
> > > owner/maintainer must not be allowed to delete a main project, they
> > > can delete their own fork of course)
> > >     - Answer: There is an issue
> > > https://gitlab.com/gitlab-org/gitlab/-/issues/233379 that could help
> > > with this by requiring an additional person approve the deletion &
> > > there’s a related issue
> > > https://gitlab.com/gitlab-org/gitlab/-/issues/227468 to create a list
> > > of authorized approvers for these types of changes (not MRs) that
> > > sounds aligned with this ask
> >
> > So we would need an admin person to delete a main project, that sounds fine.
> > What about forks though? Would we be able to let user delete their own fork
> > without supervision?
> >
> 
> Forks are not special in GitLab like they are in Pagure, so rules
> applied to main projects will apply to forks.

I'm starting to think that disabling project deletion to everyone but admins
and have another proxy service that let people request their fork to be deleted
may also be the way forward here.



Pierre
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux