Discussion:
Sandboxing per user
Claudio DeSouza
2018-12-03 12:31:53 UTC
Hi,

I'm trying to set up a sandbox namespace for user, very similar to what is
suggested in the following
link: https://review.openstack.org/Documentation/access-control.html#_project_access_control_lists

Basically, I'm trying to provide users their own namespace under
"refs/heads/sandbox/${username}/*" where they can do whatever they want.

The problem I'm running into is that I'm not able to put the username alias
on the entry lines for the sandbox. For instance, if I use admin as a user,
I get the following changes.

groups:

+user:admin user/Gerrit Admin (admin)


project.config:

[access "refs/heads/sandbox/${username}/*"]- exclusiveGroupPermissions = create push pushMerge read+ exclusiveGroupPermissions = create push read+ create = group user/Gerrit Admin (admin)+ push = group user/Gerrit Admin (admin)+ read = group user/Gerrit Admin (admin)
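Review bot: the added create, push and read lines grant to the single-account group user/Gerrit Admin (admin), so this section gives only that one account anything under refs/heads/sandbox/${username}/*. The ${username} in the ref pattern already limits each caller to the branch carrying their own username, so the grant can go to an ordinary group such as Registered Users. The hunk also drops pushMerge from exclusiveGroupPermissions; confirm that is intended, since pushMerge is then no longer exclusive to this section.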


I was thinking of manually editing that to ${username}, but I'm afraid that
might not work due to no referencing being made on the groups file.

May I please have some clarification on how to constrain this namespace
with ${username}.

Regards,

Claudio DeSouza
--
--
To unsubscribe, email repo-discuss+***@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
'Edwin Kempin' via Repo and Gerrit Discussion
2018-12-03 12:50:24 UTC
Post by Claudio DeSouza
Hi,
I'm trying to set up a sandbox namespace for user, very similar to what is
https://review.openstack.org/Documentation/access-control.html#_project_access_control_lists
Basically, I'm trying to provide users their own namespace under
"refs/heads/sandbox/${username}/*" where they can do whatever they want.
The problem I'm running into is that I'm not able to put the username
alias on the entry lines for the sandbox. For instance, if I use admin as a
user, I get the following changes.
+user:admin user/Gerrit Admin (admin)
[access "refs/heads/sandbox/${username}/*"]- exclusiveGroupPermissions = create push pushMerge read+ exclusiveGroupPermissions = create push read+ create = group user/Gerrit Admin (admin)+ push = group user/Gerrit Admin (admin)+ read = group user/Gerrit Admin (admin)
I was thinking of manually editing that to ${username}, but I'm afraid that
might not work due to no referencing being made on the groups file.
May I please have some clarification on how to constrain this namespace
with ${username}.
The ref should contain "${username}", e.g.
"refs/heads/sandbox/${username}/*"

but permissions should be assigned to a normal group, e.g. to the
"Registered Users" group.
Post by Claudio DeSouza
Regards,
Claudio DeSouza
Claudio DeSouza
2018-12-03 13:33:01 UTC
But that means any registered user is gonna be able to push/read code from
that workspace, no? I actually want those namespaces to be restricted to
each respective user. Am I missing something here?

Regards.
'Edwin Kempin' via Repo and Gerrit Discussion
2018-12-03 13:34:15 UTC
Post by Claudio DeSouza
But that means any registered user is gonna be able to push/read code from
that workspace, no? I actually want those namespaces to be restricted to
each respective user. Am I missing something here?
No, it should do what you intend to do.
Each group member should have the permission only for their own branch (the
branch where the username matches).
Post by Claudio DeSouza
Regards.
Claudio DeSouza
2018-12-03 13:44:51 UTC
Thanks, let me try.
Post by 'Edwin Kempin' via Repo and Gerrit Discussion
Post by Claudio DeSouza
But that means any registered user is gonna be able to push/read code
from that workspace, no? I actually want those namespaces to be restricted
to each respective user. Am I missing something here?
No, it should do what you intend to do.
Each group member should have the permission only for their own branch (the
branch where the username matches).
Post by Claudio DeSouza
Regards.
Claudio DeSouza
2018-12-03 15:00:17 UTC
I'm afraid this is not the case.

I have the following setting:

[access "refs/heads/sandbox/${username}/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users

This doesn't prevent user A from pushing code into user B's sandbox.
'Edwin Kempin' via Repo and Gerrit Discussion
2018-12-03 15:02:47 UTC
Post by Claudio DeSouza
I'm afraid this is not the case.
[access "refs/heads/sandbox/${username}/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users
This doesn't prevent user A from pushing code into user B's sandbox.
Do you have any other permissions?
E.g. permissions on refs/* or refs/heads/* that maybe grant this push (also
check on the parent projects).
Claudio DeSouza
2018-12-03 15:19:28 UTC
Hi Edwin,

This is on All-Projects. I do have permissions in the parent path that I
believe might be the cause of the issue, based on your question. Take a
look:

[access "refs/heads/sandbox/${username}/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users
[access "refs/heads/sandbox/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users
submit = group Registered Users
delete = group Registered Users

So, if I follow what you're saying, the path above is granting access to
the internal path. In that case, what should I do to prevent that
inheritance from happening?
'Edwin Kempin' via Repo and Gerrit Discussion
2018-12-03 15:21:37 UTC
Post by Claudio DeSouza
Hi Edwin,
This is on All-Projects. I do have permissions in the parent path that I
believe might be the cause of the issue, based on your question. Take a
[access "refs/heads/sandbox/${username}/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users
This grants each user access to their own refs/heads/sandbox/${username}/*
branch.
Post by Claudio DeSouza
[access "refs/heads/sandbox/*"]
create = group Registered Users
push = +force group Registered Users
read = group Registered Users
submit = group Registered Users
delete = group Registered Users
This grants all users access to all refs/heads/sandbox/* branches,
including all refs/heads/sandbox/${username}/* branches.
Post by Claudio DeSouza
So, if I follow what you're saying, the path above is granting access to
the internal path. In that case, what should I do to prevent that
inheritance from happening?
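An added example, not part of the thread or of Gerrit itself: a small Python audit that reads project.config text and reports every broader access section whose grants also reach each ${username} namespace, which is the overlap described in the reply above. It assumes plain prefix patterns ending in /* and ignores regex refs, deny/block rules, exclusiveGroupPermissions and parent-project inheritance; the function names are hypothetical.

```python
import re

# Constructed sample: the two sections quoted in the thread.
SAMPLE = '''
[access "refs/heads/sandbox/${username}/*"]
    create = group Registered Users
    push = +force group Registered Users
    read = group Registered Users
[access "refs/heads/sandbox/*"]
    create = group Registered Users
    push = +force group Registered Users
    read = group Registered Users
    submit = group Registered Users
    delete = group Registered Users
'''
SECTION = re.compile(r'^\[access "(.+)"\]$')
GRANT = re.compile(r'^(\w+)\s*=\s*(?:\+force\s+)?group\s+(.+)$')

def parse_access(text):
    """Return {ref_pattern: set((permission, group))} for each access section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        g = GRANT.match(line)
        if m:
            current = sections.setdefault(m.group(1), set())
        elif g and current is not None:
            current.add((g.group(1), g.group(2).strip()))
    return sections

def covers(broad, narrow):
    """True if prefix pattern `broad` (ending in /*) matches every ref under `narrow`."""
    return (broad != narrow and broad.endswith("/*")
            and narrow.startswith(broad[:-1]))

def find_bypasses(text):
    """List (user_pattern, broad_pattern, permission, group) for each overlapping grant."""
    sections = parse_access(text)
    hits = []
    for narrow in (r for r in sections if "${username}" in r):
        for broad, grants in sections.items():
            if covers(broad, narrow):
                hits += [(narrow, broad, p, g) for p, g in sorted(grants)]
    return hits

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE):
        print("%s is also covered by %s: %s granted to group %s" % hit)
```

Run against the sample, it flags all five grants in the refs/heads/sandbox/* section; with that section removed it reports nothing.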
Claudio DeSouza
2018-12-03 15:39:38 UTC
Fair enough, thanks for the reply.
Claudio DeSouza
2018-12-03 15:55:58 UTC
Ok, I've done a few tests, and even moved it to
"refs/heads/private/${username}/*" but it is still not working, so let me
ask what I actually want.

I want "refs/heads/private/${username}/*" to be visible only to that user,
so even project owners should be barred from seeing/changing these branches. How
do I enforce that, at that level?

Cheers,