Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 654662 - Please let recruiters to add new developers to gitolite
Summary: Please let recruiters to add new developers to gitolite
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Git (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-02 19:52 UTC by Mikle Kolyada (RETIRED)
Modified: 2018-06-25 16:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-02 19:52:00 UTC 
Hi!

The discussion was raised three years ago straight after git migration.
You (infra) promised us to take measures to let recruiters add new developers to the gitolite. Can it finally be implemented so we have full control over the proccess?

Thanks in advance!
Comment 1 Alec Warner (RETIRED) archtester gentoo-dev Security 2018-05-02 19:56:34 UTC 
(In reply to Mikle Kolyada from comment #0)
> Hi!
> 
> The discussion was raised three years ago straight after git migration.
> You (infra) promised us to take measures to let recruiters add new
> developers to the gitolite. Can it finally be implemented so we have full
> control over the proccess?
> 
> Thanks in advance!

I think mgorny has a script, so its mostly just:

1) Generating an identity for git-o-lite that has permissions to update configs.
2) Running the script as that identity via cron every $interval.

Then people just add themselves to LDAP and we are done for anything where permissions are sourced from fields in LDAP.

-A
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-05-02 21:07:37 UTC 
I personally don't see a problem with that.  The Overlays team members had to have extended permissions (not sure how far extended though), so I don't see why Recruiters wouldn't have them too.

Alternatively, if we want to pursue the wider split of responsibilities and having two pair of eyes on every action, then I guess Infra should do all the work on request from recruiters.  However, I personally don't think that it is necessary or really helpful to increase Infra workload there.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-03 11:11:46 UTC 
(In reply to Michał Górny from comment #2)
> I personally don't see a problem with that.  The Overlays team members had
> to have extended permissions (not sure how far extended though), so I don't
> see why Recruiters wouldn't have them too.
> 
> Alternatively, if we want to pursue the wider split of responsibilities and
> having two pair of eyes on every action, then I guess Infra should do all
> the work on request from recruiters.  However, I personally don't think that
> it is necessary or really helpful to increase Infra workload there.

Well, I thonk if recruiters get the access, we will not infra with this work anymore (like it was with CVS).
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-06-24 22:50:31 UTC 
Ping, lets just add every single recruiter to the @overlays-admin group, not to create the permissions mess
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-06-25 13:42:30 UTC 
ok, yet another look showed that recruiters will need different acl than overlays admins have
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-06-25 16:14:55 UTC 
Should be all done now.