IIRC in the past setup there was a releng/fas group that was always allowed to push to branches even when they were retired. It might be cvsadmin. In the current setup it appears to me that I cannot push to retired branches/inactive branches according to pdc anymore. I am not sure if it is intended but I wanted to record this at some place to make sure that is an intended design.
According to https://docs.pagure.org/releng/sop_adding_new_release_engineer.html#adding-a-new-release-engineer it was cvsadmin in deed, it seems to be releng-team now. Not sure if this change is intended, so I keep this open for now.
Acccording to @ausil it is meant to be a tracking group, however I also noticed that it seems to grant administrative permissions in Bodhi according to ansible:
$ ag releng-team roles/fas_client/files/aliases.template 343:releng-team: ausil,mohanboddu,parasense roles/bodhi2/base/templates/production.ini.j2 438:important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig qa-tools-sig nodejs-sig lxqt-sig astro-sig 441:admin_packager_groups = provenpackager releng-team security_respons roles/bodhi2/base/templates/staging.ini.j2 400:important_groups = proventesters provenpackager releng-team security_respons packager bodhiadmin virtmaint-sig kde-sig eclipse-sig infra-sig gnome-sig python-sig robotics-sig 403:admin_packager_groups = provenpackager releng-team security_respons
https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/distgit/pagure/templates/pagure.cfg#n31
According to ansible/pagure.cfg, sysadmin-main is the admin group for distgit pagure, shouldn't this be cvsadmin as well?
Here is another evidence that the admin group for distgit used to be cvsadmin: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/distgit/templates/genacls.pkgdb#n24
Where is the admin group for pagure-distgit defined on the git level?
/srv/git/.gitolite/conf/gitolite.conf contains in the beginning @admins = acarter ausil katec kellin kevin limb maxamillion mohanboddu parasense pbrobinson puiterwijk ralph rlaliber which seems to be the list of releng-team members. How is this line created? I do not find this in ansible.
@admins = acarter ausil katec kellin kevin limb maxamillion mohanboddu parasense pbrobinson puiterwijk ralph rlaliber
@ralph @pingou could you maybe explain the situation? What needs to be done to sort this out?
shouldn't this be cvsadmin as well?
This would require a FBR, want to propose it?
There is a fedmsg consumer that generates the list of groups and their members into a file, file that is then incorporated into the gitolite.conf file when pagure updates it.
shouldn't this be cvsadmin as well? This would require a FBR, want to propose it?
Yes, I would like to. Will this also fix https://pagure.io/releng/issue/7061 ?
Where is the admin group for pagure-distgit defined on the git level? There is a fedmsg consumer that generates the list of groups and their members into a file, file that is then incorporated into the gitolite.conf file when pagure updates it.
Where is the FAS group configured that is used to populate the gitolite @admin group? From the list of members it seems to be releng-team but I do not find releng-team in ansible in any configuration related to dist-git-pagure.
@admin
releng-team
The fedmsg consumer is: https://github.com/fedora-infra/fedmsg-genacls/ you can see the admin groups in the code, it's defined as the releng-team indeed.
The configuration for the pagure admin is now changed: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=2b18be91ed3854fef4b3a47ec9a49eb095dfedd8
fedmsg-genacls still needs to be adjusted, therefore I keep this open.
Should we still keep this open?
I think this is now the case, so I'm going to close this ticket as Fixed.
Feel free to re-open this one or open a new one if you disagree or find problems with it.
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.