[Patch] Add a policy spec so that only package owners can tag builds

Jitesh Shah jiteshs at marvell.com
Wed Oct 28 13:08:25 UTC 2009


We recently had a requirement that builds of a particular package should
only be managed by package owners (owner derived from the [package,tag]
pair). (Just to clear any possible confusion, I do NOT mean the build
owner, but the package owner.)

Initially, I had assumed that only package owners can schedule builds of
their package, but a quick look at the code yielded nothing to prove the
assumption. So, I created a random user and verified that he can build
and tag packages. 

Then, I looked at whether I can write a policy to this effect. But, none
of the tests that were already there seemed to provide the
functionality. So, I hacked up a patch to add a test. 

With this patch in place, I can add a line like "is_package_owner :: allow"
to allow only package owners to build. The policy spec in
my /etc/koji-hub/hub.conf looks like this now:
tag = 
	has_perm admin :: allow
	is_package_owner :: allow
	all :: deny

Do let me know whether it is sane and makes sense. 
(The patch is NOT taken against the git HEAD, but it should apply easily
with some fuzz)

Jitesh

From f10b458131c5a1aa75f97e2cb458051630918f04 Mon Sep 17 00:00:00 2001
From: Jitesh Shah <jiteshs at marvell.com>
Date: Wed, 28 Oct 2009 17:20:01 +0530
Subject: [PATCH] Add own policy spec

Signed-off-by: Jitesh Shah <jiteshs at marvell.com>
---
 hub/kojihub.py |   20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/hub/kojihub.py b/hub/kojihub.py
index a281b5e..ef1c364 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -4443,6 +4443,26 @@ class IsBuildOwnerTest(koji.policy.BaseSimpleTest):
         #otherwise...
         return False
 
+class IsPackageOwnerTest(koji.policy.BaseSimpleTest):
+    """Check if user owns the build"""
+    name = "is_package_owner"
+    def run(self, data):
+        build = get_build(data['build'])
+        pkg_id = get_package_id(koji.parse_NVR(build['nvr'])['name'], strict=True)
+        tag = get_tag(data['tag'])
+        pkgs = readPackageList(tagID=tag['id'], pkgID=pkg_id, inherit=True)
+        owner_id = pkgs.get(pkg_id,None)['owner_id']
+        owner = get_user(owner_id)
+        user = get_user(data['user_id'])
+        if owner_id == user['id']:
+            return True
+        if owner['usertype'] == koji.USERTYPES['GROUP']:
+            # owner is a group, check to see if user is a member
+            if owner['id'] in koji.auth.get_user_groups(user['id']):
+                return True
+        #otherwise...
+        return False
+
 class UserInGroupTest(koji.policy.BaseSimpleTest):
     """Check if user is in group(s)
 
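Review bot: `owner_id = pkgs.get(pkg_id,None)['owner_id']` raises TypeError when the package is not in the tag's package list, because `.get` then returns None and the subscript is applied to it; a policy test should answer deny in that case, not turn into a hub error. Suggest `pkg = pkgs.get(pkg_id)` followed by `if pkg is None: return False` before reading `owner_id`. The docstring is also still the one from IsBuildOwnerTest ("Check if user owns the build"); it should say the test checks ownership of the package in the tag, which is the distinction the cover letter is careful to draw.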
-- 
1.6.0.3
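The following is an added, stand-alone model of the tag policy shown in the post (`has_perm admin :: allow`, `is_package_owner :: allow`, `all :: deny`) together with an `is_package_owner` test; it is not koji's code and not the patch itself. All users, groups, builds, tags and package lists are constructed in-memory tables standing in for the hub's database, and the function names (`package_owner`, `evaluate`) are this example's own. It goes slightly beyond the patch in that it returns a deny when the package is absent from the tag's inherited package list instead of raising, and it shows that the build owner and the package owner are distinct.

```python
"""Model of a koji-style tag policy with an is_package_owner test.

Added example with constructed data; not koji's own implementation.
"""

# Constructed data standing in for the hub's tables.
USERS = {
    1: {"id": 1, "name": "alice", "usertype": "NORMAL", "perms": {"admin"}},
    2: {"id": 2, "name": "bob", "usertype": "NORMAL", "perms": set()},
    3: {"id": 3, "name": "mallory", "usertype": "NORMAL", "perms": set()},
    10: {"id": 10, "name": "kernel-maint", "usertype": "GROUP", "perms": set()},
}
GROUP_MEMBERS = {10: {2}}  # group id -> member user ids (bob is in kernel-maint)
# Build owner (who submitted the build) is deliberately NOT the package owner.
BUILDS = {
    101: {"nvr": "kernel-2.6.31-1", "owner_id": 3},
    102: {"nvr": "bash-4.0-3", "owner_id": 3},
}
PACKAGES = {"kernel": 7, "bash": 8}
# tag id -> (parent tag id, {package id: owner id})
TAGS = {
    20: (None, {7: 10}),   # base tag: kernel owned by the group kernel-maint
    21: (20, {8: 2}),      # child tag: inherits kernel, adds bash owned by bob
    22: (None, {}),        # a tag with no package list at all
}
POLICY = """
has_perm admin :: allow
is_package_owner :: allow
all :: deny
"""


def package_owner(tag_id, pkg_id):
    """Walk the tag inheritance chain; None if the package is not listed."""
    while tag_id is not None:
        parent, pkgs = TAGS[tag_id]
        if pkg_id in pkgs:
            return pkgs[pkg_id]
        tag_id = parent
    return None


def is_package_owner(data):
    """True if the acting user owns (directly or via a group) the package
    of the build being tagged, as listed for the target tag."""
    build = BUILDS[data["build"]]
    name = build["nvr"].rsplit("-", 2)[0]  # name-version-release -> name
    pkg_id = PACKAGES.get(name)
    owner_id = package_owner(data["tag"], pkg_id) if pkg_id is not None else None
    if owner_id is None:
        return False  # package not in this tag's package list: no owner, deny
    user = USERS[data["user_id"]]
    if owner_id == user["id"]:
        return True
    owner = USERS[owner_id]
    if owner["usertype"] == "GROUP" and user["id"] in GROUP_MEMBERS.get(owner_id, set()):
        return True
    return False


def has_perm(data, perm):
    """True if the acting user holds the named permission."""
    return perm in USERS[data["user_id"]]["perms"]


TESTS = {
    "has_perm": has_perm,
    "is_package_owner": is_package_owner,
    "all": lambda data: True,
}


def evaluate(policy, data):
    """First 'test [args] :: action' line whose test passes decides;
    anything not matched falls through to deny."""
    for line in policy.strip().splitlines():
        test_expr, action = (part.strip() for part in line.split("::", 1))
        test_name, *args = test_expr.split()
        if TESTS[test_name](data, *args):
            return action
    return "deny"


if __name__ == "__main__":
    for user_id, build, tag in [(1, 101, 21), (2, 101, 21), (3, 101, 21), (2, 101, 22)]:
        data = {"build": build, "tag": tag, "user_id": user_id}
        print(USERS[user_id]["name"], BUILDS[build]["nvr"], "->", tag, evaluate(POLICY, data))
```

With this data, alice is allowed through `has_perm admin`, bob is allowed to tag the kernel build because he is a member of the owning group in the inherited package list, mallory is denied even though she owns the build itself, and tagging into the tag with no package list is a deny rather than an exception.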

