Check API - permissions/authorisation

Andrew Donnellan andrew.donnellan at au1.ibm.com
Thu Jun 15 14:37:51 AEST 2017


On 07/06/17 02:28, Stephen Finucane wrote:
> On Tue, 2017-06-06 at 21:10 +1000, Daniel Axtens wrote:
>> Hi,
>>
>> One thing that has come up in discussions around CI and Patchwork is
>> permissions for the checks API.
>>
>> What permissions are required for a user to create a check?
>> I can't find anything in the docs to tell me for sure.
>>
>> I know that admin permissions are sufficient, and I have been
>> unreliably informed that maintainership is sufficient.
>
> At the moment, we rely on the 'Patch.is_editable' property to determine
> this. That property allows edits to patches if the user is
> authenticated and is either (a) the submitter of the patch, (b) the
> delegate of the patch, (c) a project maintainer, or (d) a superuser.
>
>> What actually is required? We probably want to make this reasonably
>> granular so that, for example, the 0-day bot can be given the ability
>> to create checks without needing people to trust them with any other
>> rights.
>
> We could probably loosen the above conditions: checks are associated
> with a user and, since we merged '6c0bbe1' and '3fc11fea', it is
> possible to distinguish which checks a user belongs to. Personally, I
> would like to use Django Admin's groups or permissions to tag users
> with CI permissions but this is a good chunk of work and smells of
> YAGNI. Something even simpler, like letting any registered user create
> a check, could do the job?

I'm a little bit uncomfortable with allowing anyone to create checks - 
the kernel in particular is a large enough project to have contributors 
who might be well-meaning but will go around contributing unhelpfully 
and just irritating maintainers. Some of those "contributors" may 
discover that they can now post checks which label minor static analysis 
warnings as failures...

Maybe that's a problem to solve when we start seeing it, but on the 
other hand we can expect to be stuck with people running 2.0 for a 
considerable length of time.

Russell was talking to mpe today to get the perspective of someone who
maintains a fairly important patchwork project; he wasn't overly
concerned if we required the user to be a maintainer for the time being.
It's a bit annoying to have to ask the patchwork admin to add a new
maintainer though.


-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan at au1.ibm.com  IBM Australia Limited
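
The three options discussed in this thread, modelled as an added example (not Patchwork's code and not written by anyone in the thread), showing for each policy who can create a check and what patch-edit rights come with it. The `create_check` permission name, the `User`/`Patch` classes and the sample accounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool = True
    superuser: bool = False
    maintains: frozenset = frozenset()  # projects this user maintains
    perms: frozenset = frozenset()      # hypothetical per-user permissions

@dataclass(frozen=True)
class Patch:
    project: str
    submitter: str
    delegate: Optional[str] = None

def is_editable(patch, user):
    """Rule as described in the thread: authenticated and one of (a)-(d)."""
    return user.authenticated and (
        user.name == patch.submitter or user.name == patch.delegate
        or patch.project in user.maintains or user.superuser)

def ci_permission(patch, user):
    """Hypothetical narrower rule; the name 'create_check' is an assumption."""
    return user.authenticated and (
        "create_check" in user.perms
        or patch.project in user.maintains or user.superuser)

# Candidate answers to "may this user create a check on this patch?"
POLICIES = {
    "current": is_editable,
    "any_registered": lambda patch, user: user.authenticated,
    "ci_permission": ci_permission,
}

def compare(patch, users):
    """Map policy -> user -> (can_create_check, can_edit_patch)."""
    return {pname: {u.name: (rule(patch, u), is_editable(patch, u)) for u in users}
            for pname, rule in POLICIES.items()}

# Constructed sample data, not taken from any real Patchwork instance.
PATCH = Patch(project="example-project", submitter="alice")
USERS = [
    User("bot-as-maintainer", maintains=frozenset({"example-project"})),
    User("bot-scoped", perms=frozenset({"create_check"})),
    User("drive-by"),
]

if __name__ == "__main__":
    for pname, rows in compare(PATCH, USERS).items():
        print(pname, rows)
```

Under the current rule a CI bot can only post checks if it is made a maintainer, which also lets it edit patches; the scoped permission gives it checks without edit rights while keeping the unprivileged registered account out.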


