Learn more about these different git repos.
Other Git URLs
Currently if you try and make a bodhi buildroot override with any of the packages in the 'secure-boot' koji permission it fails with a:
"Override : Unable to save buildroot override: policy violation (tag)"
This is because the bodhi user doesn't have 'secure-boot' perms in koji and the hub permissions require that to tag a package in that list.
Options to fix:
Grant bodhi the 'secure-boot' permission. This should fix this issue, but is it granting it too many perms?
Adjust the koji hub permissions so that bodhi is allowed to add secure-boot packages only to *override tags.
Some other solution.
Note that bodhi does have the 'admin' permission in koji currently, so it could also just --force the tag, but it's desired to actually remove this permission from bodhi so I didn't list that as a solution.
Metadata Update from @kevin: - Issue set to the milestone: Fedora 25 Alpha - Issue tagged with: meeting
we will make a chaneg to the hug policy https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n112 to allow bodhi to tag the packages into overrides tags
Metadata Update from @ausil: - Issue untagged with: meeting - Issue close_status updated to: None
bit late but https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/BIWA4VQLDF3AZIHSKVLFUQM34N64ZORO/ sent in a patch for review
Metadata Update from @ausil: - Issue assigned to ausil
@mohanboddu will confirm that this is fixed with @bowlofeggs
Metadata Update from @syeghiay: - Issue assigned to mohanboddu (was: ausil)
[10:35] ( Kellin) bowlofeggs: did mboddu get with you RE: https://pagure.io/releng/issue/6482 [10:38] ( bowlofeggs) Kellin: he did not, but i also have no way to know if that is fixed or not [10:38] ( bowlofeggs) Kellin: i don't have ACLs on any secure boot packages [10:41] ( Kellin) bowlofeggs: is this something we could test in staging environment? [10:42] ( bowlofeggs) Kellin: the staging environment does do BROs too, so yes in theory, but again i don't have ACLs
09:47 ( Kellin) so I have a question about something from yesterday 09:48 ( Kellin) bowlofeggs: who would give you the ACLs for secure boot packages? 10:26 ( bowlofeggs) Kellin: an admin of a secure boot package can presumably give ACLs to others 10:26 ( bowlofeggs) Kellin: or if you manage to add a new package to fedora that is a secure boot package for whatever reason, you become the admin 10:36 ( Kellin) bowlofeggs: so somehow I don't know that you personally want that, but maybe some kind of bodhi admin-ish account that can do it? 10:37 ( bowlofeggs) Kellin: i'm not sure what you mean - but yeah, i'm not trying to be a secure boot package maintainer 10:38 ( bowlofeggs) Kellin: i also don't know what you mean by "can do it" 11:22 ( nb) bowlofeggs, i believe releng has to give you secureboot perm in koji 11:23 ( bowlofeggs) Kellin: ^ 11:30 * Kellin blinks. OK, I will talk to mboddu and see if he knows that too hehe :) 11:30 ( Kellin) thanks nb
@mohanboddu says we can test giving ACLs in stage. He will update this ticket after testing.
@mohanboddu reports that this is working:
Wed Sep 28 16:15:55 2016 permission secure-boot granted to bodhi by kevin [still active]
See https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n87
Closing ticket. Please reopen if issue still exists.
Metadata Update from @syeghiay: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.