Add a policy spec so that only package owners can tag builds
We recently had a requirement that builds of a particular package should
only be managed by package owners (owner derived from the [package,tag]
pair) (Just to clear any possible confusion, I do NOT mean the build
owner, but the package owner)
Initially, I had assumed that only package owners can schedule builds of
their package, but a quick look at the code yielded nothing to prove the
assumption. So, I created a random user and verified that he can build
and tag packages.
Then, I looked at whether I can write a policy to this effect. But, none
of the tests that were already there seemed to provide the
functionality. So, I hacked up a patch to add a test.
With this patch in place, I can add a line like "is_package_owner :: allow"
to allow only package owners to build. The policy spec in
my /etc/koji-hub/hub.conf looks like this now:
has_perm admin :: allow
is_package_owner :: allow
all :: deny
Do let me know whether it is sane and makes sense.
(The patch is NOT taken against the git HEAD, but it should apply easily
with some fuzz)
From f10b458131c5a1aa75f97e2cb458051630918f04 Mon Sep 17 00:00:00 2001
From: Jitesh Shah <firstname.lastname@example.org>
Date: Wed, 28 Oct 2009 17:20:01 +0530
Subject: [PATCH] Add own policy spec
diff --git a/hub/kojihub.py b/hub/kojihub.py
index a281b5e..ef1c364 100644
@@ -4443,6 +4443,26 @@ class IsBuildOwnerTest(koji.policy.BaseSimpleTest):
+ """Check if user owns the build"""
+ name = "is_package_owner"
+ def run(self, data):
+ build = get_build(data['build'])
+ pkg_id = get_package_id(koji.parse_NVR(build['nvr'])['name'], strict=True)
+ tag = get_tag(data['tag'])
+ pkgs = readPackageList(tagID=tag['id'], pkgID=pkg_id, inherit=True)
+ owner_id = pkgs.get(pkg_id,None)['owner_id']
+ owner = get_user(owner_id)
+ user = get_user(data['user_id'])
+ if owner_id == user['id']:
+ return True
+ if owner['usertype'] == koji.USERTYPES['GROUP']:
+ # owner is a group, check to see if user is a member
+ if owner['id'] in koji.auth.get_user_groups(user['id']):
+ return True
+ return False
"""Check if user is in group(s)
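Review bot: `pkgs.get(pkg_id,None)['owner_id']` raises a TypeError when the package is not in the tag's package list (even with inherit=True), because `get` then returns None; the test should return False there instead of erroring out, e.g. `pkg = pkgs.get(pkg_id)` followed by `if pkg is None: return False`. In the same vein, `data['build']` and `data['tag']` are read unconditionally, so the test can only be used in policies whose data carries both keys. Two smaller points: the docstring says "Check if user owns the build" while the test actually checks ownership of the package in the given tag, and as posted the hunk begins at the docstring with no `class IsPackageOwnerTest(koji.policy.BaseSimpleTest):` line and no indentation, which looks like mail mangling and will need restoring before the patch applies.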
Fedora-buildsys-list mailing list