Merge ~twom/launchpad:db-oci-policy-distribute-the-credentials into launchpad:db-devel

Proposed by Tom Wardill
Status: Merged
Approved by: Tom Wardill
Approved revision: 102a18997ac664f54f706af194ff57f39a9409d3
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~twom/launchpad:db-oci-policy-distribute-the-credentials
Merge into: launchpad:db-devel
Diff against target: 17 lines (+11/-0)
1 file modified
database/schema/patch-2210-24-0.sql (+11/-0)
Reviewer Review Type Date Requested Status
William Grant db Approve
Ioana Lasc (community) Approve
Review via email: mp+395770@code.staging.launchpad.net

Commit message

Add OCI Credentials field to Distribution

Ioana Lasc (ilasc) wrote :

LGTM

review: Approve
William Grant (wgrant) wrote :

Is there a spec for this? What does "in this distribution" mean, given that normal users can create recipes under a distribution's OCI projects?

review: Needs Information (db)
Tom Wardill (twom) wrote :

> Is there a spec for this? What does "in this distribution" mean, given that
> normal users can create recipes under a distribution's OCI projects?

This is the latest iteration of: https://docs.google.com/document/d/16iPKUri4hn3ezMm4Q5j27EwdZEqYnD3LJgsqJiqvhWo/edit

Creating OCI Projects within a Distribution is limited to the OCI Project Admins (or can be, via feature flag), so it's not open to everyone.

Tom Wardill (twom) wrote :

> > Is there a spec for this? What does "in this distribution" mean, given that
> > normal users can create recipes under a distribution's OCI projects?
>
> This is the latest iteration of: https://docs.google.com/document/d/16iPKUri4hn3ezMm4Q5j27EwdZEqYnD3LJgsqJiqvhWo/edit
>
> Creating OCI Projects within a Distribution is limited to the OCI Project
> Admins (or can be, via feature flag), so it's not open to everyone.

Replacing https://code.launchpad.net/~twom/launchpad/+git/launchpad/+merge/394958 in line with the direction of the spec.

William Grant (wgrant) wrote :

AIUI anyone can create an OCIRecipe inside an OCIProject, so isn't setting credentials on a whole OCIProject dangerous?

review: Needs Information (db)
Tom Wardill (twom) wrote :

Using the distribution credentials is limited to 'official' recipes (in https://code.launchpad.net/~twom/launchpad/+git/launchpad/+merge/395984).
Setting an official recipe requires `userIsRecipeAdmin`, which results in `pillar.canAdministrateOCIProjects`.

So a normal user can create a recipe, but that will be a 'build only' recipe and will not result in it being pushed to a registry.
Only a recipe being set to official will result in a push.

William Grant (wgrant) :
review: Approve (db)
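
The gate described in the thread above, as a simplified Python model added here as an example; it is not Launchpad code. Only `userIsRecipeAdmin` and `canAdministrateOCIProjects` are names from the thread; the classes, fields, `set_official`, `push_credentials_for` and the credential value are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Distribution:
    name: str
    oci_admins: set = field(default_factory=set)
    oci_credentials: Optional[str] = None  # hypothetical opaque handle

    def canAdministrateOCIProjects(self, user: str) -> bool:
        return user in self.oci_admins

@dataclass
class OCIRecipe:
    owner: str
    pillar: Distribution
    # init=False: a recipe can never be created already official.
    official: bool = field(default=False, init=False)

    def userIsRecipeAdmin(self, user: str) -> bool:
        # Per the thread, this resolves to the pillar-level admin check.
        return self.pillar.canAdministrateOCIProjects(user)

    def set_official(self, user: str, value: bool) -> None:
        # Promotion is the privilege boundary: it is what unlocks a push
        # with the distribution's credentials, so it is gated on admin.
        if not self.userIsRecipeAdmin(user):
            raise PermissionError(f"{user} may not change official status")
        self.official = value

def push_credentials_for(recipe: OCIRecipe) -> Optional[str]:
    """Distribution credentials for official recipes, else None (build only)."""
    return recipe.pillar.oci_credentials if recipe.official else None

def demo() -> list:
    # Constructed sample data (assumption, not from the page).
    distro = Distribution("sample-distro", {"admin"}, "cred-handle-0001")
    recipe = OCIRecipe(owner="alice", pillar=distro)
    results = [push_credentials_for(recipe)]       # build only
    try:
        recipe.set_official("alice", True)         # non-admin: refused
    except PermissionError:
        results.append("denied")
    results.append(push_credentials_for(recipe))   # still build only
    recipe.set_official("admin", True)
    results.append(push_credentials_for(recipe))   # now eligible to push
    return results

if __name__ == "__main__":
    print(demo())
```

The property worth a regression test in any real implementation is the third result: a failed promotion attempt must leave the recipe build-only.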
