fedora-infra / bodhi

Bodhi is a web-system that facilitates the process of publishing updates for a Fedora-based software distribution.
https://bodhi.fedoraproject.org
GNU General Public License v2.0

policy violation (tag) #522

Closed ralphbean closed 6 years ago

ralphbean commented 9 years ago

Sometimes, bodhi will throw this back at you if you try to edit an update that has certain packages in it.

I tracked it down today to our production koji policy here: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n79

tag = 
    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
    all :: allow

The bodhi user has the admin perm, but not the secure-boot perm, so it is unable to fiddle with tags on those packages.

I proposed to @ausil that we add an extra line at the top to let bodhi operate on these packages, like this:

tag = 
    has_perm admin && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
    all :: allow

Here's the log from IRC:

threebean │ dgilmore: ah, I see why it failed originally.                                                                                  
 dgilmore │ why?                                                                                                                           
threebean │ dgilmore: our koji tag policy in prod requires that you be in a special group for the fedora-release package (and a few others)
threebean │ the secure-boot group                                                                                                          
 dgilmore │ threebean: I am in that group in koji                                                                                          
 dgilmore │ threebean: bodhi is not and should not be in it                                                                                
 dgilmore │ threebean: but it does not affect tagging
 dgilmore │ it affects building
threebean │ I dunno man.. it's in the [tag] section in /etc/koji-hub/hub.conf                                                              
threebean │ dgilmore: line 79 here                                                                                                         
threebean │ https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n79                        
 dgilmore │ hrrm                                                                                                                           
 dgilmore │ threebean: sure                                                                                                                
threebean │ we could add an extra 'allow' at the top to let 'admin' do those things as well                                                
threebean │ just before the 'deny'                                                                                                         
 dgilmore │ the policy really does not do what we want                                                                                     
 dgilmore │ and we have a bodged up thing to try enforce things
 dgilmore │ threebean: it's okay for now
 dgilmore │ I will think about how best to do it                                                                                           
threebean │ so, we don't want to let 'admin' move those tags?                                                                              
 dgilmore │ admin can do anything                                                                                                                                  
threebean │ ...except when it's explicitly denied in the policy there ;p
threebean │ it seems pretty simple - we could just add another allow line at the top of that policy entry.
 dgilmore │ but you have to use --force I guess if you do not have explicit perms                                                          
 dgilmore │ well realistically we actually want to stop people doing real builds of those things                                           
 dgilmore │ we may want to change koji to enable us to change what we can do                                                               

We got cut off in conversation because Dennis had to catch a flight. It seems like he was suggesting that we either 1) patch bodhi to pass --force to work around the incorrect koji config or 2) patch koji to do something else. It seems to me like adjusting our prod koji policy config in ansible would be the easiest.
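
The first-match behaviour discussed in this comment, as an added example (not code from Bodhi, Koji, or the original post): a simplified model of the `tag` policy that supports only the `has_perm`, `package` and `all` tests quoted above. The names `parse`, `cond_matches` and `evaluate`, and the deny-on-no-match fallback, are assumptions of this sketch.

```python
from fnmatch import fnmatch

PKGS = "kernel shim grub2 fedora-release fedora-repos pesign"

# Production policy as quoted in the issue.
CURRENT_POLICY = f"""
has_perm secure-boot && package {PKGS} :: allow
package {PKGS} :: deny
all :: allow
"""
# Variant proposed in the issue: one extra allow line at the top.
PROPOSED_POLICY = f"has_perm admin && package {PKGS} :: allow" + CURRENT_POLICY


def parse(policy):
    """Turn 'test args && test args :: action' lines into (tests, action)."""
    rules = []
    for line in policy.splitlines():
        if not line.strip():
            continue
        conds, action = (part.strip() for part in line.split("::"))
        rules.append(([tuple(c.split()) for c in conds.split("&&")], action))
    return rules


def cond_matches(cond, perms, package):
    name, *patterns = cond
    if name == "all":
        return True
    if name == "has_perm":  # true if the user holds any listed permission
        return any(fnmatch(p, pat) for p in perms for pat in patterns)
    if name == "package":   # true if the package matches any listed name
        return any(fnmatch(package, pat) for pat in patterns)
    raise ValueError(f"unsupported test in this model: {name}")


def evaluate(policy, perms, package):
    """Return the action of the first rule whose tests all match."""
    for conds, action in parse(policy):
        if all(cond_matches(c, perms, package) for c in conds):
            return action
    return "deny"  # assumption of this model: nothing matched


if __name__ == "__main__":
    for label, pol in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        for perms in (["admin"], ["secure-boot"], []):
            print(label, perms, evaluate(pol, perms, "fedora-release"))
```

Under the current policy a user holding only `admin` falls through to the explicit `deny` for the listed packages; with the proposed line, every `admin` holder is allowed to tag them, while users with neither permission are still denied.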

ralphbean commented 9 years ago

Further update from IRC:

dgilmore │ we should not use --force                                                                                      
dgilmore │ but we should look at making changes to koji first to enable better enforcement of what we want                
dgilmore │ but short term we could add bodhi to secure-boot or update the policy to directly allow admin to tag everything
dgilmore │ I just want a concrete plan and ideally making sure that only the proper people can submit builds

bowlofeggs commented 6 years ago

I've never seen this happen since I've been working on Bodhi, and hadn't noticed this ticket until today. I think it is probably safe to close. Do you agree @ralphbean?

ralphbean commented 6 years ago

Yeah, I guess it is a non-issue if I'm the one who ran into it. I don't own any of those super crazy secure-boot packages. :) The owners there must have some workflow that doesn't bump them into this issue (or something..). Closing!