Rename 'Push Annotated/Signed Tag' permission to 'Create Annotated/Signed Tag'

Each tag type requires a special permission for the tag creation:
- Lightweight tags require 'Create Reference'
- Annotated tags require 'Push Annotated Tag'
- Signed tags require 'Push Signed Tag'

This naming is inconsistent and may be confusing. E.g. whether tags can be updated is controlled by the 'Push' permission on 'refs/tags/*' and not by the 'Push Annotated/Signed Tag' permission, as some users might expect.

This change includes a schema migration that renames the permissions for creating annotated/signed tags.

Permission rules in project.config that use the old names are still respected. They are automatically converted when the project config is saved the next time. This is needed so that multi-master sites can do a multi-step-migration:
1. First upgrade all hosts to the new binary: Projects may still contain permissions with the old names, new permissions are saved with the new names.
2. Run a background job on all hosts that migrates the permissions for all projects to the new names: Projects do not contain permissions with the old names, new permissions are saved with the new names.
3. Upgrade all hosts to a binary that doesn't respect the old names anymore.

The migration for schema 130 is rewritten because ProjectConfig no longer allows to change the force flag for 'pushTag' without converting it to 'createTag'.

Change-Id: I839be24f82a908b5184f15e746f3588a0d397b7e
Signed-off-by: Edwin Kempin <ekempin@google.com>
diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt index bb92222..d48034a 100644 --- a/Documentation/access-control.txt +++ b/Documentation/access-control.txt
@@ -660,7 +660,8 @@ [[category_push_annotated]] -=== Push Annotated Tag +[[category_create_annotated]] +=== Create Annotated Tag This category permits users to push an annotated tag object into the project's repository. Typically this would be done with a command line @@ -687,7 +688,7 @@ To push tags created by users other than the current user (such as tags mirrored from an upstream project), `Forge Committer Identity` -must be also granted in addition to `Push Annotated Tag`. +must be also granted in addition to `Create Annotated Tag`. To push lightweight (non annotated) tags, grant <<category_create,`Create Reference`>> for reference name @@ -706,7 +707,8 @@ [[category_push_signed]] -=== Push Signed Tag +[[category_create_signed]] +=== Create Signed Tag This category permits users to push a PGP signed tag object into the project's repository. Typically this would be done with a command @@ -1019,7 +1021,7 @@ * <<category_push_merge,`Push merge commit`>> to 'refs/heads/*' * <<category_forge_committer,`Forge Committer Identity`>> to 'refs/for/refs/heads/*' * <<category_create,`Create Reference`>> to 'refs/heads/*' -* <<category_push_annotated,`Push Annotated Tag`>> to 'refs/tags/*' +* <<category_create_annotated,`Create Annotated Tag`>> to 'refs/tags/*' [[examples_project-owner]]
diff --git a/Documentation/error-prohibited-by-gerrit.txt b/Documentation/error-prohibited-by-gerrit.txt index 3d9bbad..3e5f23b 100644 --- a/Documentation/error-prohibited-by-gerrit.txt +++ b/Documentation/error-prohibited-by-gerrit.txt
@@ -17,10 +17,10 @@ link:access-control.html#category_create['Create Reference'] access right on `+refs/heads/*+` 4. if you push an annotated tag without - link:access-control.html#category_push_annotated['Push Annotated Tag'] + link:access-control.html#category_create_annotated['Create Annotated Tag'] access right on `+refs/tags/*+` 5. if you push a signed tag without - link:access-control.html#category_push_signed['Push Signed Tag'] + link:access-control.html#category_create_signed['Create Signed Tag'] access right on `+refs/tags/*+` 6. if you push a lightweight tag without the access right link:access-control.html#category_create['Create Reference'] for the reference name `+refs/tags/*+`
diff --git a/Documentation/rest-api-access.txt b/Documentation/rest-api-access.txt index ee3e8ce..4531446 100644 --- a/Documentation/rest-api-access.txt +++ b/Documentation/rest-api-access.txt
@@ -132,7 +132,7 @@ }, "refs/tags/*": { "permissions": { - "pushSignedTag": { + "createSignedTag": { "rules": { "53a4f647a89ea57992571187d8025f830625192a": { "action": "ALLOW" @@ -142,7 +142,7 @@ } } }, - "pushTag": { + "createTag": { "rules": { "53a4f647a89ea57992571187d8025f830625192a": { "action": "ALLOW"
diff --git a/Documentation/user-upload.txt b/Documentation/user-upload.txt index dc79018..7942059 100644 --- a/Documentation/user-upload.txt +++ b/Documentation/user-upload.txt
@@ -403,11 +403,11 @@ link:access-control.html#category_push_direct['Push'] with the 'Force' option ticked. -To push annotated tags, the `Push Annotated Tag` project right must +To push annotated tags, the `Create Annotated Tag` project right must be granted to one (or more) of the user's groups. There is only one level of access in this category. -Project owners may wish to grant themselves `Push Annotated Tag` +Project owners may wish to grant themselves `Create Annotated Tag` only at times when a new release is being prepared, and otherwise grant nothing at all. This ensures that accidental pushes don't make undesired changes to the public repository.
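Review bot: in Documentation/access-control.txt, the hunks at -660 and -706 leave the old anchors `[[category_push_annotated]]` and `[[category_push_signed]]` in place as context lines directly above the new `[[category_create_annotated]]` and `[[category_create_signed]]`, while every link changed in this patch now points at the new ids. If the old anchors are kept on purpose so that existing external links keep resolving, add an AsciiDoc comment next to them saying so and when they can be dropped; otherwise a later cleanup is likely to remove them or leave them behind indefinitely.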
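Review bot: in Documentation/rest-api-access.txt, the example response at -132 and -142 now shows only `createSignedTag` and `createTag`, but the commit message says rules stored under the old names are still respected until the project config is next saved. Document here which key the access response carries for a project that has not been migrated yet, and whether `pushTag` and `pushSignedTag` are still accepted on input, so that clients and audit scripts keyed on the old names know at which step of the multi-step migration they have to change.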
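Review bot: in Documentation/user-upload.txt, the paragraph at -403 that ends with "accidental pushes don't make undesired changes to the public repository" still presents withholding `Create Annotated Tag` as the safeguard, without saying what governs existing tags. The commit message states that updating a tag is controlled by the 'Push' permission on 'refs/tags/*' and not by this permission; add a sentence here that says so, so that project owners following this advice also review the 'Push' grant on 'refs/tags/*'.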