| commit | 70f38b18b88e3086b5f27eff7a0d2386f72f0d24 | [log] [tgz] |
|---|---|---|
| author | Edwin Kempin <ekempin@google.com> | Tue Nov 26 13:32:54 2019 +0100 |
| committer | Edwin Kempin <ekempin@google.com> | Tue Nov 26 13:50:31 2019 +0100 |
| tree | 2ad191966791c97f94e710475933fb2e436e7d8a | |
| parent | d7a0e7d52d176e47b961f625c9bb9aa5d2799f9b [diff] |
SetAccess: Fix granting the CREATE_GROUP capability to a second group
If one group had the global CREATE_GROUP capability assigned and a
caller attempted to grant the global CREATE_GROUP capability to another
group, using the SetAccess REST endpoint, the call failed with an
IllegalArgumentException [1].
A new group is created by creating a new group ref in the All-Users
repository. Whether creating a ref is possible is controlled by the
CREATE permission on the ref. Hence for group refs we check for a CREATE
permission on refs/groups/*. Since this is not obvious for most users we
also have a global CREATE_GROUP capability which can be assigned on the
All-Projects project. In fact users can only grant the global
CREATE_GROUP capability, but not the CREATE permission on refs/groups/*
in All-Users. The CREATE permission on refs/groups/* in All-Users is
automatically kept in sync with the global CREATE_GROUP capability and
cannot be changed manually. The code to do this syncing is
CreateGroupPermissionSyncer.
CreateGroupPermissionSyncer had a bug when it synced the global
CREATE_GROUP capability to group ref CREATE permissions, if a group ref
CREATE permission already existed:
1. The CREATE_GROUP capability is assigned to group A.
2. CreateGroupPermissionSyncer syncs the permissions and sets the group
ref CREATE permission for group A.
3. The CREATE_GROUP capability is assigned to group B.
4. CreateGroupPermissionSyncer tries to sync the permissions and set the
group ref CREATE permission for group A and group B, but fails since
the group ref CREATE permission already exists for group A.
Since the group ref CREATE permissions are exclusively managed by Gerrit
we always want to overwrite them, when the global CREATE_GROUP
capability changes. To fix step 4. remove the group ref CREATE
permission for group A before setting it for group A and B.
[1]
java.lang.IllegalArgumentException
at com.google.gerrit.common.data.AccessSection.addPermission(AccessSection.java:114)
at com.google.gerrit.server.CreateGroupPermissionSyncer.syncIfNeeded(CreateGroupPermissionSyncer.java:119)
at com.google.gerrit.server.restapi.project.SetAccess.apply(SetAccess.java:129)
at com.google.gerrit.server.restapi.project.SetAccess.apply(SetAccess.java:44)
at com.google.gerrit.httpd.restapi.RestApiServlet.lambda$invokeRestModifyViewWithRetry$4(RestApiServlet.java:740)
at com.github.rholder.retry.AttemptTimeLimiters$NoAttemptTimeLimit.call(AttemptTimeLimiters.java:78)
at com.github.rholder.retry.Retryer.call(Retryer.java:160)
at com.google.gerrit.server.update.RetryHelper.executeWithTimeoutCount(RetryHelper.java:417)
at com.google.gerrit.server.update.RetryHelper.executeWithAttemptAndTimeoutCount(RetryHelper.java:368)
at com.google.gerrit.server.update.RetryHelper.execute(RetryHelper.java:271)
at com.google.gerrit.httpd.restapi.RestApiServlet.invokeRestEndpointWithRetry(RestApiServlet.java:820)
at com.google.gerrit.httpd.restapi.RestApiServlet.invokeRestModifyViewWithRetry(RestApiServlet.java:735)
at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:511)
...
Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: Id064b7ce7599048ca2cd81c8ccd3dfd8704909ce
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on Github.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the Github mirror.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
cd gerrit && bazel build release
The instruction how to configure GerritForge/BinTray repositories is here
On Debian/Ubuntu run:
apt-get update & apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 7 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-centos7[:version]
To run a Ubuntu 15.04 based Gerrit image:
docker run -p 8080:8080 gerritforge/gerrit-ubuntu15.04[:version]
NOTE: release is optional. Last released package of the version is installed if the release number is omitted.