Opened 3 years ago

Last modified 3 years ago

#11533 new enhancement

show permissions for specific repos only

Reported by: patrick Owned by: ejucovy
Priority: normal Component: GitolitePlugin
Severity: normal Keywords:
Cc: Trac Release: 1.0



I have a trac setup which consists of multiple trac environments. The goal for me as TRAC_ADMIN is basically to turn each environment over to a project_manager (which is something I defined as being a little less than TRAC_ADMIN) and then they can take care of their own users and permissions etc.

So I have integrated trac-gitolite, and I have one gitolite-admin repo that is serving the multiple trac environments. Out of the box, the project_manager for project A could see and manage the repository permissions for a repo in project B which may have a different project_manager. So this isn't ideal.

Basically I added a trac_gitolite option called show_repos. This is just a list of the repos whose permissions can be managed through the web interface. It can be set on a per environment basis in trac.ini

I have attached the diffs needed to do this.

Is this useful, or did I miss the boat entirely and there was a much easier way to do this?



Attachments (4)

perm_manager.diff (386 bytes) - added by patrick 3 years ago.
perm_policy.diff (372 bytes) - added by patrick 3 years ago.
repo_manager.diff (368 bytes) - added by patrick 3 years ago.
utils.diff (158 bytes) - added by patrick 3 years ago.

Download all attachments as: .zip

Change History (8)

Changed 3 years ago by patrick

Attachment: perm_manager.diff added

Changed 3 years ago by patrick

Attachment: perm_policy.diff added

Changed 3 years ago by patrick

Attachment: repo_manager.diff added

Changed 3 years ago by patrick

Attachment: utils.diff added

comment:1 Changed 3 years ago by Ryan J Ollos

I'm not familiar with the plugin, but it sounds like you may want to implement TracFineGrainedPermissions checks, and maybe check for VERSIONCONTROL_ADMIN permission rather than TRAC_ADMIN permission.

Also, usually it's preferable to submit patches in unified diff form, as described at trac:TracDev/SubmittingPatches.

comment:2 Changed 3 years ago by ejucovy

Thanks for the patch, patrick!

At first glance patrick's approach makes more sense to me than fine-grained permission checks. It sounds like the goal here is to define which Gitolite repositories are known per Trac environment, not per user. This is necessary because Gitolite manages all repositories' configuration in a single place on the trac/git server (the gitolite.conf file) so the Trac environment is reading configuration for all repositories, whether or not it wants to.

rjollos, would you mind outlining what this would look like using fine-grained permissions? (The environment configuration, not the diff to the plugin's code.) I've never managed to understand TracFineGrainedPermissions well enough to actually implement them in an environment. I guess you would need to remove VERSIONCONTROL_ADMIN from the entire realm, and then re-grant it to the project_manager(s) for individual repositories?

comment:3 Changed 3 years ago by ejucovy

Actually, would you mind describing your use case a bit more?

Will each Trac environment's project_manager be administering their own Trac users and permissions, or will those be shared across environments?

Do project_managers have access to create new Gitolite repositories, or just to manage permissions of (some) existing repositories?

Will project_managers be creating new Gitolite users? (i.e. by uploading SSH public keys through Trac via GitolitePlugin's /admin/versioncontrol/permissions/ panel)

How often will project_managers be managing the Gitolite users and permissions?

Depending on your setup and usage patterns, some additional GitolitePlugin enhancements might be needed, including:

  • more distinct permissions -- right now there's just REPOSITORY_CREATE (create new gitolite repos) and VERSIONCONTROL_ADMIN
  • filtering out some users from the Gitolite Users panel and Gitolite Permissions panel
  • mapping gitolite users to trac users explicitly instead of implicitly
  • supporting the use of multiple files and subdirectories to manage gitolite ssh keys and repository permissions

comment:4 in reply to:  2 Changed 3 years ago by Ryan J Ollos

Replying to ejucovy:

rjollos, would you mind outlining what this would look like using fine-grained permissions?

I've had an interest in this plugin anyway, so I'll take a look at the code this week and let you know.

Modify Ticket

Change Properties
Set your email in Preferences
as new The owner will remain ejucovy.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.