Don't create new groups for system ones
A Gerrit bug[1] allowed manage_projects to create a Gerrit
internal group with the same name as a system group
('Registered Users'). This happened after upgrading to
Gerrit 2.11 because there are existing projects with 'Registered
Users' in acls config files. Even though Gerrit shouldn't allow
creation of a group with the same name as a system group,
manage_projects shouldn't even attempt to do it.
This change prevents manage_projecsts from creating
groups with the same name as Gerrit system groups. It
will also add correct entries to group files for system groups.
Below is the group file entries that Gerrit expects for
system groups:
global:Anonymous-Users Anonymous Users
global:Change-Owner Change Owner
global:Project-Owners Project Owners
global:Registered-Users Registered Users
For backward compatibility, the existing group UUID will be returned
if one is found in the database.
[1] https://code.google.com/p/gerrit/issues/detail?id=3831
Change-Id: I17d6e1a5553f98ff910480d41a2ac7b3a2522809
diff --git a/jeepyb/cmd/manage_projects.py b/jeepyb/cmd/manage_projects.py
index f125975..0f9a240 100644
--- a/jeepyb/cmd/manage_projects.py
+++ b/jeepyb/cmd/manage_projects.py
@@ -71,6 +71,16 @@
log = logging.getLogger("manage_projects")
+# Gerrit system groups as defined:
+# https://review.openstack.org/Documentation/access-control.html#system_groups
+# Need to set Gerrit system group's uuid to the format it expects.
+GERRIT_SYSTEM_GROUPS = {
+ 'Anonymous Users': 'global:Anonymous-Users',
+ 'Project Owners': 'global:Project-Owners',
+ 'Registered Users': 'global:Registered-Users',
+ 'Change Owner': 'global:Change-Owner',
+}
+
class FetchConfigException(Exception):
pass
@@ -202,7 +212,16 @@
def _get_group_uuid(group):
- """Wait for up to 10 seconds for the group to be created in the DB."""
+ """
+ Gerrit keeps internal user groups in the DB while it keeps systems
+ groups in All-Projects groups file (in refs/meta/config). This
+ will only get the UUIDs for internal user groups.
+
+ Note: 'Administrators', 'Non-Interactive Users' and all other custom
+ groups in Gerrit are defined as internal user groups.
+
+ Wait for up to 10 seconds for the group to be created in the DB.
+ """
query = "SELECT group_uuid FROM account_groups WHERE name = %s"
con = jeepyb.gerritdb.connect()
for x in range(10):
@@ -221,6 +240,8 @@
uuid = _get_group_uuid(group)
if uuid:
return uuid
+ if group in GERRIT_SYSTEM_GROUPS:
+ return GERRIT_SYSTEM_GROUPS[group]
gerrit.createGroup(group)
uuid = _get_group_uuid(group)
if uuid:
@@ -549,9 +570,10 @@
GERRIT_KEY = registry.get_defaults('gerrit-key')
GERRIT_GITID = registry.get_defaults('gerrit-committer')
GERRIT_REPLICATE = registry.get_defaults('gerrit-replicate', True)
- GERRIT_SYSTEM_USER = registry.get_defaults('gerrit-system-user', 'gerrit2')
- GERRIT_SYSTEM_GROUP = registry.get_defaults('gerrit-system-group',
- 'gerrit2')
+ GERRIT_OS_SYSTEM_USER = registry.get_defaults('gerrit-system-user',
+ 'gerrit2')
+ GERRIT_OS_SYSTEM_GROUP = registry.get_defaults('gerrit-system-group',
+ 'gerrit2')
DEFAULT_HOMEPAGE = registry.get_defaults('homepage')
DEFAULT_HAS_ISSUES = registry.get_defaults('has-issues', False)
DEFAULT_HAS_DOWNLOADS = registry.get_defaults('has-downloads', False)
@@ -610,7 +632,7 @@
# Create the repo for the local git mirror
create_local_mirror(
LOCAL_GIT_DIR, project_git,
- GERRIT_SYSTEM_USER, GERRIT_SYSTEM_GROUP)
+ GERRIT_OS_SYSTEM_USER, GERRIT_OS_SYSTEM_GROUP)
if not os.path.exists(repo_path) or project_created:
# We don't have a local copy already, get one