Merge lp:~jcsackett/launchpad/alphabetize-security-settings into lp:launchpad

Proposed by j.c.sackett
Status: Merged
Approved by: Robert Collins
Approved revision: no longer in the source branch.
Merged at revision: 12963
Proposed branch: lp:~jcsackett/launchpad/alphabetize-security-settings
Merge into: lp:launchpad
Diff against target: 2889 lines (+847/-897)
4 files modified
database/schema/security.cfg (+646/-796)
lib/lp/scripts/utilities/settingsauditor.py (+110/-0)
lib/lp/scripts/utilities/tests/test_audit_security_settings.py (+80/-12)
utilities/audit-security-settings.py (+11/-89)
To merge this branch: bzr merge lp:~jcsackett/launchpad/alphabetize-security-settings
Reviewer Review Type Date Requested Status
Robert Collins (community) Approve
Review via email: mp+58992@code.launchpad.net

Commit message

[r=lifeless][bug=773591] Updates the settings auditor to alphabetize settings, so bzr merges stop introducing duplication errors.

Description of the change

Summary
=======
We removed a bunch of duplicate permissions from security.cfg, but they were introduced (mostly) by bad merges, and that can happen again. To make it easier for bzr to merge sensibly and to make it easier for developers to figure out if a setting already exists, each config block in security.cfg should be alphabetized, as we do with imports (for much the same reason).

Since we already had an audit utility to find dupes, expanding that to alphabetize seems sensible.

Preimplementation
=================
Spoke with Curtis Hovey

Implementation
==============
database/schema/security.cfg
----------------------------
Alphabetized settings in each config block, and removed another duplicate introduced since dupes were removed last week. Added some comments in the header of the file to explain the permissions that are set to nothing. Comments within the blocks are lost, but per discussion with Curtis Hovey, merge errors and so forth have largely rendered them out of date anyway.

lib/lp/scripts/utilities/settingsauditor.py
utilities/audit-security-settings.py
------------------------------------
Broke out the settings auditor into its own file, and expanded it to process each config block separately, both alphabetizing the permission settings and reporting on duplicates it finds in the file. It still doesn't automatically remove the settings, as a human may still need to determine which setting should be kept.

lib/lp/scripts/utilities/tests/test_audit_security_settings.py
--------------------------------------------------------------
Tests.

Tests
=====
bin/test -vvct test_audit

QA
==
qa-untestable

Lint
====
= Launchpad lint =

Checking for conflicts and issues in changed files.

Linting changed files:
  database/schema/security.cfg
  lib/lp/scripts/utilities/settingsauditor.py
  lib/lp/scripts/utilities/tests/test_audit_security_settings.py
  utilities/audit-security-settings.py

./database/schema/security.cfg
     705: Line exceeds 78 characters.
     706: Line exceeds 78 characters.
     707: Line exceeds 78 characters.
     734: Line exceeds 78 characters.
     736: Line exceeds 78 characters.
     789: Line exceeds 78 characters.
     798: Line exceeds 78 characters.
     803: Line exceeds 78 characters.
     814: Line exceeds 78 characters.
     837: Line exceeds 78 characters.
     850: Line exceeds 78 characters.
     851: Line exceeds 78 characters.
     860: Line exceeds 78 characters.
     881: Line exceeds 78 characters.
     882: Line exceeds 78 characters.
     890: Line exceeds 78 characters.
     911: Line exceeds 78 characters.
     986: Line exceeds 78 characters.
     996: Line exceeds 78 characters.
     997: Line exceeds 78 characters.
./utilities/audit-security-settings.py
      16: '_pythonpath' imported but unused

Robert Collins (lifeless) wrote :

It might be nice to run this in lint.sh/

review: Approve
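
The audit described under Implementation above (each config block processed separately, settings alphabetized, duplicates reported and left for a human to resolve), as an added example; this is not the branch's settingsauditor.py. The sample blocks, the role names and the `same_grants` reorder-only check are assumptions made for the illustration.

```python
"""Audit a security.cfg-style file: alphabetize each block, report duplicates."""
import re
from collections import Counter, defaultdict

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

# Constructed sample in the format shown in the diff; the role names and the
# duplicated lines are invented for this example.
SAMPLE = """\
[example_role]
type=user
groups=script
public.person                           = SELECT
public.libraryfilealias                 = SELECT, INSERT
public.bugtask                          = SELECT, UPDATE
public.person                           = SELECT
public.libraryfilealias                 = SELECT
public.fticache                         =

[example_group]
type=group
public.scriptactivity                   = SELECT, INSERT
"""


def parse_blocks(text):
    """Return {block: [(key, value), ...]} in file order; comments dropped."""
    blocks, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION.match(line)
        if header:
            current = header.group("name")
            if current in blocks:
                raise ValueError(f"line {lineno}: block [{current}] repeated")
            blocks[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: unexpected content {raw!r}")
        key, _, value = line.partition("=")
        blocks[current].append((key.strip(), value.strip()))
    return blocks


def grants(value):
    """Normalise 'SELECT, INSERT' to a frozenset; '' means no permissions."""
    return frozenset(p.strip().upper() for p in value.split(",") if p.strip())


def find_duplicates(blocks):
    """List (block, key, kind, values) for every key set more than once.

    'exact' duplicates grant the same privileges and are safe to collapse;
    a 'conflict' needs a human to decide which grant is the intended one.
    """
    findings = []
    for block, settings in blocks.items():
        seen = defaultdict(list)
        for key, value in settings:
            seen[key].append(value)
        for key in sorted(seen):
            values = seen[key]
            if len(values) > 1:
                distinct = {grants(v) for v in values}
                kind = "exact" if len(distinct) == 1 else "conflict"
                findings.append((block, key, kind, values))
    return findings


def alphabetize(blocks, width=40):
    """Render every block with its settings sorted by key (stable sort)."""
    out = []
    for block, settings in blocks.items():
        out.append(f"[{block}]")
        for key, value in sorted(settings, key=lambda kv: kv[0]):
            if "." in key:   # permission line: pad the key like the file does
                out.append(f"{key:<{width}}= {value}".rstrip())
            else:            # type= / groups= metadata
                out.append(f"{key}={value}")
        out.append("")
    return "\n".join(out)


def same_grants(before, after):
    """True if both files hold the same settings per block, order ignored."""
    def bag(text):
        return {b: Counter((k, grants(v)) for k, v in s)
                for b, s in parse_blocks(text).items()}
    return bag(before) == bag(after)


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for block, key, kind, values in find_duplicates(parsed):
        print(f"[{block}] {key}: {kind} duplicate {values}")
    print(alphabetize(parsed))
```

Running `same_grants` on the file before and after sorting confirms that a reorder-only change neither added nor dropped a privilege, which is hard to see by eye in a diff of this size.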

Preview Diff

1=== modified file 'database/schema/security.cfg'
2--- database/schema/security.cfg 2011-05-03 04:39:43 +0000
3+++ database/schema/security.cfg 2011-05-03 22:22:53 +0000
4@@ -7,106 +7,88 @@
5 # creates new entries by first doing an insert (to get the id) and then
6 # issuing an update
7 [DEFAULT]
8-# Objects in these schemas are publicly readable or executable. *not* writable
9 public_schemas=ts2
10
11 [public]
12-# The public role is automatically granted to all users by PostgreSQL
13-type=group
14+public._killall_backends(text) =
15 public.activity() = EXECUTE
16-public.person_sort_key(text, text) = EXECUTE
17+public.add_test_openid_identifier(integer) = EXECUTE
18+public.alllocks =
19+public.assert_patch_applied(integer, integer, integer) = EXECUTE
20+public.bug_update_latest_patch_uploaded(integer) =
21+public.bugnotificationarchive =
22 public.calculate_bug_heat(integer) = EXECUTE
23 public.cursor_fetch(refcursor, integer) = EXECUTE
24+public.databasediskutilization =
25+public.debversion(character) = EXECUTE
26+public.debversion_cmp(debversion, debversion) = EXECUTE
27+public.debversion_eq(debversion, debversion) = EXECUTE
28+public.debversion_ge(debversion, debversion) = EXECUTE
29+public.debversion_gt(debversion, debversion) = EXECUTE
30+public.debversion_hash(debversion) = EXECUTE
31+public.debversion_larger(debversion, debversion) = EXECUTE
32+public.debversion_le(debversion, debversion) = EXECUTE
33+public.debversion_lt(debversion, debversion) = EXECUTE
34+public.debversion_ne(debversion, debversion) = EXECUTE
35+public.debversion_smaller(debversion, debversion) = EXECUTE
36 public.debversion_sort_key(text) = EXECUTE
37-public.milestone_sort_key(timestamp without time zone, text) = EXECUTE
38-public.version_sort_key(text) = EXECUTE
39-public.null_count(anyarray) = EXECUTE
40-public.valid_name(text) = EXECUTE
41-public.valid_bug_name(text) = EXECUTE
42-public.valid_branch_name(text) = EXECUTE
43-public.valid_debian_version(text) = EXECUTE
44-public.valid_cve(text) = EXECUTE
45-public.valid_absolute_url(text) = EXECUTE
46-public.valid_fingerprint(text) = EXECUTE
47-public.valid_keyid(text) = EXECUTE
48-public.valid_regexp(text) = EXECUTE
49-public.sane_version(text) = EXECUTE
50-public.sha1(text) = EXECUTE
51+public.debversionin(cstring) = EXECUTE
52+public.debversionout(debversion) = EXECUTE
53+public.debversionrecv(internal) = EXECUTE
54+public.debversionsend(debversion) = EXECUTE
55+public.exclusivelocks =
56+public.featureflag = SELECT
57+public.fticache =
58+public.generate_openid_identifier() = EXECUTE
59+public.getlocalnodeid() = EXECUTE
60 public.is_blacklisted_name(text, integer) = EXECUTE
61 public.is_person(text) = EXECUTE
62+public.is_printable_ascii(text) = EXECUTE
63 public.is_team(integer) = EXECUTE
64 public.is_team(text) = EXECUTE
65-public.is_printable_ascii(text) = EXECUTE
66+public.latestdatabasediskutilization =
67 public.launchpaddatabaserevision = SELECT
68-public.name_blacklist_match(text, integer) = EXECUTE
69-public.pillarname = SELECT
70-public.ulower(text) = EXECUTE
71-public.generate_openid_identifier() = EXECUTE
72-public.getlocalnodeid() = EXECUTE
73-public.replication_lag() = EXECUTE
74-public.replication_lag(integer) = EXECUTE
75-public.assert_patch_applied(integer, integer, integer) = EXECUTE
76-# Explicitly state 'no permissions on these objects' to silence
77-# security.py warnings.
78-public.fticache =
79-public.databasediskutilization =
80-public.latestdatabasediskutilization =
81-public.update_database_disk_utilization() =
82-public._killall_backends(text) =
83-public.exclusivelocks =
84-public.alllocks =
85-public.pgstattuple(oid) =
86-public.pgstattuple(text) =
87-public.bugnotificationarchive =
88 public.lp_account =
89 public.lp_openididentifier =
90+public.lp_person =
91 public.lp_personlocation =
92-public.lp_person =
93 public.lp_teamparticipation =
94-public.bug_update_latest_patch_uploaded(integer) =
95-# the currently active feature flags can be read by anyone
96-public.featureflag = SELECT
97-# Tests calling factory methods need to be able to create working
98-# accounts. We don't directly grant access to the OpenIdIdentifier table
99-# to the users these tests are running as we want to minimize the number
100-# of database users that can subvert accounts. Instead, we use a stored
101-# procedure. OpenId Identifiers created using this stored procedure are
102-# only useable by the test suite.
103-public.add_test_openid_identifier(integer) = EXECUTE
104-
105-# Functions introduced by the posgresql-debversion package.
106-public.debversionin(cstring) = EXECUTE
107-public.debversionout(debversion) = EXECUTE
108-public.debversionrecv(internal) = EXECUTE
109-public.debversionsend(debversion) = EXECUTE
110-public.debversion(character) = EXECUTE
111-public.debversion_cmp(debversion, debversion) = EXECUTE
112-public.debversion_eq(debversion, debversion) = EXECUTE
113-public.debversion_ne(debversion, debversion) = EXECUTE
114-public.debversion_lt(debversion, debversion) = EXECUTE
115-public.debversion_gt(debversion, debversion) = EXECUTE
116-public.debversion_le(debversion, debversion) = EXECUTE
117-public.debversion_ge(debversion, debversion) = EXECUTE
118-public.debversion_hash(debversion) = EXECUTE
119 public.max(debversion) = EXECUTE
120+public.milestone_sort_key(timestamp without time zone, text) = EXECUTE
121 public.min(debversion) = EXECUTE
122-public.debversion_smaller(debversion, debversion) = EXECUTE
123-public.debversion_larger(debversion, debversion) = EXECUTE
124+public.name_blacklist_match(text, integer) = EXECUTE
125+public.null_count(anyarray) = EXECUTE
126+public.person_sort_key(text, text) = EXECUTE
127+public.pgstattuple(oid) =
128+public.pgstattuple(text) =
129+public.pillarname = SELECT
130+public.replication_lag() = EXECUTE
131+public.replication_lag(integer) = EXECUTE
132+public.sane_version(text) = EXECUTE
133+public.sha1(text) = EXECUTE
134+public.ulower(text) = EXECUTE
135+public.update_database_disk_utilization() =
136+public.valid_absolute_url(text) = EXECUTE
137+public.valid_branch_name(text) = EXECUTE
138+public.valid_bug_name(text) = EXECUTE
139+public.valid_cve(text) = EXECUTE
140+public.valid_debian_version(text) = EXECUTE
141+public.valid_fingerprint(text) = EXECUTE
142+public.valid_keyid(text) = EXECUTE
143+public.valid_name(text) = EXECUTE
144+public.valid_regexp(text) = EXECUTE
145+public.version_sort_key(text) = EXECUTE
146+type=group
147
148 [ro]
149-# A user with full readonly access to the database. Generally used for
150-# interactive querying
151-type=user
152 groups=read
153+type=user
154
155 [testadmin]
156-# A user with full admin privileges used by the test suite
157-type=user
158 groups=admin
159+type=user
160
161 [launchpad_main]
162-# lpmain replication set access from the main Z3 application.
163-type=user
164 groups=write,script
165 public.account = SELECT, INSERT, UPDATE, DELETE
166 public.accountpassword = SELECT, INSERT, UPDATE, DELETE
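Review bot: the comment block deleted above `public.add_test_openid_identifier(integer) = EXECUTE` carried the security rationale for that grant: the procedure exists so that test users are not given direct access to the OpenIdIdentifier table, "to minimize the number of database users that can subvert accounts". After this hunk the grant is an unexplained line between `public.activity()` and `public.alllocks`, and the removed "Explicitly state 'no permissions on these objects'" note no longer tells readers that the empty `=` entries in [public] are deliberate. Suggest moving both explanations somewhere the sort will not discard them (the file header or a per-role doc) before dropping them here, so a later cleanup does not treat these lines as mistakes.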
167@@ -114,23 +96,23 @@
168 public.answercontact = SELECT, INSERT, UPDATE, DELETE
169 public.apportjob = SELECT, INSERT, UPDATE, DELETE
170 public.archive = SELECT, INSERT, UPDATE
171+public.archivearch = SELECT, INSERT, UPDATE, DELETE
172 public.archiveauthtoken = SELECT, INSERT, UPDATE
173+public.archivedependency = SELECT, INSERT, DELETE
174 public.archivejob = SELECT, INSERT, UPDATE, DELETE
175+public.archivepermission = SELECT, INSERT, UPDATE, DELETE
176 public.archivesubscriber = SELECT, INSERT, UPDATE
177-public.archivearch = SELECT, INSERT, UPDATE, DELETE
178-public.archivedependency = SELECT, INSERT, DELETE
179-public.archivepermission = SELECT, INSERT, UPDATE, DELETE
180 public.authtoken = SELECT, INSERT, UPDATE, DELETE
181 public.binaryandsourcepackagenameview = SELECT
182 public.binarypackagepublishinghistory = SELECT
183 public.binarypackagereleasedownloadcount= SELECT, INSERT, UPDATE
184 public.bountysubscription = SELECT, INSERT, UPDATE, DELETE
185-public.branchrevision = SELECT, INSERT, UPDATE, DELETE
186 public.branch = SELECT, INSERT, UPDATE, DELETE
187 public.branchjob = SELECT, INSERT, UPDATE, DELETE
188 public.branchmergeproposal = SELECT, INSERT, UPDATE, DELETE
189 public.branchmergeproposaljob = SELECT, INSERT, UPDATE, DELETE
190 public.branchmergequeue = SELECT, INSERT, UPDATE, DELETE
191+public.branchrevision = SELECT, INSERT, UPDATE, DELETE
192 public.branchsubscription = SELECT, INSERT, UPDATE, DELETE
193 public.branchvisibilitypolicy = SELECT, INSERT, UPDATE, DELETE
194 public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
195@@ -140,14 +122,14 @@
196 public.bugjob = SELECT, INSERT, UPDATE, DELETE
197 public.bugnomination = SELECT, UPDATE
198 public.bugnotification = SELECT, INSERT, UPDATE, DELETE
199+public.bugnotificationattachment = SELECT, INSERT
200 public.bugnotificationfilter = SELECT, INSERT, UPDATE, DELETE
201-public.bugnotificationattachment = SELECT, INSERT
202 public.bugnotificationrecipient = SELECT, INSERT, UPDATE, DELETE
203 public.bugnotificationrecipientarchive = SELECT, UPDATE
204 public.bugtag = SELECT, INSERT, DELETE
205-public.bugtrackerperson = SELECT, UPDATE
206 public.bugtrackercomponent = SELECT, INSERT, UPDATE
207 public.bugtrackercomponentgroup = SELECT, INSERT, UPDATE
208+public.bugtrackerperson = SELECT, UPDATE
209 public.bugwatchactivity = SELECT, INSERT, UPDATE
210 public.buildfarmjob = DELETE
211 public.codeimport = SELECT, INSERT, UPDATE, DELETE
212@@ -160,9 +142,9 @@
213 public.codereviewvote = SELECT, INSERT, UPDATE, DELETE
214 public.commercialsubscription = SELECT, INSERT, UPDATE, DELETE
215 public.continent = SELECT
216+public.customlanguagecode = SELECT, INSERT, UPDATE, DELETE
217+public.cve = SELECT, INSERT, UPDATE
218 public.cvereference = SELECT, INSERT
219-public.cve = SELECT, INSERT, UPDATE
220-public.customlanguagecode = SELECT, INSERT, UPDATE, DELETE
221 public.databasereplicationlag = SELECT
222 public.diff = SELECT, INSERT, UPDATE
223 public.distributionbounty = SELECT, INSERT, UPDATE
224@@ -172,32 +154,33 @@
225 public.distributionsourcepackagecache = SELECT
226 public.distroseriesdifference = SELECT, INSERT, UPDATE
227 public.distroseriesdifferencemessage = SELECT, INSERT, UPDATE
228+public.distroserieslanguage = SELECT, INSERT, UPDATE
229+public.distroseriespackagecache = SELECT
230 public.distroseriesparent = SELECT, INSERT, UPDATE, DELETE
231-public.distroserieslanguage = SELECT, INSERT, UPDATE
232-public.distroseriespackagecache = SELECT
233 public.emailaddress = SELECT, INSERT, UPDATE, DELETE
234 public.entitlement = SELECT, INSERT, UPDATE, DELETE
235 public.faq = SELECT, INSERT, UPDATE, DELETE
236+public.featuredproject = SELECT, INSERT, DELETE
237 public.featureflag = SELECT, INSERT, UPDATE, DELETE
238 public.featureflagchangelogentry = SELECT, INSERT, UPDATE
239-public.featuredproject = SELECT, INSERT, DELETE
240+public.flatpackagesetinclusion = SELECT, INSERT, UPDATE, DELETE
241+public.hwdevice = SELECT
242+public.hwdeviceclass = SELECT, INSERT, DELETE
243 public.hwdevicedriverlink = SELECT
244 public.hwdevicenamevariant = SELECT
245-public.hwdevice = SELECT
246-public.hwdeviceclass = SELECT, INSERT, DELETE
247 public.hwdriver = SELECT, INSERT
248 public.hwdrivernames = SELECT
249 public.hwdriverpackagenames = SELECT
250-public.hwsubmissiondevice = SELECT
251 public.hwsubmission = SELECT, INSERT, UPDATE
252 public.hwsubmissionbug = SELECT, INSERT, UPDATE, DELETE
253+public.hwsubmissiondevice = SELECT
254 public.hwsystemfingerprint = SELECT, INSERT
255+public.hwtest = SELECT
256+public.hwtestanswer = SELECT
257 public.hwtestanswerchoice = SELECT
258+public.hwtestanswercount = SELECT
259 public.hwtestanswercountdevice = SELECT
260-public.hwtestanswercount = SELECT
261 public.hwtestanswerdevice = SELECT
262-public.hwtestanswer = SELECT
263-public.hwtest = SELECT
264 public.hwvendorid = SELECT
265 public.hwvendorname = SELECT
266 public.incrementaldiff = SELECT, INSERT, UPDATE, DELETE
267@@ -216,8 +199,8 @@
268 public.mailinglistsubscription = SELECT, INSERT, UPDATE, DELETE
269 public.mentoringoffer = SELECT, INSERT, UPDATE, DELETE
270 public.mergedirectivejob = SELECT, INSERT, UPDATE, DELETE
271-public.messagechunk = SELECT, INSERT
272 public.messageapproval = SELECT, INSERT, UPDATE, DELETE
273+public.messagechunk = SELECT, INSERT
274 public.milestone = SELECT, INSERT, UPDATE, DELETE
275 public.mirrorcdimagedistroseries = SELECT, INSERT, DELETE
276 public.mirrordistroarchseries = SELECT, INSERT, DELETE, UPDATE
277@@ -228,48 +211,46 @@
278 public.oauthconsumer = SELECT, INSERT
279 public.oauthnonce = SELECT, INSERT
280 public.oauthrequesttoken = SELECT, INSERT, UPDATE, DELETE
281+public.officialbugtag = SELECT, INSERT, UPDATE, DELETE
282 public.openidconsumerassociation = SELECT, INSERT, UPDATE, DELETE
283 public.openidconsumernonce = SELECT, INSERT, UPDATE
284 public.openididentifier = SELECT, INSERT, UPDATE, DELETE
285-public.officialbugtag = SELECT, INSERT, UPDATE, DELETE
286 public.openidrpconfig = SELECT, INSERT, UPDATE, DELETE
287 public.packagebugsupervisor = SELECT, INSERT, UPDATE, DELETE
288+public.packagebuild = DELETE
289 public.packagecopyrequest = SELECT, INSERT, UPDATE
290-public.packagebuild = DELETE
291 public.packagediff = SELECT, INSERT, UPDATE, DELETE
292 public.packageset = SELECT, INSERT, UPDATE, DELETE
293 public.packagesetgroup = SELECT, INSERT, UPDATE, DELETE
294+public.packagesetinclusion = SELECT, INSERT, UPDATE, DELETE
295 public.packagesetsources = SELECT, INSERT, UPDATE, DELETE
296-public.packagesetinclusion = SELECT, INSERT, UPDATE, DELETE
297-public.flatpackagesetinclusion = SELECT, INSERT, UPDATE, DELETE
298 public.packaging = SELECT, INSERT, UPDATE, DELETE
299 public.packagingjob = SELECT, INSERT, UPDATE
300 public.personlanguage = SELECT, INSERT, UPDATE, DELETE
301 public.personlocation = SELECT, INSERT, UPDATE, DELETE
302+public.personnotification = SELECT, INSERT, UPDATE, DELETE
303 public.personsettings = SELECT, INSERT, UPDATE
304 public.persontransferjob = SELECT, INSERT, UPDATE, DELETE
305-public.personnotification = SELECT, INSERT, UPDATE, DELETE
306 public.pillarname = SELECT, INSERT, DELETE
307 public.poexportrequest = SELECT, INSERT, UPDATE, DELETE
308 public.pofiletranslator = SELECT
309+public.poll = SELECT, INSERT, UPDATE
310 public.polloption = SELECT, INSERT, UPDATE, DELETE
311-public.poll = SELECT, INSERT, UPDATE
312 public.potexport = SELECT
313 public.previewdiff = SELECT, INSERT, UPDATE, DELETE
314 public.productbounty = SELECT, INSERT, UPDATE
315 public.productrelease = SELECT, INSERT, UPDATE, DELETE
316 public.productreleasefile = SELECT, INSERT, DELETE
317 public.productseriescodeimport = SELECT, INSERT, UPDATE
318+public.project = SELECT
319+public.projectbounty = SELECT, INSERT, UPDATE
320 public.publisherconfig = SELECT, INSERT, UPDATE, DELETE
321-public.project = SELECT
322-public.projectbounty = SELECT, INSERT, UPDATE
323+public.question = SELECT, INSERT, UPDATE
324 public.questionbug = SELECT, INSERT, DELETE
325 public.questionjob = SELECT, INSERT, UPDATE, DELETE
326 public.questionmessage = SELECT, INSERT
327 public.questionreopening = SELECT, INSERT, UPDATE
328-public.question = SELECT, INSERT, UPDATE
329 public.questionsubscription = SELECT, INSERT, UPDATE, DELETE
330-public.translationrelicensingagreement = SELECT, INSERT, UPDATE
331 public.requestedcds = SELECT, INSERT, UPDATE, DELETE
332 public.revision = SELECT, INSERT, UPDATE
333 public.revisionauthor = SELECT, INSERT, UPDATE
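Review bot: two removals in this hunk, `-public.flatpackagesetinclusion` and `-public.translationrelicensingagreement`, have no matching `+` line inside it; their counterparts appear in other hunks of the same [launchpad_main] block. With moves crossing hunk boundaries, a reader cannot confirm from the diff alone that every grant survived with the same privileges. Suggest having the tests (or the auditor itself) compare the per-block set of key/privilege pairs before and after sorting and fail on any difference other than the intended duplicate removals.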
334@@ -277,70 +258,68 @@
335 public.revisionnumber = SELECT, INSERT
336 public.revisionparent = SELECT, INSERT
337 public.scriptactivity = SELECT
338+public.seriessourcepackagebranch = SELECT, INSERT, UPDATE, DELETE
339 public.shipitreport = SELECT, INSERT
340 public.shipitsurvey = SELECT, INSERT, UPDATE
341+public.shipitsurveyanswer = SELECT, INSERT
342 public.shipitsurveyquestion = SELECT, INSERT
343-public.shipitsurveyanswer = SELECT, INSERT
344 public.shipitsurveyresult = SELECT, INSERT
345 public.shipment = SELECT, INSERT, UPDATE
346 public.shippingrequest = SELECT, INSERT, UPDATE, DELETE
347 public.shippingrun = SELECT, INSERT, UPDATE
348+public.sourcepackageformatselection = SELECT
349 public.sourcepackagepublishinghistory = SELECT
350-public.seriessourcepackagebranch = SELECT, INSERT, UPDATE, DELETE
351-public.sourcepackageformatselection = SELECT
352 public.sourcepackagerecipe = SELECT, INSERT, UPDATE, DELETE
353 public.sourcepackagerecipebuild = SELECT, INSERT, UPDATE, DELETE
354 public.sourcepackagerecipebuildjob = SELECT, INSERT, UPDATE, DELETE
355 public.sourcepackagerecipedata = SELECT, INSERT, UPDATE, DELETE
356+public.sourcepackagerecipedatainstruction = SELECT, INSERT, UPDATE, DELETE
357 public.sourcepackagerecipedistroseries = SELECT, INSERT, DELETE
358-public.sourcepackagerecipedatainstruction = SELECT, INSERT, UPDATE, DELETE
359+public.specification = SELECT, INSERT, UPDATE
360 public.specificationbranch = SELECT, INSERT, UPDATE, DELETE
361 public.specificationbug = SELECT, INSERT, DELETE
362 public.specificationdependency = SELECT, INSERT, DELETE
363 public.specificationfeedback = SELECT, INSERT, UPDATE, DELETE
364 public.specificationmessage = SELECT, INSERT
365-public.specification = SELECT, INSERT, UPDATE
366 public.specificationsubscription = SELECT, INSERT, UPDATE, DELETE
367 public.spokenin = SELECT, INSERT, DELETE
368+public.sprint = SELECT, INSERT, UPDATE
369 public.sprintattendance = SELECT, INSERT, UPDATE, DELETE
370-public.sprint = SELECT, INSERT, UPDATE
371 public.sprintspecification = SELECT, INSERT, UPDATE, DELETE
372 public.standardshipitrequest = SELECT, INSERT, UPDATE, DELETE
373 public.staticdiff = SELECT, INSERT, UPDATE
374 public.structuralsubscription = SELECT, INSERT, UPDATE, DELETE
375+public.subunitstream = SELECT, INSERT, UPDATE, DELETE
376 public.suggestivepotemplate = SELECT, INSERT, DELETE
377-public.subunitstream = SELECT, INSERT, UPDATE, DELETE
378 public.temporaryblobstorage = SELECT, INSERT, DELETE
379 public.translationgroup = SELECT, INSERT, UPDATE
380 public.translationimportqueueentry = SELECT, INSERT, UPDATE, DELETE
381 public.translationmessage = SELECT, INSERT, UPDATE, DELETE
382+public.translationrelicensingagreement = SELECT, INSERT, UPDATE
383 public.translationtemplatesbuild = SELECT, INSERT, UPDATE, DELETE
384 public.translator = SELECT, INSERT, UPDATE, DELETE
385+public.usertouseremail = SELECT, INSERT, UPDATE
386 public.validpersoncache = SELECT
387 public.validpersonorteamcache = SELECT
388+public.vote = SELECT, INSERT, UPDATE
389 public.votecast = SELECT, INSERT
390-public.vote = SELECT, INSERT, UPDATE
391 public.webserviceban = SELECT, INSERT, UPDATE, DELETE
392 public.wikiname = SELECT, INSERT, UPDATE, DELETE
393-public.usertouseremail = SELECT, INSERT, UPDATE
394+type=user
395
396 [launchpad]
397-# This user exists for backwards compatibility - it is an alias to
398-# lanunchpad_main. There are a number of users in production that
399-# have been assigned this role that I don't want to recreate just now.
400-type=user
401 groups=launchpad_main
402+type=user
403
404 [script]
405-# Permissions required by all scripts.
406-type=group
407 public.scriptactivity = SELECT, INSERT
408+type=group
409
410 [statistician]
411-type=user
412 groups=script
413 public.archive = SELECT, UPDATE
414 public.archivearch = SELECT, UPDATE
415+public.binarypackagebuild = SELECT
416 public.binarypackagename = SELECT
417 public.binarypackagepublishinghistory = SELECT
418 public.binarypackagerelease = SELECT
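Review bot: `+type=user` for [launchpad_main] now sits on the last line of the block, directly above `[launchpad]`, and [launchpad] and [script] likewise end with their `type=` line. Whether a section is a login user or a group is the first thing someone reviewing a role needs to know, and in the long blocks it is now far below the section header. Suggest the auditor pin `type` and `groups` at the top of each block and alphabetize only the `public.*` permission lines.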
419@@ -349,8 +328,6 @@
420 public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
421 public.bugtask = SELECT
422 public.buildfarmjob = SELECT
423-public.packagebuild = SELECT
424-public.binarypackagebuild = SELECT
425 public.distribution = SELECT
426 public.distributionsourcepackagecache = SELECT, INSERT, UPDATE, DELETE
427 public.distroarchseries = SELECT, UPDATE
428@@ -359,13 +336,12 @@
429 public.distroseriespackagecache = SELECT, INSERT, UPDATE, DELETE
430 public.language = SELECT
431 public.launchpadstatistic = SELECT, INSERT, UPDATE, DELETE
432+public.packagebuild = SELECT
433 public.person = SELECT
434-public.validpersoncache = SELECT
435-public.validpersonorteamcache = SELECT
436-public.potemplate = SELECT
437 public.pofile = SELECT
438 public.pofiletranslator = SELECT
439 public.pomsgid = SELECT
440+public.potemplate = SELECT
441 public.potmsgset = SELECT
442 public.product = SELECT
443 public.productseries = SELECT
444@@ -377,46 +353,47 @@
445 public.subunitstream = SELECT
446 public.translationmessage = SELECT, INSERT, UPDATE
447 public.translationtemplateitem = SELECT
448+public.validpersoncache = SELECT
449+public.validpersonorteamcache = SELECT
450+type=user
451
452 [librarian]
453-type=user
454 public.libraryfilealias = SELECT, INSERT, UPDATE
455 public.libraryfilecontent = SELECT, INSERT
456+type=user
457
458 [librarianlogparser]
459-type=user
460 groups=script
461 public.country = SELECT
462 public.libraryfilealias = SELECT, UPDATE
463 public.libraryfiledownloadcount = SELECT, INSERT, UPDATE
464 public.parsedapachelog = SELECT, INSERT, UPDATE
465+type=user
466
467 [librariangc]
468-type=user
469 groups=script
470 public.apportjob = SELECT, DELETE
471-public.job = SELECT, DELETE
472-public.libraryfilealias = SELECT, UPDATE, DELETE
473-public.libraryfilecontent = SELECT, UPDATE, DELETE
474-# This user needs select on every table that references LibraryFileAlias
475+public.binarypackagebuild = SELECT
476 public.binarypackagefile = SELECT
477 public.branchmergeproposal = SELECT
478 public.bugattachment = SELECT
479 public.buildfarmjob = SELECT
480-public.packagebuild = SELECT
481-public.binarypackagebuild = SELECT
482 public.codeimportresult = SELECT
483 public.diff = SELECT
484 public.distribution = SELECT
485 public.distributionmirror = SELECT
486+public.hwsubmission = SELECT
487+public.job = SELECT, DELETE
488 public.languagepack = SELECT
489-public.hwsubmission = SELECT
490+public.libraryfilealias = SELECT, UPDATE, DELETE
491+public.libraryfilecontent = SELECT, UPDATE, DELETE
492 public.mergedirectivejob = SELECT
493 public.message = SELECT
494+public.messageapproval = SELECT
495 public.messagechunk = SELECT
496-public.messageapproval = SELECT
497 public.mirrorproberecord = SELECT
498 public.openidrpconfig = SELECT
499+public.packagebuild = SELECT
500 public.packagediff = SELECT
501 public.packageupload = SELECT
502 public.packageuploadcustom = SELECT
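Review bot: the removed line `# This user needs select on every table that references LibraryFileAlias` in [librariangc] states the rule that decides which SELECT grants belong in this block, and after sorting those grants are interleaved with `public.job` and `public.libraryfilealias`, so nothing marks them as a set. Suggest keeping that sentence as a comment directly under the `[librariangc]` header (the auditor could preserve one leading comment per block) so that anyone adding a table that references LibraryFileAlias knows to extend this role.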
503@@ -427,37 +404,33 @@
504 public.product = SELECT
505 public.productreleasefile = SELECT
506 public.project = SELECT
507-public.subunitstream = SELECT
508 public.shipitreport = SELECT
509 public.shippingrun = SELECT
510+public.sourcepackagerecipebuild = SELECT
511+public.sourcepackagerelease = SELECT
512+public.sourcepackagereleasefile = SELECT
513 public.sprint = SELECT
514-public.sourcepackagerelease = SELECT
515-public.sourcepackagereleasefile = SELECT
516-public.sourcepackagerecipebuild = SELECT
517+public.subunitstream = SELECT
518 public.temporaryblobstorage = SELECT, DELETE
519 public.translationimportqueueentry = SELECT
520+type=user
521
522 [productreleasefinder]
523-# Dyson release import script
524-type=user
525 groups=script
526 public.bug = SELECT
527 public.bugtask = SELECT, UPDATE
528-public.product = SELECT
529-public.productseries = SELECT
530-public.productrelease = SELECT, INSERT, UPDATE
531-public.productreleasefile = SELECT, INSERT, UPDATE
532-# Needed only because SQLobject does things...
533-public.person = SELECT
534-# Needed to write to the librarian
535 public.libraryfilealias = SELECT, INSERT
536 public.libraryfilecontent = SELECT, INSERT
537 public.milestone = SELECT, INSERT
538+public.person = SELECT
539+public.product = SELECT
540+public.productrelease = SELECT, INSERT, UPDATE
541+public.productreleasefile = SELECT, INSERT, UPDATE
542+public.productseries = SELECT
543 public.sourcepackagename = SELECT
544+type=user
545
546 [pofilestats]
547-# Translations POFile statistics verification/update script
548-type=user
549 groups=script
550 public.language = SELECT
551 public.pofile = SELECT, UPDATE
552@@ -465,18 +438,15 @@
553 public.potmsgset = SELECT
554 public.translationmessage = SELECT
555 public.translationtemplateitem = SELECT
556+type=user
557
558 [pofilestats_daily]
559-# Daily POFile statistics verification/update script
560-type=user
561 groups=pofilestats
562+public.distroseries = SELECT
563 public.productseries = SELECT
564-public.distroseries = SELECT
565-
566+type=user
567
568 [poimport]
569-# Rosetta import script
570-type=user
571 groups=write,script
572 public.account = SELECT, INSERT
573 public.customlanguagecode = SELECT
574@@ -487,14 +457,13 @@
575 public.translator = SELECT
576 public.validpersoncache = SELECT
577 public.validpersonorteamcache = SELECT
578+type=user
579
580 [translations_distroseries_copy]
581-type=user
582 groups=poimport
583+type=user
584
585 [translations_import_queue_gardener]
586-# Translations import queue management
587-type=user
588 groups=script,translations_approval
589 public.karma = SELECT, INSERT, UPDATE
590 public.karmaaction = SELECT
591@@ -502,10 +471,9 @@
592 public.translationimportqueueentry = SELECT, DELETE, UPDATE
593 public.translationmessage = SELECT, INSERT, UPDATE
594 public.validpersoncache = SELECT
595+type=user
596
597 [poexport]
598-# Rosetta export script
599-type=user
600 groups=script
601 public.distribution = SELECT
602 public.distroseries = SELECT
603@@ -531,10 +499,9 @@
604 public.translator = SELECT
605 public.validpersoncache = SELECT
606 public.validpersonorteamcache = SELECT
607+type=user
608
609 [langpack]
610-# Language pack exporter script
611-type=user
612 groups=script
613 public.distribution = SELECT
614 public.distroseries = SELECT, UPDATE
615@@ -560,15 +527,14 @@
616 public.translator = SELECT
617 public.validpersoncache = SELECT
618 public.validpersonorteamcache = SELECT
619+type=user
620
621 [checkwatches]
622-# Malone bug watch script
623-type=user
624 groups=script
625 public.account = SELECT, INSERT
626 public.accountpassword = SELECT, INSERT
627+public.answercontact = SELECT
628 public.archive = SELECT
629-public.answercontact = SELECT
630 public.binarypackagebuild = SELECT
631 public.binarypackagename = SELECT
632 public.binarypackagepublishinghistory = SELECT
633@@ -585,8 +551,8 @@
634 public.bugnotificationrecipient = SELECT, INSERT
635 public.bugsubscription = SELECT
636 public.bugsubscriptionfilter = SELECT
637+public.bugsubscriptionfilterimportance = SELECT
638 public.bugsubscriptionfilterstatus = SELECT
639-public.bugsubscriptionfilterimportance = SELECT
640 public.bugsubscriptionfiltertag = SELECT
641 public.bugtag = SELECT
642 public.bugtask = SELECT, INSERT, UPDATE
643@@ -606,22 +572,22 @@
644 public.language = SELECT
645 public.libraryfilealias = SELECT, INSERT
646 public.libraryfilecontent = SELECT, INSERT
647+public.message = SELECT, INSERT
648 public.messagechunk = SELECT, INSERT
649-public.message = SELECT, INSERT
650 public.milestone = SELECT
651 public.packagebugsupervisor = SELECT
652 public.person = SELECT, INSERT, UPDATE
653+public.personlanguage = SELECT
654 public.personsettings = SELECT, INSERT
655-public.personlanguage = SELECT
656 public.product = SELECT, UPDATE
657 public.productseries = SELECT
658 public.project = SELECT, UPDATE
659+public.question = SELECT
660 public.questionbug = SELECT
661-public.question = SELECT
662 public.questionsubscription = SELECT
663 public.section = SELECT
664+public.sourcepackagename = SELECT
665 public.sourcepackagepublishinghistory = SELECT
666-public.sourcepackagename = SELECT
667 public.sourcepackagerelease = SELECT
668 public.structuralsubscription = SELECT
669 public.teammembership = SELECT
670@@ -629,9 +595,9 @@
671 public.validpersoncache = SELECT
672 public.validpersonorteamcache = SELECT
673 public.wikiname = SELECT, INSERT
674+type=user
675
676 [branchscanner]
677-type=user
678 groups=write, script
679 public.account = SELECT, INSERT
680 public.accountpassword = SELECT, INSERT
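Review bot: Style point on `groups=write, script` in [branchscanner]: the value keeps its space after the comma, while [gina] and [archivepublisher] later in this diff use `groups=write,script`. Since the auditor already rewrites every block, it could normalize the list separator as well, so that two spellings of the same membership do not show up as a difference in a later merge.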
681@@ -642,18 +608,31 @@
682 public.branchrevision = SELECT, INSERT, UPDATE, DELETE
683 public.branchsubscription = SELECT
684 public.branchvisibilitypolicy = SELECT
685+public.bugactivity = SELECT, INSERT
686+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
687 public.bugbranch = SELECT, INSERT, UPDATE
688+public.bugnotification = SELECT, INSERT
689+public.bugnotificationfilter = SELECT, INSERT
690+public.bugnotificationrecipient = SELECT, INSERT
691+public.bugsubscription = SELECT
692+public.bugsubscriptionfilter = SELECT
693+public.bugsubscriptionfilterimportance = SELECT
694+public.bugsubscriptionfilterstatus = SELECT
695+public.bugsubscriptionfiltertag = SELECT
696+public.bugtag = SELECT
697+public.codereviewmessage = SELECT
698+public.codereviewvote = SELECT
699 public.diff = SELECT, INSERT, DELETE
700-public.distroseries = SELECT
701 public.distribution = SELECT
702 public.distributionsourcepackage = SELECT, UPDATE
703+public.distroseries = SELECT
704 public.emailaddress = SELECT
705 public.incrementaldiff = SELECT
706 public.job = SELECT, INSERT, UPDATE, DELETE
707-public.translationtemplatesbuild = SELECT, INSERT
708-# Karma
709 public.karma = SELECT, INSERT
710 public.karmaaction = SELECT
711+public.message = SELECT, INSERT
712+public.messagechunk = SELECT, INSERT
713 public.person = SELECT
714 public.revision = SELECT, INSERT, UPDATE
715 public.revisionauthor = SELECT, INSERT, UPDATE
716@@ -666,29 +645,13 @@
717 public.sourcepackagerecipedata = SELECT
718 public.sourcepackagerecipedatainstruction = SELECT
719 public.staticdiff = SELECT, INSERT, DELETE
720+public.structuralsubscription = SELECT
721+public.translationtemplatesbuild = SELECT, INSERT
722 public.validpersoncache = SELECT
723 public.validpersonorteamcache = SELECT
724-# Bug notifications
725-public.bugactivity = SELECT, INSERT
726-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
727-public.bugsubscription = SELECT
728-public.bugsubscriptionfilter = SELECT
729-public.bugsubscriptionfilterstatus = SELECT
730-public.bugsubscriptionfilterimportance = SELECT
731-public.bugsubscriptionfiltertag = SELECT
732-public.bugnotification = SELECT, INSERT
733-public.bugnotificationfilter = SELECT, INSERT
734-public.bugnotificationrecipient = SELECT, INSERT
735-public.bugtag = SELECT
736-public.structuralsubscription = SELECT
737-public.message = SELECT, INSERT
738-public.messagechunk = SELECT, INSERT
739-# Merge notifications
740-public.codereviewvote = SELECT
741-public.codereviewmessage = SELECT
742+type=user
743
744 [branch-distro]
745-type=user
746 public.branch = SELECT, INSERT, UPDATE
747 public.branchrevision = SELECT, INSERT
748 public.branchsubscription = SELECT, INSERT
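Review bot: The `# Bug notifications` and `# Merge notifications` markers removed from [branchscanner] here were the only record of why a branch scanner holds INSERT on bug, notification and message tables. Once those grants are sorted into the list, nothing distinguishes them from the role's core grants. If the groupings are still accurate, keep the reason somewhere a least-privilege review will find it, for example a comment block above the section header that the auditor is taught to preserve.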
749@@ -703,38 +666,37 @@
750 public.sourcepackagename = SELECT
751 public.teamparticipation = SELECT
752 public.validpersoncache = SELECT
753-
754+type=user
755
756 [targetnamecacheupdater]
757-type=user
758 groups=script
759+public.binarypackagename = SELECT
760 public.bugtask = SELECT, UPDATE
761-public.product = SELECT
762-public.productseries = SELECT
763 public.distribution = SELECT
764 public.distroseries = SELECT
765-public.sourcepackagename = SELECT
766-public.binarypackagename = SELECT
767 public.potemplate = SELECT, UPDATE
768+public.product = SELECT
769+public.productseries = SELECT
770+public.sourcepackagename = SELECT
771+type=user
772
773 [distributionmirror]
774-type=user
775 groups=script
776 public.account = SELECT
777 public.archive = SELECT
778 public.archivearch = SELECT
779+public.binarypackagebuild = SELECT
780 public.binarypackagefile = SELECT
781 public.binarypackagename = SELECT
782+public.binarypackagepublishinghistory = SELECT
783 public.binarypackagerelease = SELECT
784 public.buildfarmjob = SELECT
785-public.packagebuild = SELECT
786-public.binarypackagebuild = SELECT
787 public.component = SELECT
788 public.componentselection = SELECT
789 public.distribution = SELECT
790 public.distributionmirror = SELECT, UPDATE
791+public.distroarchseries = SELECT
792 public.distroseries = SELECT
793-public.distroarchseries = SELECT
794 public.emailaddress = SELECT
795 public.libraryfilealias = SELECT, INSERT
796 public.libraryfilecontent = SELECT, INSERT
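Review bot: In [distributionmirror], `public.binarypackagepublishinghistory = SELECT` is added here but its removal is in the following hunk, and `public.packagebuild = SELECT` is removed here and re-added there. That makes it hard to confirm from the diff alone that the reorder changes no privileges. It would be worth an assertion in the auditor's tests, if one is not already there, that each section's set of key/value pairs is identical before and after sorting, apart from dropped duplicates.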
797@@ -742,77 +704,74 @@
798 public.mirrordistroarchseries = SELECT, UPDATE, DELETE, INSERT
799 public.mirrordistroseriessource = SELECT, UPDATE, DELETE, INSERT
800 public.mirrorproberecord = SELECT, INSERT
801+public.packagebuild = SELECT
802 public.person = SELECT
803 public.processorfamily = SELECT
804+public.sourcepackagename = SELECT
805 public.sourcepackagepublishinghistory = SELECT
806-public.binarypackagepublishinghistory = SELECT
807 public.sourcepackagerelease = SELECT
808 public.sourcepackagereleasefile = SELECT
809-public.sourcepackagename = SELECT
810 public.teammembership = SELECT
811+type=user
812
813 [teammembership]
814-# Update the TeamMembership table setting expired members
815-type=user
816 groups=script
817+public.emailaddress = SELECT
818+public.job = SELECT, INSERT
819+public.person = SELECT
820+public.persontransferjob = SELECT, INSERT
821 public.teammembership = SELECT, UPDATE
822 public.teamparticipation = SELECT, DELETE
823-public.person = SELECT
824-public.emailaddress = SELECT
825-public.job = SELECT, INSERT
826-public.persontransferjob = SELECT, INSERT
827+type=user
828
829 [karma]
830-# Update the KarmaCache table
831-type=user
832 groups=script
833+public.emailaddress = SELECT
834+public.karma = SELECT
835+public.karmaaction = SELECT
836 public.karmacache = SELECT, INSERT, UPDATE, DELETE
837-public.karma = SELECT
838 public.karmacategory = SELECT
839-public.karmaaction = SELECT
840 public.karmatotalcache = SELECT, INSERT, UPDATE, DELETE
841-public.emailaddress = SELECT
842 public.person = SELECT
843 public.product = SELECT
844 public.validpersoncache = SELECT
845 public.validpersonorteamcache = SELECT
846+type=user
847
848 [request-daily-builds]
849-type=user
850 groups=script
851 public.archive = SELECT
852 public.archivepermission = SELECT
853-public.buildqueue = SELECT, INSERT, UPDATE
854 public.branch = SELECT
855 public.buildfarmjob = SELECT, INSERT
856+public.buildqueue = SELECT, INSERT, UPDATE
857 public.component = SELECT
858 public.distribution = SELECT
859+public.distroarchseries = SELECT
860 public.distroseries = SELECT
861-public.distroarchseries = SELECT
862 public.job = SELECT, INSERT
863+public.packagebuild = SELECT, INSERT
864 public.person = SELECT
865-public.packagebuild = SELECT, INSERT
866 public.processor = SELECT
867 public.processorfamily = SELECT
868+public.sourcepackagename = SELECT
869 public.sourcepackagerecipe = SELECT, UPDATE
870-public.sourcepackagename = SELECT
871 public.sourcepackagerecipebuild = SELECT, INSERT
872 public.sourcepackagerecipebuildjob = SELECT, INSERT
873 public.sourcepackagerecipedata = SELECT
874 public.sourcepackagerecipedistroseries = SELECT
875 public.teamparticipation = SELECT
876+type=user
877
878 [revisionkarma]
879-# Allocate karma for revisions.
880-type=user
881 groups=script
882 public.branch = SELECT
883 public.branchrevision = SELECT
884 public.distribution = SELECT
885 public.distroseries = SELECT
886 public.karma = SELECT, INSERT
887+public.karmaaction = SELECT
888 public.karmacategory = SELECT
889-public.karmaaction = SELECT
890 public.person = SELECT
891 public.product = SELECT
892 public.productseries = SELECT
893@@ -820,163 +779,158 @@
894 public.revisionauthor = SELECT
895 public.sourcepackagename = SELECT
896 public.validpersoncache = SELECT
897+type=user
898
899 [cve]
900-type=user
901 groups=script
902 public.cve = SELECT, INSERT, UPDATE
903 public.cvereference = SELECT, INSERT, UPDATE, DELETE
904-
905+type=user
906
907 [gina]
908-# Unpack sourcepackages and extract metadata
909-type=user
910 groups=write,script
911 public.account = SELECT, INSERT
912 public.accountpassword = SELECT, INSERT
913 public.archive = SELECT, UPDATE
914 public.archivearch = SELECT, UPDATE
915+public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
916 public.distribution = SELECT
917 public.distributionjob = SELECT, INSERT
918 public.distributionsourcepackage = SELECT, INSERT
919 public.packagediff = SELECT, INSERT, UPDATE
920-public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
921 public.sourcepackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
922+type=user
923
924 [archivepublisher]
925-type=user
926 groups=write,script
927+public.answercontact = SELECT
928 public.archive = SELECT, UPDATE
929 public.archivearch = SELECT
930 public.archiveauthtoken = SELECT, UPDATE
931 public.archivepermission = SELECT, INSERT
932 public.archivesubscriber = SELECT, UPDATE
933+public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
934+public.bug = SELECT, UPDATE
935+public.bugactivity = SELECT, INSERT
936+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
937+public.bugcve = SELECT, INSERT
938+public.bugmessage = SELECT, INSERT
939+public.bugnomination = SELECT
940+public.bugnotification = SELECT, INSERT
941+public.bugnotificationfilter = SELECT, INSERT
942+public.bugnotificationrecipient = SELECT, INSERT
943+public.bugsubscription = SELECT
944+public.bugsubscriptionfilter = SELECT
945+public.bugsubscriptionfilterimportance = SELECT
946+public.bugsubscriptionfilterstatus = SELECT
947+public.bugsubscriptionfiltertag = SELECT
948+public.bugtag = SELECT
949+public.bugtask = SELECT, UPDATE
950+public.bugtracker = SELECT, INSERT
951+public.bugtrackeralias = SELECT, INSERT
952+public.bugwatch = SELECT, INSERT
953+public.cve = SELECT, INSERT
954 public.distributionjob = SELECT, INSERT, DELETE
955+public.distributionsourcepackage = SELECT, INSERT, UPDATE
956+public.flatpackagesetinclusion = SELECT, INSERT, UPDATE, DELETE
957 public.gpgkey = SELECT, INSERT, UPDATE
958+public.karma = SELECT, INSERT
959+public.karmaaction = SELECT
960+public.language = SELECT
961+public.message = SELECT, INSERT
962+public.messagechunk = SELECT, INSERT
963+public.milestone = SELECT
964+public.packagebugsupervisor = SELECT
965 public.packagecopyrequest = SELECT, INSERT, UPDATE
966 public.packagediff = SELECT, INSERT, UPDATE
967 public.packageset = SELECT, INSERT
968 public.packagesetgroup = SELECT
969+public.packagesetinclusion = SELECT, INSERT, UPDATE, DELETE
970 public.packagesetsources = SELECT, INSERT, UPDATE, DELETE
971-public.packagesetinclusion = SELECT, INSERT, UPDATE, DELETE
972-# INSERT for publisherconfig only required for the test suite.
973+public.personlanguage = SELECT
974+public.product = SELECT
975+public.productseries = SELECT
976+public.project = SELECT
977 public.publisherconfig = SELECT, INSERT
978-public.flatpackagesetinclusion = SELECT, INSERT, UPDATE, DELETE
979-public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
980+public.question = SELECT
981+public.questionbug = SELECT
982+public.questionsubscription = SELECT
983 public.sourcepackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
984-public.distributionsourcepackage = SELECT, INSERT, UPDATE
985-
986-# Closing bugs for publication copies.
987-public.bug = SELECT, UPDATE
988-public.bugactivity = SELECT, INSERT
989-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
990-public.bugsubscription = SELECT
991-public.bugsubscriptionfilter = SELECT
992-public.bugsubscriptionfilterstatus = SELECT
993-public.bugsubscriptionfilterimportance = SELECT
994-public.bugsubscriptionfiltertag = SELECT
995-public.bugnotification = SELECT, INSERT
996-public.bugnotificationfilter = SELECT, INSERT
997-public.bugnotificationrecipient = SELECT, INSERT
998-public.bugnomination = SELECT
999-public.bugtag = SELECT
1000-public.bugtask = SELECT, UPDATE
1001-public.product = SELECT
1002-public.project = SELECT
1003-public.bugmessage = SELECT, INSERT
1004-public.message = SELECT, INSERT
1005-public.messagechunk = SELECT, INSERT
1006-public.productseries = SELECT
1007+public.structuralsubscription = SELECT
1008 public.validpersoncache = SELECT
1009 public.validpersonorteamcache = SELECT
1010-public.karmaaction = SELECT
1011-public.karma = SELECT, INSERT
1012-public.questionbug = SELECT
1013-public.question = SELECT
1014-public.packagebugsupervisor = SELECT
1015-public.milestone = SELECT
1016-public.bugwatch = SELECT, INSERT
1017-public.bugtracker = SELECT, INSERT
1018-public.bugtrackeralias = SELECT, INSERT
1019-public.cve = SELECT, INSERT
1020-public.bugcve = SELECT, INSERT
1021-public.language = SELECT
1022-public.questionsubscription = SELECT
1023-public.answercontact = SELECT
1024-public.personlanguage = SELECT
1025-public.structuralsubscription = SELECT
1026+type=user
1027
1028 [fiera]
1029-type=user
1030 groups=script,translations_approval
1031 public.account = SELECT
1032 public.archive = SELECT, UPDATE
1033 public.archivearch = SELECT, UPDATE
1034 public.archivedependency = SELECT
1035+public.binarypackagebuild = SELECT, INSERT, UPDATE
1036+public.binarypackagefile = SELECT
1037+public.binarypackagename = SELECT
1038+public.binarypackagepublishinghistory = SELECT
1039+public.binarypackagerelease = SELECT
1040 public.branch = SELECT
1041 public.branchjob = SELECT, DELETE
1042-public.buildqueue = SELECT, INSERT, UPDATE, DELETE
1043-public.job = SELECT, INSERT, UPDATE, DELETE
1044-public.buildpackagejob = SELECT, INSERT, UPDATE, DELETE
1045 public.builder = SELECT, INSERT, UPDATE
1046 public.buildfarmjob = SELECT, INSERT, UPDATE
1047-public.packagebuild = SELECT, INSERT, UPDATE
1048-public.binarypackagebuild = SELECT, INSERT, UPDATE
1049+public.buildpackagejob = SELECT, INSERT, UPDATE, DELETE
1050+public.buildqueue = SELECT, INSERT, UPDATE, DELETE
1051+public.component = SELECT
1052 public.distribution = SELECT, UPDATE
1053-public.distroseries = SELECT, UPDATE
1054 public.distroarchseries = SELECT, UPDATE
1055-public.sourcepackagepublishinghistory = SELECT
1056-public.sourcepackagerelease = SELECT
1057-public.sourcepackagereleasefile = SELECT
1058-public.sourcepackagename = SELECT
1059-public.binarypackagepublishinghistory = SELECT
1060-public.binarypackagerelease = SELECT
1061-public.binarypackagefile = SELECT
1062-public.binarypackagename = SELECT
1063+public.distroseries = SELECT, UPDATE
1064+public.emailaddress = SELECT
1065+public.flatpackagesetinclusion = SELECT
1066+public.gpgkey = SELECT
1067+public.job = SELECT, INSERT, UPDATE, DELETE
1068 public.libraryfilealias = SELECT, INSERT
1069 public.libraryfilecontent = SELECT, INSERT
1070-public.processor = SELECT
1071-public.processorfamily = SELECT
1072+public.packagebuild = SELECT, INSERT, UPDATE
1073+public.packageset = SELECT
1074+public.packagesetgroup = SELECT
1075+public.packagesetinclusion = SELECT
1076+public.packagesetsources = SELECT
1077+public.person = SELECT
1078 public.pocketchroot = SELECT, INSERT, UPDATE
1079+public.processor = SELECT
1080+public.processorfamily = SELECT
1081 public.product = SELECT
1082 public.productseries = SELECT
1083+public.publisherconfig = SELECT
1084+public.section = SELECT
1085 public.seriessourcepackagebranch = SELECT
1086-public.component = SELECT
1087-public.section = SELECT
1088+public.sourcepackagename = SELECT
1089+public.sourcepackagepublishinghistory = SELECT
1090 public.sourcepackagerecipe = SELECT
1091 public.sourcepackagerecipebuild = SELECT, UPDATE
1092 public.sourcepackagerecipebuildjob = SELECT, INSERT, UPDATE, DELETE
1093 public.sourcepackagerecipedata = SELECT
1094 public.sourcepackagerecipedatainstruction = SELECT
1095-public.person = SELECT
1096-public.emailaddress = SELECT
1097+public.sourcepackagerelease = SELECT
1098+public.sourcepackagereleasefile = SELECT
1099 public.teammembership = SELECT
1100-public.gpgkey = SELECT
1101-public.packageset = SELECT
1102-public.packagesetgroup = SELECT
1103-public.packagesetsources = SELECT
1104-public.packagesetinclusion = SELECT
1105-public.flatpackagesetinclusion = SELECT
1106 public.teamparticipation = SELECT
1107 public.translationimportqueueentry = SELECT, INSERT, UPDATE
1108 public.translationtemplatesbuild = SELECT, INSERT
1109-public.publisherconfig = SELECT
1110+type=user
1111
1112 [ppa-apache-log-parser]
1113-type=user
1114 groups=script
1115-public.person = SELECT
1116 public.archive = SELECT
1117+public.binarypackagefile = SELECT
1118 public.binarypackagepublishinghistory = SELECT
1119 public.binarypackagerelease = SELECT
1120-public.binarypackagefile = SELECT
1121-public.libraryfilealias = SELECT
1122 public.binarypackagereleasedownloadcount = SELECT, INSERT, UPDATE
1123 public.country = SELECT
1124+public.libraryfilealias = SELECT
1125 public.parsedapachelog = SELECT, INSERT, UPDATE
1126+public.person = SELECT
1127+type=user
1128
1129 [initialisedistroseries]
1130-type=user
1131 groups=script
1132 public.archive = SELECT
1133 public.archivepermission = SELECT, INSERT
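Review bot: In [archivepublisher] the comment `# INSERT for publisherconfig only required for the test suite.` is removed while `public.publisherconfig = SELECT, INSERT` stays, so the role keeps a write grant with no remaining record that production does not need it. Either carry that note into the file header or follow up by narrowing the grant to SELECT. The same block also loses `# Closing bugs for publication copies.`, which explained the bug and message grants.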
1134@@ -1015,9 +969,9 @@
1135 public.sourcepackagepublishinghistory = SELECT, INSERT
1136 public.sourcepackagerelease = SELECT
1137 public.sourcepackagereleasefile = SELECT
1138+type=user
1139
1140 [sync_packages]
1141-type=user
1142 groups=script
1143 public.archive = SELECT
1144 public.archivepermission = SELECT, INSERT
1145@@ -1058,9 +1012,9 @@
1146 public.sourcepackagepublishinghistory = SELECT, INSERT
1147 public.sourcepackagerelease = SELECT
1148 public.sourcepackagereleasefile = SELECT, INSERT, UPDATE
1149+type=user
1150
1151 [distroseriesdifferencejob]
1152-type=user
1153 groups=script
1154 public.archive = SELECT
1155 public.distribution = SELECT
1156@@ -1075,21 +1029,20 @@
1157 public.sourcepackagename = SELECT
1158 public.sourcepackagepublishinghistory = SELECT
1159 public.sourcepackagerelease = SELECT
1160+type=user
1161
1162 [write]
1163-type=group
1164-# Full access except for tables that are exclusively updated by
1165-# certain processes, such as the librarian tables. This group is deprecated -
1166-# access should be explicitly granted to users.
1167 public.account = SELECT, INSERT, UPDATE
1168 public.accountpassword = SELECT, INSERT
1169 public.archive = SELECT, INSERT, UPDATE
1170+public.archivearch = SELECT, INSERT, UPDATE, DELETE
1171 public.archivejob = SELECT, INSERT
1172-public.archivearch = SELECT, INSERT, UPDATE, DELETE
1173-public.binarypackagerelease = SELECT, INSERT, UPDATE
1174+public.binarypackagebuild = SELECT, INSERT, UPDATE
1175 public.binarypackagefile = SELECT, INSERT, UPDATE
1176 public.binarypackagefilepublishing = SELECT, INSERT, UPDATE
1177 public.binarypackagename = SELECT, INSERT, UPDATE
1178+public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
1179+public.binarypackagerelease = SELECT, INSERT, UPDATE
1180 public.bounty = SELECT, INSERT, UPDATE
1181 public.bountymessage = SELECT, INSERT
1182 public.branch = SELECT, INSERT, UPDATE
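Review bot: The comment removed from [write] carried the statement that the group is deprecated and that access should be granted explicitly to users. With it gone, nothing in the file discourages adding new `groups=write` members, and [branchscanner], [gina] and [archivepublisher] elsewhere in this diff still rely on the group. Keep the deprecation notice, in the file header if in-block comments cannot survive the sort.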
1183@@ -1103,36 +1056,30 @@
1184 public.bugproductinfestation = SELECT, INSERT, UPDATE
1185 public.bugsubscription = SELECT, INSERT, UPDATE, DELETE
1186 public.bugsubscriptionfilter = SELECT, INSERT, UPDATE, DELETE
1187+public.bugsubscriptionfilterimportance = SELECT, INSERT, UPDATE, DELETE
1188 public.bugsubscriptionfiltermute = SELECT, INSERT, UPDATE, DELETE
1189 public.bugsubscriptionfilterstatus = SELECT, INSERT, UPDATE, DELETE
1190-public.bugsubscriptionfilterimportance = SELECT, INSERT, UPDATE, DELETE
1191 public.bugsubscriptionfiltertag = SELECT, INSERT, UPDATE, DELETE
1192 public.bugtask = SELECT, INSERT, UPDATE, DELETE
1193 public.bugtracker = SELECT, INSERT, UPDATE, DELETE
1194 public.bugtrackeralias = SELECT, INSERT, UPDATE, DELETE
1195 public.bugwatch = SELECT, INSERT, UPDATE, DELETE
1196-public.buildfarmjob = SELECT, INSERT, UPDATE
1197-public.packagebuild = SELECT, INSERT, UPDATE
1198-public.binarypackagebuild = SELECT, INSERT, UPDATE
1199 public.builder = SELECT, INSERT, UPDATE
1200+public.buildfarmjob = SELECT, INSERT, UPDATE
1201+public.buildpackagejob = SELECT, INSERT, UPDATE, DELETE
1202 public.buildqueue = SELECT, INSERT, UPDATE, DELETE
1203-public.job = SELECT, INSERT, UPDATE, DELETE
1204-public.buildpackagejob = SELECT, INSERT, UPDATE, DELETE
1205 public.component = SELECT, INSERT, UPDATE
1206 public.componentselection = SELECT, INSERT, UPDATE
1207 public.country = SELECT, INSERT, UPDATE
1208 public.distribution = SELECT, INSERT, UPDATE
1209 public.distroarchseries = SELECT, INSERT, UPDATE
1210+public.distrocomponentuploader = SELECT, INSERT, UPDATE
1211 public.distroseries = SELECT, INSERT, UPDATE
1212-public.openidrpsummary = SELECT, INSERT, UPDATE
1213-public.packageupload = SELECT, INSERT, UPDATE
1214-public.packageuploadbuild = SELECT, INSERT, UPDATE
1215-public.packageuploadsource = SELECT, INSERT, UPDATE
1216-public.packageuploadcustom = SELECT, INSERT, UPDATE
1217-public.distrocomponentuploader = SELECT, INSERT, UPDATE
1218 public.emailaddress = SELECT, INSERT, UPDATE
1219+public.gpgkey = SELECT, INSERT, UPDATE, DELETE
1220 public.ircid = SELECT, INSERT, UPDATE, DELETE
1221 public.jabberid = SELECT, INSERT, UPDATE, DELETE
1222+public.job = SELECT, INSERT, UPDATE, DELETE
1223 public.karma = SELECT, INSERT, UPDATE
1224 public.karmaaction = SELECT, INSERT, UPDATE
1225 public.language = SELECT, INSERT, UPDATE
1226@@ -1140,18 +1087,22 @@
1227 public.libraryfilealias = SELECT, INSERT
1228 public.libraryfilecontent = SELECT, INSERT
1229 public.logintoken = SELECT, INSERT, UPDATE
1230+public.message = SELECT, INSERT, UPDATE
1231+public.milestone = SELECT, INSERT, UPDATE
1232 public.mirror = SELECT, INSERT, UPDATE, DELETE
1233 public.mirrorcontent = SELECT, INSERT, UPDATE, DELETE
1234 public.mirrorsourcecontent = SELECT, INSERT, UPDATE, DELETE
1235-public.teammembership = SELECT, INSERT, UPDATE, DELETE
1236-public.message = SELECT, INSERT, UPDATE
1237-public.milestone = SELECT, INSERT, UPDATE
1238-public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE, DELETE
1239+public.openidrpsummary = SELECT, INSERT, UPDATE
1240+public.packagebuild = SELECT, INSERT, UPDATE
1241 public.packageselection = SELECT, INSERT, UPDATE
1242+public.packageupload = SELECT, INSERT, UPDATE
1243+public.packageuploadbuild = SELECT, INSERT, UPDATE
1244+public.packageuploadcustom = SELECT, INSERT, UPDATE
1245+public.packageuploadsource = SELECT, INSERT, UPDATE
1246 public.packaging = SELECT, INSERT, UPDATE
1247 public.person = SELECT, INSERT, UPDATE
1248-public.personsettings = SELECT, INSERT, UPDATE
1249 public.personlanguage = SELECT, INSERT, UPDATE
1250+public.personsettings = SELECT, INSERT, UPDATE
1251 public.pocketchroot = SELECT, INSERT, UPDATE
1252 public.pocomment = SELECT, INSERT, UPDATE
1253 public.pofile = SELECT, INSERT, UPDATE
1254@@ -1164,8 +1115,8 @@
1255 public.processor = SELECT, INSERT, UPDATE
1256 public.processorfamily = SELECT, INSERT, UPDATE
1257 public.product = SELECT, INSERT, UPDATE
1258+public.productcvsmodule = SELECT, INSERT, UPDATE
1259 public.productlicense = SELECT, INSERT, UPDATE, DELETE
1260-public.productcvsmodule = SELECT, INSERT, UPDATE
1261 public.productrelease = SELECT, INSERT, UPDATE
1262 public.productreleasefile = SELECT, INSERT, UPDATE
1263 public.productseries = SELECT, INSERT, UPDATE
1264@@ -1183,15 +1134,15 @@
1265 public.sourcepackagerelease = SELECT, INSERT, UPDATE
1266 public.sourcepackagereleasefile = SELECT, INSERT, UPDATE
1267 public.spokenin = SELECT, INSERT, UPDATE
1268-public.gpgkey = SELECT, INSERT, UPDATE, DELETE
1269 public.sshkey = SELECT, INSERT, UPDATE, DELETE
1270+public.teammembership = SELECT, INSERT, UPDATE, DELETE
1271 public.teamparticipation = SELECT, INSERT, UPDATE, DELETE
1272 public.translationimportqueueentry = SELECT, INSERT, UPDATE, DELETE
1273 public.translationtemplateitem = SELECT, INSERT, UPDATE, DELETE
1274 public.wikiname = SELECT, INSERT, UPDATE, DELETE
1275+type=group
1276
1277 [shipit]
1278-type=user
1279 groups=script
1280 public.account = SELECT
1281 public.continent = SELECT
1282@@ -1209,10 +1160,9 @@
1283 public.standardshipitrequest = SELECT
1284 public.validpersoncache = SELECT
1285 public.validpersonorteamcache = SELECT
1286+type=user
1287
1288 [standingupdater]
1289-# For the personal standing updater cron script.
1290-type=user
1291 groups=script
1292 public.emailaddress = SELECT
1293 public.mailinglist = SELECT
1294@@ -1220,10 +1170,9 @@
1295 public.messageapproval = SELECT
1296 public.person = SELECT, UPDATE
1297 public.teamparticipation = SELECT
1298+type=user
1299
1300 [answertracker]
1301-# User running expire-questions.py
1302-type=user
1303 groups=script
1304 public.account = SELECT, INSERT
1305 public.accountpassword = SELECT, INSERT
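Review bot: The removed `# User running expire-questions.py` in [answertracker] was the only link between this database role and the script that connects as it, which is the first thing needed when auditing or trimming the grants. Purpose lines like this sit above the settings rather than among them, so the auditor could keep a comment that immediately follows a section header and still sort everything below it.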
1306@@ -1232,8 +1181,8 @@
1307 public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1308 public.bugtask = SELECT
1309 public.distribution = SELECT
1310+public.emailaddress = SELECT
1311 public.faq = SELECT
1312-public.emailaddress = SELECT
1313 public.job = SELECT, UPDATE
1314 public.language = SELECT
1315 public.message = SELECT, INSERT
1316@@ -1250,339 +1199,299 @@
1317 public.teammembership = SELECT
1318 public.validpersoncache = SELECT
1319 public.validpersonorteamcache = SELECT
1320+type=user
1321
1322 [uploader]
1323-type=user
1324 groups=script,uploading
1325+type=user
1326
1327 [uploading]
1328-type=group
1329-# Everything is keyed off an archive
1330+public.account = SELECT, INSERT
1331+public.accountpassword = SELECT, INSERT
1332+public.answercontact = SELECT
1333 public.archive = SELECT, INSERT, UPDATE
1334 public.archivearch = SELECT, INSERT, UPDATE
1335-public.packageset = SELECT
1336-public.packagesetgroup = SELECT
1337-public.packagesetsources = SELECT
1338-public.packagesetinclusion = SELECT
1339-public.flatpackagesetinclusion = SELECT
1340-
1341-# This block is granted insert in order to be able to create maintainers
1342-# on the fly when we encounter them.
1343-public.account = SELECT, INSERT
1344-public.accountpassword = SELECT, INSERT
1345-public.person = SELECT, INSERT, UPDATE
1346-public.personsettings = SELECT, INSERT
1347-public.emailaddress = SELECT, INSERT, UPDATE
1348-public.teamparticipation = SELECT, INSERT
1349-public.teammembership = SELECT
1350-public.wikiname = SELECT, INSERT
1351-public.validpersoncache = SELECT
1352-public.validpersonorteamcache = SELECT
1353-
1354-# I didn't want to give it INSERT and if someone can fix the gpg-coc story
1355-# So that it works with my key in place then nascentupload.txt won't have
1356-# to insert it.
1357-public.gpgkey = SELECT, INSERT
1358-public.signedcodeofconduct = SELECT
1359-public.distribution = SELECT, UPDATE
1360-public.distributionjob = SELECT, INSERT
1361-public.distroseries = SELECT, UPDATE
1362-public.distroarchseries = SELECT
1363-public.sourcepackagepublishinghistory = SELECT, INSERT
1364-public.distributionsourcepackage = SELECT, INSERT, UPDATE
1365-public.sourcepackagefilepublishing = SELECT
1366+public.archivepermission = SELECT
1367+public.binarypackagebuild = SELECT, INSERT, UPDATE
1368+public.binarypackagefile = SELECT, INSERT
1369 public.binarypackagefilepublishing = SELECT
1370-public.binarypackagepublishinghistory = SELECT
1371-public.component = SELECT, INSERT
1372-public.section = SELECT, INSERT
1373-public.componentselection = SELECT
1374-public.sectionselection = SELECT
1375-public.distrocomponentuploader = SELECT
1376-public.archivepermission = SELECT
1377-public.processor = SELECT
1378-public.processorfamily = SELECT
1379-public.sourcepackageformatselection = SELECT
1380-
1381-# Source and Binary packages and builds
1382-public.sourcepackagename = SELECT, INSERT
1383-public.sourcepackagerelease = SELECT, INSERT, UPDATE
1384 public.binarypackagename = SELECT, INSERT
1385+public.binarypackagepublishinghistory = SELECT
1386 public.binarypackagerelease = SELECT, INSERT
1387-public.sourcepackagereleasefile = SELECT, INSERT
1388-public.binarypackagefile = SELECT, INSERT
1389-public.pocketchroot = SELECT
1390-public.buildfarmjob = SELECT, INSERT, UPDATE
1391-public.packagebuild = SELECT, INSERT, UPDATE
1392-public.binarypackagebuild = SELECT, INSERT, UPDATE
1393-public.sourcepackagerecipebuild = SELECT, UPDATE
1394-public.sourcepackagerecipebuildjob = SELECT, UPDATE
1395-public.sourcepackagerecipe = SELECT, UPDATE
1396-public.buildqueue = SELECT, INSERT, UPDATE
1397+public.bug = SELECT, UPDATE
1398+public.bugactivity = SELECT, INSERT
1399+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1400+public.bugcve = SELECT, INSERT
1401+public.bugjob = SELECT, INSERT
1402+public.bugmessage = SELECT, INSERT
1403+public.bugnomination = SELECT
1404+public.bugnotification = SELECT, INSERT
1405+public.bugnotificationfilter = SELECT, INSERT
1406+public.bugnotificationrecipient = SELECT, INSERT
1407+public.bugsubscription = SELECT
1408+public.bugsubscriptionfilter = SELECT
1409+public.bugsubscriptionfilterimportance = SELECT
1410+public.bugsubscriptionfilterstatus = SELECT
1411+public.bugsubscriptionfiltertag = SELECT
1412+public.bugtag = SELECT
1413+public.bugtask = SELECT, UPDATE
1414+public.bugtracker = SELECT, INSERT
1415+public.bugtrackeralias = SELECT, INSERT
1416+public.bugwatch = SELECT, INSERT
1417 public.builder = SELECT
1418+public.buildfarmjob = SELECT, INSERT, UPDATE
1419+public.buildpackagejob = SELECT, INSERT, UPDATE
1420+public.buildqueue = SELECT, INSERT, UPDATE
1421+public.component = SELECT, INSERT
1422+public.componentselection = SELECT
1423+public.cve = SELECT, INSERT
1424+public.distribution = SELECT, UPDATE
1425+public.distributionjob = SELECT, INSERT
1426+public.distributionsourcepackage = SELECT, INSERT, UPDATE
1427+public.distroarchseries = SELECT
1428+public.distrocomponentuploader = SELECT
1429+public.distroseries = SELECT, UPDATE
1430+public.emailaddress = SELECT, INSERT, UPDATE
1431+public.flatpackagesetinclusion = SELECT
1432+public.gpgkey = SELECT, INSERT
1433 public.job = SELECT, INSERT, UPDATE
1434-public.buildpackagejob = SELECT, INSERT, UPDATE
1435-
1436-# Thusly the librarian
1437+public.karma = SELECT, INSERT
1438+public.karmaaction = SELECT
1439+public.language = SELECT
1440+public.libraryfilealias = SELECT, INSERT
1441 public.libraryfilecontent = SELECT, INSERT
1442-public.libraryfilealias = SELECT, INSERT
1443-
1444-# The queue
1445+public.message = SELECT, INSERT
1446+public.messagechunk = SELECT, INSERT
1447+public.milestone = SELECT
1448+public.packagebugsupervisor = SELECT
1449+public.packagebuild = SELECT, INSERT, UPDATE
1450+public.packagediff = SELECT, INSERT, UPDATE, DELETE
1451+public.packageset = SELECT
1452+public.packagesetgroup = SELECT
1453+public.packagesetinclusion = SELECT
1454+public.packagesetsources = SELECT
1455 public.packageupload = SELECT, INSERT, UPDATE
1456-public.packageuploadsource = SELECT, INSERT
1457 public.packageuploadbuild = SELECT, INSERT
1458 public.packageuploadcustom = SELECT, INSERT
1459-
1460-# Closing bugs for premature source-only publication
1461-public.bug = SELECT, UPDATE
1462-public.bugactivity = SELECT, INSERT
1463-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1464-public.bugjob = SELECT, INSERT
1465-public.bugsubscription = SELECT
1466-public.bugsubscriptionfilter = SELECT
1467-public.bugsubscriptionfilterstatus = SELECT
1468-public.bugsubscriptionfilterimportance = SELECT
1469-public.bugsubscriptionfiltertag = SELECT
1470-public.bugnotification = SELECT, INSERT
1471-public.bugnotificationfilter = SELECT, INSERT
1472-public.bugnotificationrecipient = SELECT, INSERT
1473-public.bugnomination = SELECT
1474-public.bugtag = SELECT
1475-public.bugtask = SELECT, UPDATE
1476+public.packageuploadsource = SELECT, INSERT
1477+public.person = SELECT, INSERT, UPDATE
1478+public.personlanguage = SELECT
1479+public.personsettings = SELECT, INSERT
1480+public.pocketchroot = SELECT
1481+public.processor = SELECT
1482+public.processorfamily = SELECT
1483 public.product = SELECT, UPDATE
1484+public.productseries = SELECT
1485 public.project = SELECT, UPDATE
1486-public.bugmessage = SELECT, INSERT
1487-public.message = SELECT, INSERT
1488-public.messagechunk = SELECT, INSERT
1489-public.productseries = SELECT
1490-public.karmaaction = SELECT
1491-public.karma = SELECT, INSERT
1492+public.question = SELECT
1493 public.questionbug = SELECT
1494-public.question = SELECT
1495-public.packagebugsupervisor = SELECT
1496-public.milestone = SELECT
1497-public.bugwatch = SELECT, INSERT
1498-public.bugtracker = SELECT, INSERT
1499-public.bugtrackeralias = SELECT, INSERT
1500-public.cve = SELECT, INSERT
1501-public.bugcve = SELECT, INSERT
1502-public.language = SELECT
1503 public.questionsubscription = SELECT
1504-public.answercontact = SELECT
1505-public.personlanguage = SELECT
1506+public.section = SELECT, INSERT
1507+public.sectionselection = SELECT
1508+public.signedcodeofconduct = SELECT
1509+public.sourcepackagefilepublishing = SELECT
1510+public.sourcepackageformatselection = SELECT
1511+public.sourcepackagename = SELECT, INSERT
1512+public.sourcepackagepublishinghistory = SELECT, INSERT
1513+public.sourcepackagerecipe = SELECT, UPDATE
1514+public.sourcepackagerecipebuild = SELECT, UPDATE
1515+public.sourcepackagerecipebuildjob = SELECT, UPDATE
1516+public.sourcepackagerelease = SELECT, INSERT, UPDATE
1517+public.sourcepackagereleasefile = SELECT, INSERT
1518 public.structuralsubscription = SELECT
1519-
1520-# Diffing against ancestry and maintenance tasks.
1521-public.packagediff = SELECT, INSERT, UPDATE, DELETE
1522+public.teammembership = SELECT
1523+public.teamparticipation = SELECT, INSERT
1524+public.validpersoncache = SELECT
1525+public.validpersonorteamcache = SELECT
1526+public.wikiname = SELECT, INSERT
1527+type=group
1528
1529 [queued]
1530-type=user
1531 groups=script
1532-# Announce handling
1533 public.account = SELECT, INSERT
1534+public.answercontact = SELECT
1535+public.archive = SELECT, UPDATE
1536+public.archivearch = SELECT, UPDATE
1537+public.archivepermission = SELECT
1538+public.binarypackagebuild = SELECT, INSERT, UPDATE
1539+public.binarypackagefile = SELECT, UPDATE
1540+public.binarypackagefilepublishing = SELECT
1541+public.binarypackagename = SELECT
1542+public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE
1543+public.binarypackagerelease = SELECT, UPDATE
1544+public.bug = SELECT, UPDATE
1545+public.bugactivity = SELECT, INSERT
1546+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1547+public.bugcve = SELECT, INSERT
1548+public.bugjob = SELECT, INSERT
1549+public.bugmessage = SELECT, INSERT
1550+public.bugnomination = SELECT
1551+public.bugnotification = SELECT, INSERT
1552+public.bugnotificationfilter = SELECT, INSERT
1553+public.bugnotificationrecipient = SELECT, INSERT
1554+public.bugsubscription = SELECT
1555+public.bugsubscriptionfilter = SELECT
1556+public.bugsubscriptionfilterimportance = SELECT
1557+public.bugsubscriptionfilterstatus = SELECT
1558+public.bugsubscriptionfiltertag = SELECT
1559+public.bugtag = SELECT
1560+public.bugtask = SELECT, UPDATE
1561+public.bugtracker = SELECT, INSERT
1562+public.bugtrackeralias = SELECT, INSERT
1563+public.bugwatch = SELECT, INSERT
1564+public.buildfarmjob = SELECT, INSERT, UPDATE
1565+public.buildpackagejob = SELECT, INSERT, UPDATE
1566+public.buildqueue = SELECT, INSERT, UPDATE
1567+public.component = SELECT
1568+public.componentselection = SELECT
1569+public.cve = SELECT, INSERT
1570+public.distribution = SELECT, UPDATE
1571 public.distributionjob = SELECT, INSERT
1572-public.person = SELECT, INSERT
1573-public.personsettings = SELECT, INSERT
1574+public.distributionsourcepackage = SELECT, INSERT, UPDATE
1575+public.distroarchseries = SELECT
1576+public.distrocomponentuploader = SELECT
1577+public.distroseries = SELECT
1578 public.emailaddress = SELECT, INSERT, UPDATE
1579-public.teamparticipation = SELECT, INSERT
1580-public.teammembership = SELECT
1581+public.flatpackagesetinclusion = SELECT
1582 public.gpgkey = SELECT
1583-
1584-# The Queue
1585+public.job = SELECT, INSERT, UPDATE
1586+public.karma = SELECT, INSERT
1587+public.karmaaction = SELECT
1588+public.language = SELECT
1589+public.libraryfilealias = SELECT, INSERT
1590+public.libraryfilecontent = SELECT, INSERT
1591+public.message = SELECT, INSERT
1592+public.messagechunk = SELECT, INSERT
1593+public.milestone = SELECT
1594+public.packagebugsupervisor = SELECT
1595+public.packagebuild = SELECT, INSERT, UPDATE
1596+public.packagediff = SELECT, UPDATE
1597+public.packageset = SELECT
1598+public.packagesetgroup = SELECT
1599+public.packagesetinclusion = SELECT
1600+public.packagesetsources = SELECT
1601 public.packageupload = SELECT, UPDATE
1602-public.packageuploadsource = SELECT
1603 public.packageuploadbuild = SELECT
1604 public.packageuploadcustom = SELECT, UPDATE
1605-
1606-# Distribution/Publishing stuff
1607-public.archive = SELECT, UPDATE
1608-public.archivearch = SELECT, UPDATE
1609-public.archivepermission = SELECT
1610-public.distribution = SELECT, UPDATE
1611-public.distroseries = SELECT
1612-public.distroarchseries = SELECT
1613+public.packageuploadsource = SELECT
1614+public.packaging = SELECT
1615+public.person = SELECT, INSERT
1616+public.personlanguage = SELECT
1617+public.personsettings = SELECT, INSERT
1618+public.pocketchroot = SELECT
1619+public.pofile = SELECT
1620+public.potemplate = SELECT
1621 public.processor = SELECT
1622 public.processorfamily = SELECT
1623-public.distrocomponentuploader = SELECT
1624-public.buildfarmjob = SELECT, INSERT, UPDATE
1625-public.packagebuild = SELECT, INSERT, UPDATE
1626-public.binarypackagebuild = SELECT, INSERT, UPDATE
1627-public.buildqueue = SELECT, INSERT, UPDATE
1628-public.job = SELECT, INSERT, UPDATE
1629-public.buildpackagejob = SELECT, INSERT, UPDATE
1630-public.pocketchroot = SELECT
1631+public.product = SELECT, UPDATE
1632+public.productseries = SELECT
1633+public.project = SELECT, UPDATE
1634+public.publisherconfig = SELECT
1635+public.question = SELECT
1636+public.questionbug = SELECT
1637+public.questionsubscription = SELECT
1638+public.section = SELECT
1639+public.sectionselection = SELECT
1640+public.sourcepackagefilepublishing = SELECT
1641+public.sourcepackagename = SELECT
1642+public.sourcepackagepublishinghistory = SELECT, INSERT, UPDATE
1643+public.sourcepackagerecipebuild = SELECT
1644+public.sourcepackagerecipebuildjob = SELECT, INSERT, UPDATE
1645 public.sourcepackagerelease = SELECT, UPDATE
1646-public.binarypackagerelease = SELECT, UPDATE
1647 public.sourcepackagereleasefile = SELECT, UPDATE
1648-public.binarypackagefile = SELECT, UPDATE
1649-public.sourcepackagename = SELECT
1650-public.binarypackagename = SELECT
1651-public.sourcepackagefilepublishing = SELECT
1652-public.binarypackagefilepublishing = SELECT
1653-public.sourcepackagepublishinghistory = SELECT, INSERT, UPDATE
1654-public.distributionsourcepackage = SELECT, INSERT, UPDATE
1655-public.binarypackagepublishinghistory = SELECT, INSERT, UPDATE
1656-public.sourcepackagerecipebuild = SELECT
1657-public.sourcepackagerecipebuildjob = SELECT, INSERT, UPDATE
1658-public.component = SELECT
1659-public.componentselection = SELECT
1660-public.sectionselection = SELECT
1661-public.packagediff = SELECT, UPDATE
1662-public.publisherconfig = SELECT
1663-
1664-# Librarian stuff
1665-public.libraryfilealias = SELECT, INSERT
1666-public.libraryfilecontent = SELECT, INSERT
1667-
1668-# rosetta auto imports
1669-public.packaging = SELECT
1670-public.pofile = SELECT
1671-public.potemplate = SELECT
1672+public.structuralsubscription = SELECT
1673+public.teammembership = SELECT
1674+public.teamparticipation = SELECT, INSERT
1675 public.translationgroup = SELECT
1676 public.translationimportqueueentry = SELECT, INSERT, UPDATE
1677-
1678-# Closing bugs.
1679-public.bug = SELECT, UPDATE
1680-public.bugactivity = SELECT, INSERT
1681-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1682-public.bugjob = SELECT, INSERT
1683-public.bugsubscription = SELECT
1684-public.bugsubscriptionfilter = SELECT
1685-public.bugsubscriptionfilterstatus = SELECT
1686-public.bugsubscriptionfilterimportance = SELECT
1687-public.bugsubscriptionfiltertag = SELECT
1688-public.bugnotification = SELECT, INSERT
1689-public.bugnotificationfilter = SELECT, INSERT
1690-public.bugnotificationrecipient = SELECT, INSERT
1691-public.bugnomination = SELECT
1692-public.bugtag = SELECT
1693-public.bugtask = SELECT, UPDATE
1694-public.product = SELECT, UPDATE
1695-public.project = SELECT, UPDATE
1696-public.bugmessage = SELECT, INSERT
1697-public.message = SELECT, INSERT
1698-public.messagechunk = SELECT, INSERT
1699-public.productseries = SELECT
1700 public.validpersoncache = SELECT
1701 public.validpersonorteamcache = SELECT
1702-public.karmaaction = SELECT
1703-public.karma = SELECT, INSERT
1704-public.questionbug = SELECT
1705-public.question = SELECT
1706-public.packagebugsupervisor = SELECT
1707-public.milestone = SELECT
1708-public.bugwatch = SELECT, INSERT
1709-public.bugtracker = SELECT, INSERT
1710-public.bugtrackeralias = SELECT, INSERT
1711-public.cve = SELECT, INSERT
1712-public.bugcve = SELECT, INSERT
1713-public.language = SELECT
1714-public.questionsubscription = SELECT
1715-public.answercontact = SELECT
1716-public.personlanguage = SELECT
1717-public.section = SELECT
1718-public.structuralsubscription = SELECT
1719-public.packageset = SELECT
1720-public.packagesetgroup = SELECT
1721-public.packagesetsources = SELECT
1722-public.packagesetinclusion = SELECT
1723-public.flatpackagesetinclusion = SELECT
1724-
1725+type=user
1726
1727 [ppad]
1728-type=user
1729 groups=script
1730 public.archive = SELECT
1731 public.archivearch = SELECT
1732 public.person = SELECT
1733+type=user
1734
1735 [session]
1736-# This user doesn't have access to any tables in the main launchpad
1737-# database - it has permissions on the seperate session database only,
1738-# which are not maintained by this script. User is just here so it gets
1739-# created if necessary.
1740 type=user
1741
1742 [bugnotification]
1743-# Sends bug notifications.
1744-# XXX: BjornT 2006-03-31:
1745-# All the INSERT permissions, and the UPDATE permission for the bug
1746-# table are necessary only because the test that test
1747-# send-bug-notifications.py needs them. They should be removed
1748-# when bug 37456 is fixed.
1749-type=user
1750 groups=script
1751 public.account = SELECT
1752 public.answercontact = SELECT
1753 public.archive = SELECT
1754 public.archivearch = SELECT
1755+public.bug = SELECT, INSERT, UPDATE
1756+public.bugactivity = SELECT, INSERT
1757+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1758 public.bugattachment = SELECT
1759+public.bugjob = SELECT, INSERT
1760+public.bugmessage = SELECT, INSERT
1761+public.bugnomination = SELECT
1762 public.bugnotification = SELECT, INSERT, UPDATE
1763 public.bugnotificationfilter = SELECT, INSERT
1764 public.bugnotificationrecipient = SELECT, INSERT, UPDATE
1765 public.bugsubscription = SELECT, INSERT
1766 public.bugsubscriptionfilter = SELECT, INSERT
1767+public.bugsubscriptionfilterimportance = SELECT, INSERT
1768 public.bugsubscriptionfiltermute = SELECT, INSERT
1769 public.bugsubscriptionfilterstatus = SELECT, INSERT
1770-public.bugsubscriptionfilterimportance = SELECT, INSERT
1771 public.bugsubscriptionfiltertag = SELECT, INSERT
1772-public.bugnomination = SELECT
1773-public.bug = SELECT, INSERT, UPDATE
1774-public.bugactivity = SELECT, INSERT
1775-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1776-public.bugjob = SELECT, INSERT
1777-public.bugmessage = SELECT, INSERT
1778 public.bugtag = SELECT
1779 public.bugtask = SELECT, INSERT, UPDATE
1780 public.bugwatch = SELECT
1781+public.component = SELECT
1782 public.distribution = SELECT, UPDATE
1783+public.distributionsourcepackage = SELECT, INSERT, UPDATE
1784+public.distroseries = SELECT
1785+public.emailaddress = SELECT
1786 public.job = SELECT, INSERT, UPDATE
1787-public.component = SELECT
1788+public.language = SELECT
1789+public.libraryfilealias = SELECT
1790+public.libraryfilecontent = SELECT
1791+public.message = SELECT, INSERT
1792+public.messagechunk = SELECT, INSERT
1793+public.milestone = SELECT
1794 public.packagebugsupervisor = SELECT
1795 public.person = SELECT
1796+public.personlanguage = SELECT
1797 public.personsettings = SELECT
1798-public.personlanguage = SELECT
1799 public.product = SELECT, UPDATE
1800+public.productseries = SELECT
1801 public.project = SELECT, UPDATE
1802-public.productseries = SELECT
1803 public.question = SELECT
1804 public.questionbug = SELECT
1805 public.questionsubscription = SELECT
1806-public.distributionsourcepackage = SELECT, INSERT, UPDATE
1807-public.distroseries = SELECT
1808 public.section = SELECT
1809 public.sourcepackagename = SELECT
1810+public.sourcepackagepublishinghistory = SELECT
1811 public.sourcepackagerelease = SELECT
1812-public.sourcepackagepublishinghistory = SELECT
1813-public.emailaddress = SELECT
1814-public.libraryfilealias = SELECT
1815-public.libraryfilecontent = SELECT
1816-public.message = SELECT, INSERT
1817-public.messagechunk = SELECT, INSERT
1818-public.milestone = SELECT
1819 public.structuralsubscription = SELECT
1820 public.teammembership = SELECT
1821 public.teamparticipation = SELECT
1822 public.validpersoncache = SELECT
1823 public.validpersonorteamcache = SELECT
1824-public.language = SELECT
1825+type=user
1826
1827 [personnotification]
1828-type=user
1829 groups=script
1830+public.emailaddress = SELECT
1831+public.libraryfilealias = SELECT
1832+public.libraryfilecontent = SELECT
1833+public.message = SELECT
1834+public.messagechunk = SELECT
1835+public.person = SELECT
1836 public.personnotification = SELECT, UPDATE, DELETE
1837-public.person = SELECT
1838-public.emailaddress = SELECT
1839-public.libraryfilealias = SELECT
1840-public.libraryfilecontent = SELECT
1841-public.message = SELECT
1842-public.messagechunk = SELECT
1843 public.teammembership = SELECT
1844 public.teamparticipation = SELECT
1845 public.validpersoncache = SELECT
1846 public.validpersonorteamcache = SELECT
1847+type=user
1848
1849 [rosettaadmin]
1850-type=user
1851 groups=script
1852 public.customlanguagecode = SELECT, INSERT, UPDATE, DELETE
1853 public.distribution = SELECT
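Review bot: In [bugnotification], the removed `# XXX: BjornT 2006-03-31` comment recorded that the INSERT grants and the UPDATE grant on the bug table are needed only by the test for send-bug-notifications.py and should be removed when bug 37456 is fixed. After this hunk the section still carries `public.bug = SELECT, INSERT, UPDATE`, with nothing marking it as temporary excess privilege. Please carry that note into the file header, next to the new comments about empty permission sets, or into the bug itself, so the cleanup is not forgotten. The dropped [session] comment, which explained why that user has no table grants in this file, deserves the same treatment.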
1854@@ -1611,12 +1520,11 @@
1855 public.translationmessage = SELECT, INSERT, UPDATE, DELETE
1856 public.translationrelicensingagreement = SELECT
1857 public.translationtemplateitem = SELECT, INSERT, UPDATE, DELETE
1858+public.translator = SELECT
1859 public.validpersoncache = SELECT
1860-public.translator = SELECT
1861+type=user
1862
1863-# Any script that approves translation uploads.
1864 [translations_approval]
1865-type=group
1866 public.customlanguagecode = SELECT
1867 public.distribution = SELECT
1868 public.distroseries = SELECT
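Review bot: `type=` now sorts to the end of every section while `groups=` stays at the top, so for [translations_approval] the `type=group` line leaves this hunk and only reappears after the last `public.*` entry. In long sections that makes it hard to tell at a glance whether a block defines a login user or a group that other sections inherit from, as in `groups=branchscanner,translations_approval`. Consider having the auditor emit `type` and `groups` first and alphabetize only the `public.*` grants.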
1869@@ -1638,14 +1546,14 @@
1870 public.translationrelicensingagreement = SELECT
1871 public.translationtemplateitem = SELECT
1872 public.translator = SELECT
1873+type=group
1874
1875 [translationsbranchscanner]
1876-type=user
1877 groups=branchscanner,translations_approval
1878 public.translationtemplatesbuild = SELECT, INSERT
1879+type=user
1880
1881 [translationstobranch]
1882-type=user
1883 groups=script
1884 public.account = SELECT
1885 public.branch = SELECT, UPDATE
1886@@ -1666,166 +1574,124 @@
1887 public.teammembership = SELECT
1888 public.translationmessage = SELECT
1889 public.translationtemplateitem = SELECT
1890+type=user
1891
1892 [oopsprune]
1893-type=user
1894 groups=script
1895 public.bug = SELECT
1896 public.bugtask = SELECT
1897 public.message = SELECT
1898 public.messagechunk = SELECT
1899 public.question = SELECT
1900+type=user
1901
1902 [listteammembers]
1903-type=user
1904 public.emailaddress = SELECT
1905 public.person = SELECT
1906 public.signedcodeofconduct = SELECT
1907 public.sshkey = SELECT
1908 public.teamparticipation = SELECT
1909-
1910-# This group is now created automatically
1911-# Readonly access to everything
1912-#[read]
1913-#type=group
1914-
1915-# This group is now created automatically
1916-# Full access to everything.
1917-# [admin]
1918-# type=group
1919+type=user
1920
1921 [processmail]
1922-type=user
1923 groups=script
1924-
1925-# Incoming emails are stored in the librarian
1926-public.libraryfilealias = SELECT, INSERT
1927-public.libraryfilecontent = SELECT, INSERT
1928-
1929-# Access to people
1930 public.account = SELECT, INSERT
1931 public.accountpassword = SELECT, INSERT
1932-public.emailaddress = SELECT
1933-public.gpgkey = SELECT
1934-public.language = SELECT
1935-public.person = SELECT, UPDATE
1936-public.personlanguage = SELECT
1937-public.personsettings = SELECT
1938-public.teammembership = SELECT
1939-public.teamparticipation = SELECT
1940-public.validpersoncache = SELECT
1941-public.validpersonorteamcache = SELECT
1942-
1943-# Access to BugTargets, QuestionTarget and SpecTarget
1944+public.answercontact = SELECT
1945 public.archive = SELECT
1946 public.archivearch = SELECT
1947-public.component = SELECT
1948-public.distribution = SELECT, UPDATE
1949-public.distributionsourcepackage = SELECT, INSERT, UPDATE
1950-public.distrocomponentuploader = SELECT
1951 public.archivepermission = SELECT
1952-public.distroseries = SELECT
1953-public.project = SELECT, UPDATE
1954-public.product = SELECT, UPDATE
1955-public.productseries = SELECT
1956-public.packagebugsupervisor = SELECT
1957-public.sourcepackagename = SELECT
1958-public.sourcepackagerelease = SELECT
1959-public.sourcepackagepublishinghistory = SELECT
1960-public.structuralsubscription = SELECT
1961-public.section = SELECT
1962-
1963-# Karma
1964-public.karma = SELECT, INSERT
1965-public.karmaaction = SELECT
1966-
1967-# Creation of messages (bug & question comments)
1968-public.message = SELECT, INSERT
1969-public.messagechunk = SELECT, INSERT
1970-
1971-# Bug update
1972+public.binarypackagebuild = SELECT
1973+public.binarypackagename = SELECT
1974+public.binarypackagepublishinghistory = SELECT
1975+public.binarypackagerelease = SELECT
1976+public.branch = SELECT, INSERT, UPDATE
1977+public.branchmergeproposal = SELECT, INSERT, UPDATE
1978+public.branchmergeproposaljob = SELECT, INSERT
1979+public.branchsubscription = SELECT, INSERT
1980+public.branchvisibilitypolicy = SELECT
1981 public.bug = SELECT, INSERT, UPDATE
1982 public.bugactivity = SELECT, INSERT
1983 public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
1984+public.bugattachment = SELECT, INSERT
1985+public.bugbranch = SELECT
1986+public.bugcve = SELECT, INSERT
1987 public.bugjob = SELECT, INSERT
1988-public.bugsubscription = SELECT, INSERT
1989-public.bugsubscriptionfilter = SELECT, INSERT, UPDATE, DELETE
1990-public.bugsubscriptionfilterstatus = SELECT, INSERT, UPDATE, DELETE
1991-public.bugsubscriptionfilterimportance = SELECT, INSERT, UPDATE, DELETE
1992-public.bugsubscriptionfiltertag = SELECT, INSERT, UPDATE, DELETE
1993+public.bugmessage = SELECT, INSERT
1994+public.bugnomination = SELECT, INSERT, UPDATE
1995 public.bugnotification = SELECT, INSERT
1996-public.bugnotificationfilter = SELECT, INSERT
1997 public.bugnotificationattachment = SELECT
1998+public.bugnotificationfilter = SELECT, INSERT
1999 public.bugnotificationrecipient = SELECT, INSERT
2000-public.bugnomination = SELECT, INSERT, UPDATE
2001+public.bugsubscription = SELECT, INSERT, UPDATE, DELETE
2002+public.bugsubscriptionfilter = SELECT, INSERT, UPDATE, DELETE
2003+public.bugsubscriptionfilterimportance = SELECT, INSERT, UPDATE, DELETE
2004+public.bugsubscriptionfilterstatus = SELECT, INSERT, UPDATE, DELETE
2005+public.bugsubscriptionfiltertag = SELECT, INSERT, UPDATE, DELETE
2006 public.bugtag = SELECT, INSERT, DELETE
2007 public.bugtask = SELECT, INSERT, UPDATE
2008-public.bugmessage = SELECT, INSERT
2009-public.bugsubscription = SELECT, INSERT, UPDATE, DELETE
2010 public.bugtracker = SELECT, INSERT
2011 public.bugtrackeralias = SELECT, INSERT
2012 public.bugwatch = SELECT, INSERT
2013-public.milestone = SELECT
2014-
2015-# Creating a new bugtask - checking for duplicates
2016-public.binarypackagebuild = SELECT
2017-public.binarypackagename = SELECT
2018-public.binarypackagepublishinghistory = SELECT
2019-public.binarypackagerelease = SELECT
2020-public.distroarchseries = SELECT
2021-
2022-# CVE updates
2023-public.cve = SELECT, INSERT
2024-public.bugcve = SELECT, INSERT
2025-
2026-# Adding comment to question
2027-public.faq = SELECT
2028-public.question = SELECT, UPDATE
2029-public.questionmessage = SELECT, INSERT
2030-public.questionbug = SELECT
2031-
2032-# Question notifications
2033-public.answercontact = SELECT
2034-public.questionsubscription = SELECT
2035-
2036-# Specification notifications
2037-public.specification = SELECT
2038-public.specificationsubscription = SELECT
2039-
2040-# Emails may have files attached.
2041-public.bugattachment = SELECT, INSERT
2042-
2043-# Emails for code reviews.
2044-public.branch = SELECT, INSERT, UPDATE
2045-public.branchmergeproposal = SELECT, INSERT, UPDATE
2046-public.branchmergeproposaljob = SELECT, INSERT
2047-public.branchsubscription = SELECT, INSERT
2048-public.branchvisibilitypolicy = SELECT
2049-public.bugbranch = SELECT
2050 public.codeimport = SELECT
2051 public.codereviewmessage = SELECT, INSERT
2052 public.codereviewvote = SELECT, INSERT, UPDATE
2053+public.component = SELECT
2054+public.cve = SELECT, INSERT
2055 public.diff = SELECT, INSERT, UPDATE
2056+public.distribution = SELECT, UPDATE
2057+public.distributionsourcepackage = SELECT, INSERT, UPDATE
2058+public.distroarchseries = SELECT
2059+public.distrocomponentuploader = SELECT
2060 public.distroseries = SELECT
2061+public.emailaddress = SELECT
2062+public.faq = SELECT
2063+public.gpgkey = SELECT
2064 public.job = SELECT, INSERT, UPDATE
2065+public.karma = SELECT, INSERT
2066+public.karmaaction = SELECT
2067+public.language = SELECT
2068+public.libraryfilealias = SELECT, INSERT
2069+public.libraryfilecontent = SELECT, INSERT
2070 public.mergedirectivejob = SELECT, INSERT
2071+public.message = SELECT, INSERT
2072+public.messagechunk = SELECT, INSERT
2073+public.milestone = SELECT
2074+public.packagebugsupervisor = SELECT
2075+public.person = SELECT, UPDATE
2076+public.personlanguage = SELECT
2077+public.personsettings = SELECT
2078 public.previewdiff = SELECT
2079+public.product = SELECT, UPDATE
2080+public.productseries = SELECT
2081+public.project = SELECT, UPDATE
2082+public.question = SELECT, UPDATE
2083+public.questionbug = SELECT
2084+public.questionmessage = SELECT, INSERT
2085+public.questionsubscription = SELECT
2086+public.section = SELECT
2087+public.seriessourcepackagebranch = SELECT
2088+public.sourcepackagename = SELECT
2089+public.sourcepackagepublishinghistory = SELECT
2090+public.sourcepackagerelease = SELECT
2091+public.specification = SELECT
2092+public.specificationsubscription = SELECT
2093 public.staticdiff = SELECT, INSERT, UPDATE
2094-public.sourcepackagename = SELECT
2095-public.seriessourcepackagebranch = SELECT
2096-
2097+public.structuralsubscription = SELECT
2098+public.teammembership = SELECT
2099+public.teamparticipation = SELECT
2100+public.validpersoncache = SELECT
2101+public.validpersonorteamcache = SELECT
2102+type=user
2103
2104 [mlist-sync]
2105-# The mailing list sync user
2106-type=user
2107 groups=script
2108+public.emailaddress = SELECT, UPDATE
2109 public.mailinglist = SELECT
2110 public.person = SELECT
2111-public.emailaddress = SELECT, UPDATE
2112+type=user
2113
2114 [mlist-import]
2115-# The mailing list import user
2116-type=user
2117 public.emailaddress = SELECT, INSERT, UPDATE
2118 public.mailinglist = SELECT, INSERT, UPDATE
2119 public.mailinglistsubscription = SELECT, INSERT, UPDATE
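Review bot: In [processmail] the old block listed `public.bugsubscription` twice with different grants (`SELECT, INSERT` and `SELECT, INSERT, UPDATE, DELETE`), and the alphabetized block keeps the broader one. That matches the previous effective grant only if the config reader lets the last duplicate win; please confirm that is the case before merging. It would also help if the auditor flagged duplicates whose values differ, since choosing between them is a privilege decision and not just a formatting one.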
2120@@ -1833,56 +1699,53 @@
2121 public.personsettings = SELECT, INSERT
2122 public.teammembership = SELECT, INSERT, UPDATE
2123 public.teamparticipation = SELECT, INSERT, UPDATE
2124+type=user
2125
2126 [hwdb-submission-processor]
2127-# The user that updates the HWDB with data from new submissions
2128-type=user
2129 groups=script
2130-public.person = SELECT
2131+public.hwdevice = SELECT, INSERT
2132+public.hwdeviceclass = SELECT, INSERT
2133 public.hwdevicedriverlink = SELECT, INSERT
2134 public.hwdevicenamevariant = SELECT, INSERT
2135-public.hwdevice = SELECT, INSERT
2136-public.hwdeviceclass = SELECT, INSERT
2137+public.hwdmihandle = SELECT, INSERT
2138 public.hwdmivalue = SELECT, INSERT
2139-public.hwdmihandle = SELECT, INSERT
2140 public.hwdriver = SELECT, INSERT
2141+public.hwsubmission = SELECT, UPDATE
2142 public.hwsubmissiondevice = SELECT, INSERT
2143-public.hwsubmission = SELECT, UPDATE
2144+public.hwtest = SELECT
2145+public.hwtestanswer = SELECT
2146 public.hwtestanswerchoice = SELECT
2147+public.hwtestanswercount = SELECT
2148 public.hwtestanswercountdevice = SELECT
2149-public.hwtestanswercount = SELECT
2150 public.hwtestanswerdevice = SELECT
2151-public.hwtestanswer = SELECT
2152-public.hwtest = SELECT
2153 public.hwvendorid = SELECT, INSERT
2154 public.hwvendorname = SELECT, INSERT
2155 public.libraryfilealias = SELECT
2156 public.libraryfilecontent = SELECT
2157+public.person = SELECT
2158 public.teamparticipation = SELECT
2159+type=user
2160
2161 [builddcontroller]
2162-# The user than runs the buildd controller.
2163+public.builder = SELECT, UPDATE
2164+public.processor = SELECT
2165 type=user
2166-public.processor = SELECT
2167-public.builder = SELECT, UPDATE
2168
2169 [binaryfile-expire]
2170-# The user that expires binary files from the librarian.
2171-type=user
2172 groups=script
2173 public.archive = SELECT
2174 public.binarypackagefile = SELECT
2175 public.binarypackagepublishinghistory = SELECT
2176 public.binarypackagerelease = SELECT
2177 public.distribution = SELECT
2178+public.libraryfilealias = SELECT, UPDATE
2179 public.person = SELECT
2180-public.libraryfilealias = SELECT, UPDATE
2181-public.sourcepackagereleasefile = SELECT
2182 public.sourcepackagepublishinghistory = SELECT
2183 public.sourcepackagerelease = SELECT
2184+public.sourcepackagereleasefile = SELECT
2185+type=user
2186
2187 [create-merge-proposals]
2188-type=user
2189 groups=script
2190 public.account = SELECT
2191 public.accountpassword = SELECT
2192@@ -1900,8 +1763,8 @@
2193 public.emailaddress = SELECT
2194 public.gpgkey = SELECT
2195 public.job = SELECT, INSERT, UPDATE
2196+public.karma = SELECT, INSERT
2197 public.karmaaction = SELECT
2198-public.karma = SELECT, INSERT
2199 public.libraryfilealias = SELECT, INSERT
2200 public.libraryfilecontent = SELECT, INSERT
2201 public.mergedirectivejob = SELECT
2202@@ -1916,9 +1779,9 @@
2203 public.staticdiff = SELECT, INSERT
2204 public.teamparticipation = SELECT
2205 public.validpersoncache = SELECT
2206+type=user
2207
2208 [merge-proposal-jobs]
2209-type=user
2210 groups=script
2211 public.account = SELECT
2212 public.accountpassword = SELECT
2213@@ -1939,8 +1802,8 @@
2214 public.emailaddress = SELECT
2215 public.incrementaldiff = SELECT, INSERT
2216 public.job = SELECT, INSERT, UPDATE
2217+public.karma = SELECT, INSERT
2218 public.karmaaction = SELECT
2219-public.karma = SELECT, INSERT
2220 public.libraryfilealias = SELECT, INSERT
2221 public.libraryfilecontent = SELECT, INSERT
2222 public.mergedirectivejob = SELECT
2223@@ -1957,16 +1820,16 @@
2224 public.teammembership = SELECT
2225 public.teamparticipation = SELECT
2226 public.validpersoncache = SELECT
2227+type=user
2228
2229 [upgrade-branches]
2230-type=user
2231 groups=script
2232 public.branch = SELECT, UPDATE
2233 public.branchjob = SELECT, INSERT
2234 public.job = SELECT, INSERT, UPDATE
2235+type=user
2236
2237 [send-branch-mail]
2238-type=user
2239 groups=script
2240 public.account = SELECT
2241 public.accountpassword = SELECT
2242@@ -1974,8 +1837,8 @@
2243 public.branchjob = SELECT
2244 public.branchmergeproposal = SELECT, INSERT, UPDATE
2245 public.branchmergeproposaljob = SELECT, INSERT
2246-public.branchsubscription = SELECT
2247 public.branchrevision = SELECT
2248+public.branchsubscription = SELECT
2249 public.codereviewmessage = SELECT, INSERT
2250 public.codereviewvote = SELECT, INSERT
2251 public.diff = SELECT, INSERT
2252@@ -1983,8 +1846,8 @@
2253 public.distroseries = SELECT
2254 public.emailaddress = SELECT
2255 public.job = SELECT, INSERT, UPDATE
2256+public.karma = SELECT, INSERT
2257 public.karmaaction = SELECT
2258-public.karma = SELECT, INSERT
2259 public.libraryfilealias = SELECT, INSERT
2260 public.libraryfilecontent = SELECT, INSERT
2261 public.mergedirectivejob = SELECT
2262@@ -2001,69 +1864,65 @@
2263 public.teammembership = SELECT
2264 public.teamparticipation = SELECT
2265 public.validpersoncache = SELECT
2266+type=user
2267
2268 [reclaim-branch-space]
2269-type=user
2270 groups=script
2271 public.branchjob = SELECT
2272 public.job = SELECT, UPDATE
2273+type=user
2274
2275 [updateremoteproduct]
2276-# Updates Product.remote_product using bug watch information.
2277-type=user
2278 groups=script
2279 public.account = SELECT, INSERT, UPDATE
2280+public.accountpassword = SELECT, INSERT
2281+public.bug = SELECT, INSERT, UPDATE
2282+public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
2283+public.bugjob = SELECT, INSERT
2284+public.bugmessage = SELECT, INSERT
2285+public.bugsubscription = SELECT, INSERT
2286+public.bugsubscriptionfilter = SELECT, INSERT
2287+public.bugsubscriptionfilterimportance = SELECT, INSERT
2288+public.bugsubscriptionfilterstatus = SELECT, INSERT
2289+public.bugsubscriptionfiltertag = SELECT, INSERT
2290+public.bugtag = SELECT
2291+public.bugtask = SELECT, INSERT, UPDATE
2292+public.bugtracker = SELECT, INSERT
2293+public.bugtrackeralias = SELECT
2294+public.bugwatch = SELECT, INSERT
2295+public.emailaddress = SELECT, INSERT, UPDATE
2296+public.hwsubmission = SELECT
2297+public.job = SELECT, INSERT, UPDATE
2298+public.message = SELECT, INSERT
2299+public.messagechunk = SELECT, INSERT
2300 public.person = SELECT, INSERT
2301 public.personsettings = SELECT, INSERT
2302 public.product = SELECT, INSERT, UPDATE
2303+public.productlicense = SELECT, INSERT
2304 public.productseries = SELECT, INSERT
2305-public.productlicense = SELECT, INSERT
2306-public.bugtracker = SELECT, INSERT
2307-public.bugwatch = SELECT, INSERT
2308-public.bug = SELECT, INSERT, UPDATE
2309-public.bugjob = SELECT, INSERT
2310-public.bugaffectsperson = SELECT, INSERT, UPDATE, DELETE
2311-public.bugtag = SELECT
2312-public.bugtask = SELECT, INSERT, UPDATE
2313-public.accountpassword = SELECT, INSERT
2314-public.teamparticipation = SELECT, INSERT
2315-public.emailaddress = SELECT, INSERT, UPDATE
2316-public.hwsubmission = SELECT
2317 public.revisionauthor = SELECT
2318-public.bugtrackeralias = SELECT
2319-public.message = SELECT, INSERT
2320-public.messagechunk = SELECT, INSERT
2321-public.bugsubscription = SELECT, INSERT
2322-public.bugsubscriptionfilter = SELECT, INSERT
2323-public.bugsubscriptionfilterstatus = SELECT, INSERT
2324-public.bugsubscriptionfilterimportance = SELECT, INSERT
2325-public.bugsubscriptionfiltertag = SELECT, INSERT
2326-public.bugmessage = SELECT, INSERT
2327 public.sourcepackagename = SELECT
2328-public.job = SELECT, INSERT, UPDATE
2329+public.teamparticipation = SELECT, INSERT
2330+type=user
2331
2332 [updatesourceforgeremoteproduct]
2333-# Updates Product.remote_product using SourceForge project data.
2334-type=user
2335 groups=script
2336-public.product = SELECT, UPDATE
2337 public.bugtracker = SELECT
2338+public.product = SELECT, UPDATE
2339+type=user
2340
2341 [updatebugzillaremotecomponents]
2342-# Retrieves/updates BugTracker component info from Bugzillas
2343-type=user
2344 groups=script
2345 public.bugtracker = SELECT, UPDATE
2346 public.bugtrackercomponent = SELECT, INSERT, UPDATE, DELETE
2347 public.bugtrackercomponentgroup = SELECT, INSERT, UPDATE, DELETE
2348+type=user
2349
2350 [process-job-source-groups]
2351-# Does not need access to tables.
2352+groups=script
2353 type=user
2354-groups=script
2355
2356 [person-transfer-job]
2357-type=user
2358 groups=script
2359 public.account = SELECT
2360 public.emailaddress = SELECT
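Review bot: The section comments removed here carry intent that the grants alone do not, most clearly `# Does not need access to tables.` on `[process-job-source-groups]`. Once it is gone, a section holding only `groups=script` and `type=user` is indistinguishable from one whose grants were lost in a merge. Consider having the auditor keep comment lines that directly follow a section label and re-emit them under that label, rather than dropping every `#` line, so the purpose of each database user stays next to its privileges.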
2361@@ -2071,9 +1930,9 @@
2362 public.person = SELECT
2363 public.persontransferjob = SELECT
2364 public.teammembership = SELECT
2365+type=user
2366
2367 [person-merge-job]
2368-type=user
2369 groups=script
2370 public.account = SELECT, UPDATE
2371 public.announcement = SELECT, UPDATE
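Review bot: `type=user` now lands after the last grant of `[person-transfer-job]` while `groups=script` stays directly under the label, because a plain string sort places `groups` before `public.` and `type` after it. In `[person-merge-job]`, whose grants run past the end of this hunk, that puts the role type a long way from the section label. A sort key that pins `type=` and `groups=` to the top of each block and alphabetizes only the `public.*` lines would keep the merge-friendly ordering without splitting the role metadata.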
2372@@ -2198,66 +2057,60 @@
2373 public.votecast = SELECT, UPDATE
2374 public.webserviceban = SELECT, UPDATE, DELETE
2375 public.wikiname = SELECT, UPDATE
2376+type=user
2377
2378 [weblogstats]
2379-# For the script that parses our Apache/Squid logfiles and updates statistics
2380-type=user
2381 public.libraryfilealias = SELECT
2382 public.libraryfiledownloadcount = SELECT, INSERT, UPDATE, DELETE
2383+type=user
2384
2385 [garbo]
2386-# garbo_hourly and garbo_daily script permissions. We define the
2387-# permissions here in this group instead of in the users, so tasks can
2388-# be shuffled around between the daily and hourly sections without
2389-# changing DB permissions.
2390-type=user
2391 groups=script,read
2392+public.branchjob = SELECT, DELETE
2393 public.bug = SELECT, UPDATE
2394+public.bugaffectsperson = SELECT
2395 public.bugattachment = SELECT, DELETE
2396-public.bugsubscription = SELECT
2397-public.bugsubscriptionfilter = SELECT
2398-public.bugsubscriptionfilterstatus = SELECT
2399-public.bugsubscriptionfilterimportance = SELECT
2400-public.bugsubscriptionfiltertag = SELECT
2401-public.bugaffectsperson = SELECT
2402+public.bugjob = SELECT, INSERT
2403 public.bugmessage = SELECT, UPDATE
2404 public.bugnotification = SELECT, DELETE
2405 public.bugnotificationfilter = SELECT, DELETE
2406 public.bugnotificationrecipientarchive = SELECT
2407+public.bugsubscription = SELECT
2408+public.bugsubscriptionfilter = SELECT
2409+public.bugsubscriptionfilterimportance = SELECT
2410+public.bugsubscriptionfilterstatus = SELECT
2411+public.bugsubscriptionfiltertag = SELECT
2412 public.bugtag = SELECT
2413 public.bugwatch = SELECT, UPDATE
2414 public.bugwatchactivity = SELECT, DELETE
2415 public.codeimportevent = SELECT, DELETE
2416 public.codeimporteventdata = SELECT, DELETE
2417 public.codeimportresult = SELECT, DELETE
2418+public.emailaddress = SELECT, UPDATE
2419+public.hwsubmission = SELECT, UPDATE
2420+public.job = SELECT, INSERT, DELETE
2421+public.mailinglistsubscription = SELECT, DELETE
2422 public.oauthnonce = SELECT, DELETE
2423 public.openidassociation = SELECT, DELETE
2424 public.openidconsumerassociation = SELECT, DELETE
2425 public.openidconsumernonce = SELECT, DELETE
2426+public.person = SELECT, DELETE
2427 public.potranslation = SELECT, DELETE
2428+public.revisionauthor = SELECT, UPDATE
2429 public.revisioncache = SELECT, DELETE
2430-public.person = SELECT, DELETE
2431-public.revisionauthor = SELECT, UPDATE
2432-public.hwsubmission = SELECT, UPDATE
2433-public.mailinglistsubscription = SELECT, DELETE
2434 public.suggestivepotemplate = INSERT, DELETE
2435 public.teamparticipation = SELECT, DELETE
2436-public.emailaddress = SELECT, UPDATE
2437-public.job = SELECT, INSERT, DELETE
2438-public.branchjob = SELECT, DELETE
2439-public.bugjob = SELECT, INSERT
2440+type=user
2441
2442 [garbo_daily]
2443+groups=garbo
2444 type=user
2445-groups=garbo
2446
2447 [garbo_hourly]
2448+groups=garbo
2449 type=user
2450-groups=garbo
2451
2452 [generateppahtaccess]
2453-# For the generate_ppa_htaccess.py cronscript.
2454-type=user
2455 groups=script
2456 public.archive = SELECT
2457 public.archiveauthtoken = SELECT, UPDATE
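Review bot: In `[garbo]` the moved grants show up as unrelated `-` and `+` lines far apart (for example `public.job = SELECT, INSERT, DELETE` leaves the bottom of the block and reappears in the middle), so a privilege that changed during the move would be easy to miss by eye. Since this file defines database privileges, it would help to state in the merge proposal that the reorder was produced only by running the auditor, or to attach a check that parses both revisions into (section, setting, privileges) tuples and confirms the two sets are equal.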
2458@@ -2270,70 +2123,67 @@
2459 public.publisherconfig = SELECT
2460 public.teammembership = SELECT
2461 public.teamparticipation = SELECT
2462+type=user
2463
2464 [branch-rewrite]
2465+public.branch = SELECT
2466 type=user
2467-public.branch = SELECT
2468
2469 [nagios]
2470-type=user
2471 public.archive = SELECT
2472+public.binarypackagebuild = SELECT
2473+public.branch = SELECT
2474 public.buildfarmjob = SELECT
2475-public.databasereplicationlag = SELECT
2476-public.packagebuild = SELECT
2477-public.binarypackagebuild = SELECT
2478+public.buildpackagejob = SELECT
2479 public.buildqueue = SELECT
2480-public.buildpackagejob = SELECT
2481+public.databasereplicationlag = SELECT
2482 public.job = SELECT
2483 public.libraryfilecontent = SELECT
2484 public.openidrpconfig = SELECT
2485-public.branch = SELECT
2486+public.packagebuild = SELECT
2487+type=user
2488
2489 [modified-branches]
2490+public.branch = SELECT
2491 type=user
2492-public.branch = SELECT
2493
2494 [calculate-bug-heat]
2495-type=user
2496 groups=script,read
2497 public.bug = SELECT, UPDATE
2498-public.job = SELECT, UPDATE, DELETE
2499 public.bugjob = SELECT, DELETE
2500 public.distribution = SELECT, UPDATE
2501 public.distributionsourcepackage = SELECT, INSERT, UPDATE
2502 public.distroseries = SELECT
2503+public.job = SELECT, UPDATE, DELETE
2504 public.product = SELECT, UPDATE
2505 public.productseries = SELECT
2506 public.project = SELECT, UPDATE
2507-
2508+type=user
2509
2510 [lagmon]
2511-# cache-database-replication-lag.py
2512-type=user
2513 public.update_replication_lag_cache() = EXECUTE
2514+type=user
2515
2516 [process-apport-blobs]
2517-type=user
2518 groups=script,read
2519+public.apportjob = SELECT, INSERT, UPDATE, DELETE
2520 public.job = SELECT, UPDATE, DELETE
2521-public.apportjob = SELECT, INSERT, UPDATE, DELETE
2522 public.libraryfilealias = SELECT, INSERT, UPDATE
2523 public.libraryfilecontent = SELECT, INSERT, UPDATE
2524+type=user
2525
2526 [update-pkg-cache]
2527-# update-pkg-cache.py split off from the statistician user so that it's easier
2528-# to see its activity separate from update-stats.py
2529-type=user
2530 groups=statistician
2531+type=user
2532
2533 [database_stats_update]
2534-type=user
2535 groups=script
2536 public.update_database_stats() = EXECUTE
2537+type=user
2538
2539 [database_stats_report]
2540-type=user
2541 groups=script
2542-public.databasetablestats = SELECT
2543 public.databasecpustats = SELECT
2544 public.databasediskutilization = SELECT
2545+public.databasetablestats = SELECT
2546+type=user
2547
2548=== added file 'lib/lp/scripts/utilities/settingsauditor.py'
2549--- lib/lp/scripts/utilities/settingsauditor.py 1970-01-01 00:00:00 +0000
2550+++ lib/lp/scripts/utilities/settingsauditor.py 2011-05-03 22:22:53 +0000
2551@@ -0,0 +1,110 @@
2552+# Copyright 2011 Canonical Ltd. This software is licensed under the
2553+# GNU Affero General Public License version 3 (see the file LICENSE).
2554+
2555+"""Contains the seting auditor used to clean up security.cfg."""
2556+
2557+__metaclass__ = type
2558+
2559+__all__ = [
2560+ "SettingsAuditor",
2561+ ]
2562+
2563+from collections import defaultdict
2564+import re
2565+
2566+
2567+class SettingsAuditor:
2568+ """Reads the security.cfg file and collects errors.
2569+
2570+ We can't just use ConfigParser for this case, as we're doing our own
2571+ specialized parsing--not interpreting the settings, but verifying."""
2572+
2573+ header_regex = re.compile(r'.*?(?=\[)', re.MULTILINE|re.DOTALL)
2574+ section_regex = re.compile(
2575+ r'\[.*?\].*?(?=(\[)|($\Z))', re.MULTILINE|re.DOTALL)
2576+ section_label_regex = re.compile(r'\[.*\]')
2577+
2578+ def __init__(self, data):
2579+ self.data = data
2580+ self.errors = {}
2581+ self.current_section = ''
2582+ self.observed_settings = defaultdict(lambda: 0)
2583+
2584+ def _getHeader(self):
2585+ """Removes the header comments from the security file.
2586+
2587+ The comments at the start of the file aren't something we
2588+ want to kill.
2589+ """
2590+ header = self.header_regex.match(self.data)
2591+ if header is not None:
2592+ header = header.group()
2593+ self.data = self.data.replace(header, '')
2594+ return header
2595+
2596+ def _strip(self, data):
2597+ data = data.split('\n')
2598+ data = [d.strip() for d in data]
2599+ return '\n'.join(d for d in data if not (d.startswith('#') or d == ''))
2600+
2601+ def _getSectionName(self, line):
2602+ if line.strip().startswith('['):
2603+ return self.section_regex.match(line).group()
2604+ else:
2605+ return None
2606+
2607+ def _separateConfigBlocks(self):
2608+ # We keep the copy of config_labels so we can keep them in order.
2609+ self.config_blocks = {}
2610+ self.config_labels = []
2611+ self.data = self._strip(self.data)
2612+ while self.data != '':
2613+ section = self.section_regex.match(self.data)
2614+ section = section.group()
2615+ self.data = self.data.replace(section, '')
2616+ label = self.section_label_regex.match(section).group()
2617+ self.config_labels.append(label)
2618+ self.config_blocks[label] = section
2619+
2620+ def _processBlocks(self):
2621+ for block in self.config_labels:
2622+ data = set(self.config_blocks[block].split('\n')[1:])
2623+ data.discard('')
2624+ data = [line for line in sorted(data)
2625+ if line.strip() != '' and
2626+ not line.strip().startswith('#')]
2627+ self._checkForDupes(data, block)
2628+ data = '\n'.join([block] + data)
2629+ self.config_blocks[block] = data
2630+
2631+ def _checkForDupes(self, data, label):
2632+ settings = defaultdict(lambda: 0)
2633+ for line in data:
2634+ settings[self._getSetting(line)] += 1
2635+ dupe_settings = [setting for setting in settings.keys()
2636+ if settings[setting] > 1]
2637+ if dupe_settings != []:
2638+ self.errors[label] = dupe_settings
2639+
2640+ def _getSetting(self, line):
2641+ return line.split()[0]
2642+
2643+ def audit(self):
2644+ header = self._getHeader()
2645+ self._separateConfigBlocks()
2646+ self._processBlocks()
2647+ data = []
2648+ for label in self.config_labels:
2649+ data.append(self.config_blocks[label])
2650+ return '%s%s' % (header, '\n\n'.join(data))
2651+
2652+ @property
2653+ def error_data(self):
2654+ error_data = []
2655+ error_data.append("The following errors were found in security.cfg")
2656+ error_data.append("-----------------------------------------------")
2657+ for section in self.errors.keys():
2658+ error_data.append("In section: %s" % section)
2659+ for setting in self.errors[section]:
2660+ error_data.append('\tDuplicate setting found: %s' % setting)
2661+ return '\n'.join(error_data)
2662
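Review bot: `_getSetting` keys duplicates on `line.split()[0]`, so for lines written without spaces around `=`, such as `type=user` and `groups=script`, the key is the whole line, and a section containing both `groups=script` and `groups=script,read` would not be reported. Splitting on `=` and stripping the left-hand side would cover both styles. In `_separateConfigBlocks`, `self.data.replace(section, '')` removes every occurrence of the matched text rather than only the leading one, and `section_regex.match` returns None when the remaining data does not start with `[`, which raises AttributeError on `.group()`; slicing off `len(section)` and handling the None case would be safer. `header_regex` stops at the first `[` anywhere, so a header comment containing `[` gets cut short and its remainder is parsed as a section. Smaller points: `_getSectionName` uses `section_regex` where `section_label_regex` looks intended and appears unused, as do `current_section` and `observed_settings`, and the module docstring has "seting".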
2663=== modified file 'lib/lp/scripts/utilities/tests/test_audit_security_settings.py'
2664--- lib/lp/scripts/utilities/tests/test_audit_security_settings.py 2011-04-20 16:14:10 +0000
2665+++ lib/lp/scripts/utilities/tests/test_audit_security_settings.py 2011-05-03 22:22:53 +0000
2666@@ -1,4 +1,3 @@
2667-
2668 # Copyright 2011 Canonical Ltd. This software is licensed under the
2669 # GNU Affero General Public License version 3 (see the file LICENSE).
2670
2671@@ -6,21 +5,90 @@
2672
2673 __metaclass__ = type
2674
2675-import os
2676-
2677-from canonical.config import config
2678 from canonical.testing.layers import BaseLayer
2679+from lp.scripts.utilities.settingsauditor import SettingsAuditor
2680 from lp.testing import TestCase
2681
2682
2683-class TestAuditSecuitySettings(TestCase):
2684+class TestAuditSecuritySettings(TestCase):
2685
2686 layer = BaseLayer
2687
2688- def test_duplicate_parsing(self):
2689- utility = os.path.join(
2690- config.root, 'utilities', 'audit-security-settings.py')
2691- cmd = '%s smoketest' % utility
2692- error_msg = os.popen(cmd).read()
2693- expected = '[bad]\n\tDuplicate setting found: public.bar\n'
2694- self.assertTrue(expected in error_msg)
2695+ def setUp(self):
2696+ super(TestAuditSecuritySettings, self).setUp()
2697+ self.test_settings = (
2698+ '# This is the header.\n'
2699+ '[good]\n'
2700+ 'public.foo = SELECT\n'
2701+ 'public.bar = SELECT, INSERT\n'
2702+ 'public.baz = SELECT\n'
2703+ '\n'
2704+ '[bad]\n'
2705+ 'public.foo = SELECT\n'
2706+ 'public.bar = SELECT, INSERT\n'
2707+ 'public.bar = SELECT\n'
2708+ 'public.baz = SELECT')
2709+
2710+ def test_getHeader(self):
2711+ sa = SettingsAuditor(self.test_settings)
2712+ header = sa._getHeader()
2713+ self.assertEqual(
2714+ header,
2715+ '# This is the header.\n')
2716+
2717+ def test_extract_config_blocks(self):
2718+ test_settings = self.test_settings.replace(
2719+ '# This is the header.\n', '')
2720+ sa = SettingsAuditor(test_settings)
2721+ sa._separateConfigBlocks()
2722+ self.assertContentEqual(
2723+ ['[good]', '[bad]'],
2724+ sa.config_blocks.keys())
2725+
2726+ def test_audit_block(self):
2727+ sa = SettingsAuditor('')
2728+ test_block = (
2729+ '[bad]\n'
2730+ 'public.foo = SELECT\n'
2731+ 'public.bar = SELECT, INSERT\n'
2732+ 'public.bar = SELECT\n'
2733+ 'public.baz = SELECT\n')
2734+ sa.config_blocks = {'[bad]': test_block}
2735+ sa.config_labels = ['[bad]']
2736+ sa._processBlocks()
2737+ expected = (
2738+ '[bad]\n'
2739+ 'public.bar = SELECT\n'
2740+ 'public.bar = SELECT, INSERT\n'
2741+ 'public.baz = SELECT\n'
2742+ 'public.foo = SELECT')
2743+ self.assertEqual(expected, sa.config_blocks['[bad]'])
2744+ expected_error = '[bad]\n\tDuplicate setting found: public.bar'
2745+ self.assertTrue(expected_error in sa.error_data)
2746+
2747+ def test_audit(self):
2748+ sa = SettingsAuditor(self.test_settings)
2749+ new_settings = sa.audit()
2750+ expected_settings = (
2751+ '# This is the header.\n'
2752+ '[good]\n'
2753+ 'public.bar = SELECT, INSERT\n'
2754+ 'public.baz = SELECT\n'
2755+ 'public.foo = SELECT\n'
2756+ '\n'
2757+ '[bad]\n'
2758+ 'public.bar = SELECT\n'
2759+ 'public.bar = SELECT, INSERT\n'
2760+ 'public.baz = SELECT\n'
2761+ 'public.foo = SELECT')
2762+ self.assertEqual(expected_settings, new_settings)
2763+
2764+ def test_comments_stipped(self):
2765+ sa = SettingsAuditor('')
2766+ test_data = (
2767+ '#[foo]\n'
2768+ '#public.foo = SELECT\n')
2769+ data = sa._strip(test_data)
2770+ self.assertEqual('', data)
2771+
2772+
2773
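Review bot: The fixtures in `setUp` and `test_audit_block` contain only `public.*` lines, so nothing exercises the `type=` and `groups=` lines that the real sections in security.cfg carry, or a header comment that contains `[`. Adding a section with `groups=script` and `type=user`, and asserting that running `audit()` on its own output returns the same text, would cover the cases the rewritten file depends on. `test_comments_stipped` should read `test_comments_stripped`, and the blank `+` lines at the end of the file can go.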
2774=== modified file 'utilities/audit-security-settings.py'
2775--- utilities/audit-security-settings.py 2011-04-19 15:27:55 +0000
2776+++ utilities/audit-security-settings.py 2011-05-03 22:22:53 +0000
2777@@ -12,23 +12,10 @@
2778 __metatype__ = type
2779
2780 import os
2781-import sys
2782-import re
2783-
2784-from collections import defaultdict
2785-
2786-TEST_DATA = """
2787-[good]
2788-public.foo = SELECT
2789-public.bar = SELECT, INSERT
2790-public.baz = SELECT
2791-
2792-[bad]
2793-public.foo = SELECT
2794-public.bar = SELECT, INSERT
2795-public.bar = SELECT
2796-public.baz = SELECT
2797-"""
2798+
2799+import _pythonpath
2800+from lp.scripts.utilities.settingsauditor import SettingsAuditor
2801+
2802
2803 BRANCH_ROOT = os.path.split(
2804 os.path.dirname(os.path.abspath(__file__)))[0]
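Review bot: The context line `__metatype__ = type` looks like a typo for `__metaclass__ = type`, which is the spelling the new settingsauditor.py and the test module use; as written it only defines an unused module variable. Since the script no longer defines a class after this change, either correct it or drop it while this import block is being edited.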
2805@@ -36,77 +23,12 @@
2806 BRANCH_ROOT, 'database', 'schema', 'security.cfg')
2807
2808
2809-def strip(data):
2810- data = [d.strip() for d in data]
2811- return [d for d in data if not (d.startswith('#') or d == '')]
2812-
2813-
2814-class SettingsAuditor:
2815- """Reads the security.cfg file and collects errors.
2816-
2817- We can't just use ConfigParser for this case, as we're doing our own
2818- specialized parsing--not interpreting the settings, but verifying."""
2819-
2820- section_regex = re.compile(r'\[.*\]')
2821-
2822- def __init__(self):
2823- self.errors = {}
2824- self.current_section = ''
2825- self.observed_settings = defaultdict(lambda: 0)
2826-
2827- def _get_section_name(self, line):
2828- if line.strip().startswith('['):
2829- return self.section_regex.match(line).group()
2830- else:
2831- return None
2832-
2833- def _get_setting(self, line):
2834- return line.split()[0]
2835-
2836- def start_new_section(self, new_section):
2837- for k in self.observed_settings.keys():
2838- if self.observed_settings[k] == 1:
2839- self.observed_settings.pop(k)
2840- duplicated_settings = self.observed_settings.keys()
2841- if len(duplicated_settings) > 0:
2842- self.errors[self.current_section] = self.observed_settings.keys()
2843- self.observed_settings = defaultdict(lambda: 0)
2844- self.current_section = new_section
2845-
2846- def readline(self, line):
2847- new_section = self._get_section_name(line)
2848- if new_section is not None:
2849- self.start_new_section(new_section)
2850- else:
2851- setting = self._get_setting(line)
2852- self.observed_settings[setting] += 1
2853-
2854- def print_error_data(self):
2855- print "The following errors were found in security.cfg"
2856- print "-----------------------------------------------"
2857- for section in self.errors.keys():
2858- print "In section: %s" % section
2859- for setting in self.errors[section]:
2860- print '\tDuplicate setting found: %s' % setting
2861-
2862-
2863-def main(test=False):
2864- # This is a cheap hack to allow testing in the testrunner.
2865- if test:
2866- data = TEST_DATA.split('\n')
2867- else:
2868- data = file(SECURITY_PATH).readlines()
2869- data = strip(data)
2870- auditor = SettingsAuditor()
2871- for line in data:
2872- auditor.readline(line)
2873- auditor.start_new_section('')
2874- auditor.print_error_data()
2875+def main():
2876+ data = file(SECURITY_PATH).read()
2877+ auditor = SettingsAuditor(data)
2878+ settings = auditor.audit()
2879+ file(SECURITY_PATH, 'w').write(settings)
2880+ print auditor.error_data
2881
2882 if __name__ == '__main__':
2883- # smoketest check is a cheap hack to test the utility in the testrunner.
2884- try:
2885- test = sys.argv[1] == 'smoketest'
2886- except IndexError:
2887- test = False
2888- main(test=test)
2889+ main()
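Review bot: `file(SECURITY_PATH, 'w').write(settings)` in `main()` truncates security.cfg before the new content is written and never closes the handle explicitly, so an interrupted run can leave the privileges file empty or partial. Writing to a temporary file in the same directory and renaming it over the original, with both handles closed, avoids that. `main()` also rewrites the file and prints the report header even when no duplicates were found, and it always exits 0; returning a non-zero status when `auditor.errors` is non-empty would let the script serve as a check.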