Merge ~twom/launchpad:db-oci-policy-distribute-the-credentials into launchpad:db-devel

Proposed by Tom Wardill
Status: Merged
Approved by: Tom Wardill
Approved revision: 102a18997ac664f54f706af194ff57f39a9409d3
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~twom/launchpad:db-oci-policy-distribute-the-credentials
Merge into: launchpad:db-devel
Diff against target: 17 lines (+11/-0)
1 file modified
database/schema/patch-2210-24-0.sql (+11/-0)
Reviewer Review Type Date Requested Status
William Grant db Approve
Ioana Lasc (community) Approve
Review via email: mp+395770@code.launchpad.net

Commit message

Add OCI Credentials field to Distribution

Revision history for this message
Ioana Lasc (ilasc) wrote :

LGTM

review: Approve
Revision history for this message
William Grant (wgrant) wrote :

Is there a spec for this? What does "in this distribution" mean, given that normal users can create recipes under a distribution's OCI projects?

review: Needs Information (db)
Revision history for this message
Tom Wardill (twom) wrote :

> Is there a spec for this? What does "in this distribution" mean, given that
> normal users can create recipes under a distribution's OCI projects?

This is the latest iteration of: https://docs.google.com/document/d/16iPKUri4hn3ezMm4Q5j27EwdZEqYnD3LJgsqJiqvhWo/edit

Creating OCI Projects within a Distribution is limited to the OCI Project Admins (or can be, via feature flag), so it's not open to everyone.

Revision history for this message
Tom Wardill (twom) wrote :

> > Is there a spec for this? What does "in this distribution" mean, given that
> > normal users can create recipes under a distribution's OCI projects?
>
> This is the latest iteration of: https://docs.google.com/document/d/16iPKUri4h
> n3ezMm4Q5j27EwdZEqYnD3LJgsqJiqvhWo/edit
>
> Creating OCI Projects within an Distribution is limited to the OCI Project
> Admins (or can be, via feature flag), so it's not open to everyone.

Replacing https://code.launchpad.net/~twom/launchpad/+git/launchpad/+merge/394958 in line with the direction of the spec.

Revision history for this message
William Grant (wgrant) wrote :

AIUI anyone can create an OCIRecipe inside an OCIProject, so isn't setting credentials on a whole OCIProject dangerous?

review: Needs Information (db)
Revision history for this message
Tom Wardill (twom) wrote :

Using the distribution credentials is limited to 'official' recipes (in https://code.launchpad.net/~twom/launchpad/+git/launchpad/+merge/395984).
Setting an official recipe requires `userIsRecipeAdmin`, which results in `pillar.canAdministrateOCIProjects`.

So a normal user can create a recipe, but that will be a 'build only' recipe and will not result in it being pushed to a registry.
Only a recipe being set to official will result in a push.

Revision history for this message
William Grant (wgrant) :
review: Approve (db)

Preview Diff

1diff --git a/database/schema/patch-2210-24-0.sql b/database/schema/patch-2210-24-0.sql
2new file mode 100644
3index 0000000..833fa88
4--- /dev/null
5+++ b/database/schema/patch-2210-24-0.sql
6@@ -0,0 +1,11 @@
7+-- Copyright 2021 Canonical Ltd. This software is licensed under the
8+-- GNU Affero General Public License version 3 (see the file LICENSE).
9+
10+SET client_min_messages=ERROR;
11+
12+ALTER TABLE Distribution
13+ ADD COLUMN oci_credentials INTEGER REFERENCES OCIRegistryCredentials;
14+
15+COMMENT ON COLUMN Distribution.oci_credentials IS 'Credentials and URL to use for uploading all OCI Images in this distribution to a registry.';
16+
17+INSERT INTO LaunchpadDatabaseRevision VALUES (2210, 24, 0);
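Review bot: The column comment on line 15 of the hunk ("uploading all OCI Images in this distribution") overstates the scope that the thread settles on, since per the discussion only recipes marked official push with these credentials while ordinary build-only recipes never do; consider wording it as "Credentials and URL to use for uploading official OCI Images in this distribution to a registry." so the schema documents the intended trust boundary rather than implying every recipe under the distribution can use the stored credentials. Separately, the new `oci_credentials INTEGER REFERENCES OCIRegistryCredentials` column on lines 12-13 gets no index, so any delete or update of a referenced OCIRegistryCredentials row has to scan Distribution to enforce the constraint; adding `CREATE INDEX distribution__oci_credentials__idx ON Distribution (oci_credentials);` before the LaunchpadDatabaseRevision insert would keep credential rotation and removal cheap.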
