Chromium Code Reviews

Issue 1224913002: luci-config: fine-grained acls (Closed)

Created: 5 years, 5 months ago by nodir
Modified: 5 years, 5 months ago
CC: chromium-reviews
Base URL: git@github.com:luci/luci-py.git@master
Target Ref: refs/heads/master
Visibility: Public.

Description

luci-config: fine-grained acls

Each project/service can declare who can read its configs and see it in service/project/ref listings. A project can do that by putting projects/<project_id>:project.cfg file with "access" field set to a group name defined at auth service. If not specified, only admins have access. Same for services, except it is in services.cfg

project_access_group in acl.cfg remains the same, but service_access_group is removed.

Removed check of X-Appengine-Inbound-Appid check because it does not work.

R=sergiyb@chromium.org, vadimsh@chromium.org
BUG=#228

Committed: https://github.com/luci/luci-py/commit/28b2abd1e68e72f5ec4d1c6815263daa0aa57790
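
The access rule in the description, sketched as an added example (not code from this change or from luci-config): admins always pass, a project with no "access" value is admin-only, and listings are filtered with the same check. `AuthService`, `ProjectCfg`, the explicit `identity` argument, the group names and the identities are hypothetical, and the sample data is constructed.

```python
# Added example: hypothetical names throughout; not luci-config's acl.py.
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIN_GROUP = "administrators"  # assumed name of the admin group


@dataclass
class ProjectCfg:
    """Stand-in for a parsed project.cfg; only the "access" field is modeled."""
    access: Optional[str] = None  # group name defined at the auth service


class AuthService:
    """Constructed stand-in for the auth service's group membership lookup."""

    def __init__(self, groups: Dict[str, Set[str]]):
        self._groups = groups

    def is_group_member(self, group: str, identity: str) -> bool:
        # Unknown groups have no members, so a typo in "access" fails closed.
        return identity in self._groups.get(group, set())


def can_read_project(auth, cfgs, project_id, identity) -> bool:
    if auth.is_group_member(ADMIN_GROUP, identity):
        return True
    cfg = cfgs.get(project_id)
    if cfg is None or not cfg.access:
        return False  # no project.cfg or no "access": admins only
    return auth.is_group_member(cfg.access, identity)


def list_projects(auth, cfgs, identity):
    # Listings use the same check, so unreadable projects are not disclosed.
    return sorted(p for p in cfgs if can_read_project(auth, cfgs, p, identity))


# Constructed sample data.
AUTH = AuthService({
    ADMIN_GROUP: {"user:admin@example.com"},
    "infra-readers": {"user:dev@example.com"},
})
CFGS = {
    "infra": ProjectCfg(access="infra-readers"),
    "secret": ProjectCfg(),                      # access not specified
    "typo": ProjectCfg(access="infra-reader"),   # group does not exist
}
```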

Patch Set 1

Patch Set 2: mentioned in doc that trusted services also have access

Total comments: 5

Patch Set 3: rebased on https://codereview.chromium.org/1221643020/

Patch Set 4: fine-grained acls for service configs

Total comments: 2

Patch Set 5: identities in configs

Stats: +1257 lines, -352 lines
M appengine/components/components/config/common.py: 3 chunks, +4 lines, -1 line
M appengine/components/components/config/endpoint.py: 4 chunks, +97 lines, -7 lines
A appengine/components/components/config/endpoint_test.py: 1 chunk, +76 lines, -0 lines
M appengine/components/components/config/remote.py: 2 chunks, +1 line, -2 lines
M appengine/components/components/config/remote_test.py: 1 chunk, +1 line, -1 line
M appengine/components/components/config/validation.py: 6 chunks, +71 lines, -11 lines
M appengine/components/components/config/validation_test.py: 3 chunks, +31 lines, -2 lines
M appengine/components/components/net.py: 1 chunk, +3 lines, -0 lines
M appengine/config_service/README.md: 3 chunks, +44 lines, -13 lines
M appengine/config_service/acl.py: 4 chunks, +35 lines, -25 lines
M appengine/config_service/acl_test.py: 3 chunks, +42 lines, -20 lines
M appengine/config_service/api.py: 4 chunks, +6 lines, -9 lines
M appengine/config_service/api_test.py: 11 chunks, +30 lines, -31 lines
M appengine/config_service/common.py: 1 chunk, +1 line, -1 line
M appengine/config_service/cron.yaml: 1 chunk, +1 line, -1 line
M appengine/config_service/gitiles_import.py: 1 chunk, +1 line, -0 lines
M appengine/config_service/proto/project_config.proto: 1 chunk, +9 lines, -0 lines
M appengine/config_service/proto/project_config_pb2.py: 5 chunks, +13 lines, -6 lines
M appengine/config_service/proto/service_config.proto: 2 chunks, +68 lines, -22 lines
M appengine/config_service/proto/service_config_pb2.py: 15 chunks, +192 lines, -55 lines
A appengine/config_service/services.py: 1 chunk, +94 lines, -0 lines
A appengine/config_service/services_test.py: 1 chunk, +115 lines, -0 lines
M appengine/config_service/storage_test.py: 1 chunk, +2 lines, -2 lines
M appengine/config_service/validation.py: 9 chunks, +166 lines, -66 lines
M appengine/config_service/validation_test.py: 7 chunks, +154 lines, -77 lines

Messages

Total messages: 18 (6 generated)
nodir
PTAL. When this is committed, I will add project.cfg "access: all" to public projects.
5 years, 5 months ago (2015-07-07 16:42:09 UTC) #3
nodir
On 2015/07/07 16:42:09, nodir wrote:
> PTAL. When this is committed, I will add project.cfg ...
5 years, 5 months ago (2015-07-07 16:43:26 UTC) #4
Sergiy Byelozyorov
lgtm

https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/README.md
File appengine/config_service/README.md (right):

https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/README.md#newcode96
appengine/config_service/README.md:96: and a GAE app with the same id, ...
5 years, 5 months ago (2015-07-07 22:48:07 UTC) #5
Vadim Sh.
https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/acl.py
File appengine/config_service/acl.py (left):

https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/acl.py#oldcode65
appengine/config_service/acl.py:65: (headers or {}).get('X-Appengine-Inbound-Appid') == service_id
it should have worked ...
5 years, 5 months ago (2015-07-08 14:20:34 UTC) #6
nodir
Rebased on top of https://codereview.chromium.org/1221643020/ to have services.cfg

https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/acl.py
File appengine/config_service/acl.py (left):

https://codereview.chromium.org/1224913002/diff/60001/appengine/config_service/acl.py#oldcode65
appengine/config_service/acl.py:65: (headers ...
5 years, 5 months ago (2015-07-08 16:35:58 UTC) #8
nodir
Updated acl.cfg https://chromereviews.googleplex.com/220517013/
5 years, 5 months ago (2015-07-08 17:17:16 UTC) #9
Vadim Sh.
I'm confused by this change after rebase.. where's the new code, where's committed code..
5 years, 5 months ago (2015-07-08 17:52:39 UTC) #10
nodir
On 2015/07/08 17:52:39, Vadim Sh. wrote:
> I'm confused by this change after rebase.. where's ...
5 years, 5 months ago (2015-07-08 17:53:26 UTC) #11
Vadim Sh.
https://codereview.chromium.org/1224913002/diff/120001/appengine/config_service/acl.py
File appengine/config_service/acl.py (right):

https://codereview.chromium.org/1224913002/diff/120001/appengine/config_service/acl.py#newcode67
appengine/config_service/acl.py:67: if auth.is_group_member(service_cfg.access):
Why not support both groups and individual ...
5 years, 5 months ago (2015-07-08 19:57:56 UTC) #12
nodir
https://codereview.chromium.org/1224913002/diff/120001/appengine/config_service/acl.py
File appengine/config_service/acl.py (right):

https://codereview.chromium.org/1224913002/diff/120001/appengine/config_service/acl.py#newcode67
appengine/config_service/acl.py:67: if auth.is_group_member(service_cfg.access):
On 2015/07/08 19:57:56, Vadim Sh. wrote:
> ...
5 years, 5 months ago (2015-07-08 21:08:49 UTC) #16
Vadim Sh.
lgtm
5 years, 5 months ago (2015-07-08 21:34:07 UTC) #17
nodir
5 years, 5 months ago (2015-07-08 21:42:02 UTC) #18
Message was sent while issue was closed.
Committed patchset #5 (id:190001) manually as 28b2abd1e68e72f5ec4d1c6815263daa0aa57790 (presubmit successful).
