| Index: scheduler/appengine/acl/acl.go
|
| diff --git a/scheduler/appengine/acl/acl.go b/scheduler/appengine/acl/acl.go
|
| index a1b8a2d1b4d82d97f9e414ca490528cc38ee50dd..067a0cb3e52d476c90e74e06d48ad58b5e351f3c 100644
|
| --- a/scheduler/appengine/acl/acl.go
|
| +++ b/scheduler/appengine/acl/acl.go
|
| @@ -41,13 +41,6 @@ func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) {
|
| }
|
|
|
| func (g *GrantsByRole) IsReader(c context.Context) (bool, error) {
|
| - if len(g.Readers) == 0 && len(g.Owners) == 0 {
|
| - // This is here for backwards compatiblity before ACLs were introduced.
|
| - // If Job doesn't specify READERs nor OWNERS explicitely, everybody can read.
|
| - // TODO(tAndrii): remove once every Job/Trigger has ACLs specified.
|
| - logging.Warningf(c, "Granting READ rights to all because no ACLs specified")
|
| - return true, nil
|
| - }
|
| return hasGrant(c, g.Owners, g.Readers, groupsAdministrators)
|
| }
|
|
|
| @@ -108,6 +101,12 @@ func ValidateTaskAcls(pSets AclSets, tSets []string, tAcls []*messages.Acl) (*Gr
|
| if n := len(mg.Owners) + len(mg.Readers); n > maxGrantsPerJob {
|
| return nil, fmt.Errorf("Job or Trigger can have at most %d acls, but %d given", maxGrantsPerJob, n)
|
| }
|
| + if len(mg.Owners) == 0 {
|
| + return nil, fmt.Errorf("Job or Trigger must have OWNER acl set")
|
| + }
|
| + if len(mg.Readers) == 0 {
|
| + return nil, fmt.Errorf("Job or Trigger must have READER acl set")
|
| + }
|
| return mg, nil
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 2993793003:
[scheduler]: ACLs phase 3 - require ACLs specs for each Job/Trigger. (Closed)
