| 15 Nov 2022 |
 aciceri | I would like to manage these users (and which which jobsets they can restart) declaratively using an module option | 10:50:33 |
 @linus:schreibt.jetzt | sub mayRestartJobs {
my ($c, $project) = @_;
return
$c->user_exists &&
(isAdmin($c) ||
hasRestartJobsRole($c) ||
isProjectOwner($c, $project));
}
| 10:54:01 |
| @linus:schreibt.jetzt | That's the entire logic Hydra uses to determine whether a user can restart jobs. | 10:54:16 |
| aciceri | In reply to @janne.hess:helsinki-systems.de
hydra=# table projectmembers ;
project | username
---------+----------
(0 rows)
suppose there is only a row which puts in relation 'alice' to project and suppose that alice has the restart-jobs role. What happens when another project is created (without writing a new row in projectmembers I mean)? alice is able to restart jobs from this other project? | 10:54:24 |
| @linus:schreibt.jetzt | (/src/lib/Hydra/Helper/CatalystUtils.pm) | 10:54:52 |
| aciceri | In reply to @linus:schreibt.jetzt
sub mayRestartJobs {
my ($c, $project) = @_;
return
$c->user_exists &&
(isAdmin($c) ||
hasRestartJobsRole($c) ||
isProjectOwner($c, $project));
}
uhhh this is really helpful, thanks | 10:55:10 |
| @linus:schreibt.jetzt | so apparently project membership has no effect on whether users can restart jobs, lol | 10:55:36 |
| @linus:schreibt.jetzt | wait no actually project membership is project ownership | 10:56:27 |
| @linus:schreibt.jetzt | I think | 10:56:33 |
| aciceri | isProjectOwner doesn't use the projectmembers table? | 10:56:37 |
| @linus:schreibt.jetzt | sub isProjectOwner {
my ($c, $project) = @_;
return
$c->user_exists &&
(isAdmin($c) ||
$c->user->username eq $project->owner->username ||
defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
}
| 10:56:39 |
| @linus:schreibt.jetzt | yeah | 10:56:41 |
| aciceri | perfect! Then this is doable somehow | 10:57:37 |
| aciceri | I just need to move everything to different projects now | 10:58:18 |
| aciceri | Not sure I'll do, just wanted to know it made sense | 10:58:40 |
| @linus:schreibt.jetzt | as for declarative management of a hydra instance, may I suggest the terraform provider (maintained by my employer but I've been using it since before I worked there :D ) | 10:58:47 |
| @linus:schreibt.jetzt | ma27 has some nice wrapping code that makes it more pleasant to use with terranix | 10:59:32 |
| @linus:schreibt.jetzt | (not sure if he's published it) | 10:59:44 |
| @linus:schreibt.jetzt | hm, it doesn't support adding users to projects though | 11:00:50 |
| aciceri | uhhh interesting, we use terraform actually without terranix) but our Hydra installation is very customized, not sure it's worth using like this but thank for the information 😀 | 11:01:14 |
| aciceri | * uhhh interesting, we use terraform actually (without terranix) but our Hydra installation is very customized, not sure it's worth using like this but thank for the information 😀 | 11:01:25 |
| @linus:schreibt.jetzt | though I'm not sure if Hydra even exposes an API endpoint for it? | 11:01:34 |
 ma27 | In reply to @linus:schreibt.jetzt
as for declarative management of a hydra instance, may I suggest the terraform provider (maintained by my employer but I've been using it since before I worked there :D ) iirc I even advertised it to you although I'm not affiliated with detsys :D | 11:01:54 |
| @linus:schreibt.jetzt | yeah only seems to be in the schema, no controller for it | 11:01:57 |
| ma27 | In reply to @linus:schreibt.jetzt
ma27 has some nice wrapping code that makes it more pleasant to use with terranix not yet but I guess I should... | 11:02:11 |
| @linus:schreibt.jetzt | stick it in a gist, then people won't be able to file issues and PRs so it's less extra work :D | 11:02:46 |
| aciceri | Changing topic. any news about this? https://github.com/NixOS/hydra/pull/1228 | 11:04:33 |
| aciceri | * Changing topic: any news about this? https://github.com/NixOS/hydra/pull/1228 | 11:04:42 |
| aciceri | Perhaps next week I'll be able to spend some hours rebasing it and trying to fix one problem it had | 11:05:46 |
| aciceri | Related: someone here will be at the ocean sprint next week? | 11:07:16 |
