| 15 Nov 2022 |
aciceri | Does anyone know if there is a way to configure which jobsets a user can restart? | 10:39:01 |
aciceri | Or, more generally, permissions management for single jobsets | 10:39:54 |
aciceri | Or even by project | 10:41:02 |
das_j | I only know of the db table, I'm not aware of config in the frontend | 10:41:24 |
aciceri | Do you mean that the table has a schema that captures this information? | 10:42:00 |
aciceri | I mean permissions per jobset | 10:42:14 |
das_j | hydra=# table projectmembers ;
project | username
---------+----------
(0 rows)
| 10:42:35 |
das_j | that's the best I know | 10:42:45 |
aciceri | Does this mean that a user cannot have different permissions for different projects? | 10:45:10 |
das_j | I have no idea tbh | 10:45:29 |
aciceri | Frankly I'm only interested in the restart-jobs role, I would like to have the same user able to restart jobs from jobsets from a project but not from another project | 10:46:28 |
aciceri | I would like to manage these users (and which jobsets they can restart) declaratively using a module option | 10:50:33 |
@linus:schreibt.jetzt | sub mayRestartJobs {
    my ($c, $project) = @_;
    return
        $c->user_exists &&
        (isAdmin($c) ||
         hasRestartJobsRole($c) ||
         isProjectOwner($c, $project));
}
| 10:54:01 |
@linus:schreibt.jetzt | That's the entire logic Hydra uses to determine whether a user can restart jobs. | 10:54:16 |
aciceri | In reply to @janne.hess:helsinki-systems.de
hydra=# table projectmembers ;
project | username
---------+----------
(0 rows)
Suppose there is only one row that relates 'alice' to a project, and suppose that alice has the restart-jobs role. What happens when another project is created (without writing a new row in projectmembers, I mean)? Is alice able to restart jobs from this other project? | 10:54:24 |
@linus:schreibt.jetzt | (/src/lib/Hydra/Helper/CatalystUtils.pm) | 10:54:52 |
aciceri | In reply to @linus:schreibt.jetzt
sub mayRestartJobs {
    my ($c, $project) = @_;
    return
        $c->user_exists &&
        (isAdmin($c) ||
         hasRestartJobsRole($c) ||
         isProjectOwner($c, $project));
}
uhhh this is really helpful, thanks | 10:55:10 |
@linus:schreibt.jetzt | so apparently project membership has no effect on whether users can restart jobs, lol | 10:55:36 |
@linus:schreibt.jetzt | wait no actually project membership is project ownership | 10:56:27 |
@linus:schreibt.jetzt | I think | 10:56:33 |
aciceri | isProjectOwner doesn't use the projectmembers table? | 10:56:37 |
@linus:schreibt.jetzt | sub isProjectOwner {
    my ($c, $project) = @_;
    return
        $c->user_exists &&
        (isAdmin($c) ||
         $c->user->username eq $project->owner->username ||
         defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
}
| 10:56:39 |
@linus:schreibt.jetzt | yeah | 10:56:41 |
aciceri | perfect! Then this is doable somehow | 10:57:37 |
aciceri | I just need to move everything to different projects now | 10:58:18 |
aciceri | Not sure I'll do it, just wanted to know if it made sense | 10:58:40 |
@linus:schreibt.jetzt | as for declarative management of a hydra instance, may I suggest the terraform provider (maintained by my employer but I've been using it since before I worked there :D ) | 10:58:47 |
@linus:schreibt.jetzt | ma27 has some nice wrapping code that makes it more pleasant to use with terranix | 10:59:32 |