diff --git a/docs/source/access_controls.rst b/docs/source/access_controls.rst index 201c2641..d770f8d8 100644 --- a/docs/source/access_controls.rst +++ b/docs/source/access_controls.rst @@ -15,6 +15,8 @@ username/password but it has its limitations which you should be aware of. Details can be found at :ref:`auth-config` +.. _allowed-scms: + Allowed SCMs ============ @@ -24,6 +26,13 @@ We recommend that every production environment choose a limited set of trusted s Details of the ``allowed_scms`` option are covered under :ref:`scm-config` +We also provides ``build_from_scm`` hub policy for the same purpose, you can choose either/both +of the two approaches by the switch options in ``/etc/kojid.conf`` per build: + + * ``allowed_scms_use_config``, default: ``true`` + * ``allowed_scms_use_policy``, default: ``false`` + +For more details of the ``build_from_scm``, please read :doc:`defining_hub_policies`. Hub Policies ============ @@ -43,6 +52,7 @@ Examples of access control polices are: * vm: control which windows build tasks are allowed * dist_repo: control which distRepo tasks are allowed * build_from_srpm: control whether builds from srpm are allowed +* build_from_scm: control whether builds from the SCM are allowed and the behavior of the SCM * build_from_repo_id: control whether builds from user-specified repos ids are allowed Note that not all policies are access control policies. diff --git a/docs/source/defining_hub_policies.rst b/docs/source/defining_hub_policies.rst index d0ccc0ff..21bf8aae 100644 --- a/docs/source/defining_hub_policies.rst +++ b/docs/source/defining_hub_policies.rst @@ -7,6 +7,8 @@ in the system. At present, policy allows you to control: * tag/untag/move operations * allowing builds from srpm +* allowing builds from SCM, and managing properties/behaviors related to the SCM + if it is allowed * allowing builds from expired repos * managing the package list for a tag * managing which channel a task goes to 
@@ -19,6 +21,11 @@ Policy configuration is optional. If you don't define one, then by default: * tag/untag/move operations are governed by tag locks/permissions * builds from srpm are only allowed for admins +* builds from any SCM are only allowed for admins. It's used when + ``allowed_scms_use_policy`` is ``true`` in ``/etc/kojid.conf`` of the builders + (``false`` by default). And the SCM's properies: ``use_common`` and + ``source_cmd`` are set to their default values: ``False`` and + ``['make', 'source']`` * builds from expired repos are only allowed for admins * only admins and users with ``tag`` permission may modify package lists * tasks go to the default channel @@ -126,6 +133,7 @@ The system currently looks for the following policies * ``tag``: checked during tag/untag/move operations * ``build_from_srpm``: checked when a build from srpm (not an SCM reference) is requested. +* ``build_from_scm``: checked when a build task from SCM is executing on builder * ``build_from_repo_id``: checked when a build from a specified repo id is requested * ``package_list``: checked when the package list for a tag is modified @@ -193,6 +201,23 @@ different: ``adjust -`` * decrement default priority +The **build_from_scm** policy is used to assert if the SCM is allowed or not, +like the basic allow/deny one. It is also used to manage the SCM's properties as +the same as the ``allowed_scms`` option of the koji builder. The actions could +be defined as: + +``allow [use_common] []`` + * allow the SCM + * use(clone) the /common repo when ``use_common`` follows ``allow`` + * ```` is a *optional* shell command for preparing the source + between checkout and srpm build. If it is omitted, it will follow the + default value: ``make source``. The explicit value: ``none`` means **No** + ``source_cmd`` is defined. + +``deny []`` + * disallow the SCM + * ```` is the error message which is shown as the task result + Available tests =============== ``true`` 
diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst index 29f811b0..b386688f 100644 --- a/docs/source/server_howto.rst +++ b/docs/source/server_howto.rst @@ -1216,6 +1216,11 @@ SCM checkout can contain multiple spec files (checkouted or created by ``source_cmd``). In such case spec file named same as a checkout directory will be selected. +.. note:: + We provide ``build_from_scm`` hub policy as an equivalent in version 1.26.0. + + For more details, please refer to :ref:`allowed-scms` and + :doc:`Defining Hub Policies `. Add the host to the createrepo channel -------------------------------------- diff --git a/koji/daemon.py b/koji/daemon.py index 786e03bc..c94e1c5c 100644 --- a/koji/daemon.py +++ b/koji/daemon.py @@ -454,8 +454,8 @@ class SCM(object): The format of the action returned from build_from_scm could be one of following forms:: - allow [use_common] [source_cmd] - deny [reason] + allow [use_common] [] + deny [] If use_common is not set, use_common property is False. If source_cmd is none, it will be parsed as None. If it not set, the default value:
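Review bot: in docs/source/access_controls.rst, hunk @@ -24,6 +26,13, the added paragraph says the two approaches can be used "either/both" but never states how they combine. With ``allowed_scms_use_config`` and ``allowed_scms_use_policy`` both ``true``, does an SCM have to pass both checks or only one, and what happens when both are ``false``? For an access control page that outcome should be spelled out next to the two defaults. Smaller points on the same lines: "We also provides" should be "We also provide", the comma before "you can choose" should start a new sentence, and "per build" looks inconsistent with the defining_hub_policies.rst hunk, which describes these as options in ``/etc/kojid.conf`` "of the builders".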
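Review bot: in docs/source/defining_hub_policies.rst, hunk @@ -19,6 +21,11, the new bullet has a typo ("properies") and is split into fragments that are hard to parse: "It's used when ..." has no clear antecedent and "And the SCM's properies: ..." is not a full sentence. Suggest one sentence for the default ("builds from any SCM are only allowed for admins, with ``use_common`` and ``source_cmd`` left at their defaults") and a second one stating that the policy is only consulted when ``allowed_scms_use_policy`` is ``true`` on the builder.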
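Review bot: in docs/source/defining_hub_policies.rst, hunk @@ -193,6 +201,23, the ``allow`` action calls its last argument a "shell command" with default ``make source``, while the @@ -19,6 +21,11 hunk gives the default as the list ``['make', 'source']``. Since this value comes from hub policy and is run on the builder between checkout and srpm build, the text should say how the string is turned into a command (split into arguments or handed to a shell) so policy authors know whether shell metacharacters have any effect. In the same hunk, the action lines read ``allow [use_common] []`` and ``deny []`` and two bullets start with an empty literal, so the placeholder names for the command and the reason are missing as written; "a *optional*" should be "an *optional*".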
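Review bot: in docs/source/server_howto.rst, hunk @@ -1216,6 +1216,11, the last line of the note uses a ``:doc:`` role with a title but no target (":doc:`Defining Hub Policies `"), so the link will not resolve; the access_controls.rst hunk references the same page as :doc:`defining_hub_policies`, and the same target should be used here. "as an equivalent in version 1.26.0" would also read better as "since version 1.26.0", and it is worth saying what it is equivalent to (the ``allowed_scms`` option this section documents).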
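Review bot: in koji/daemon.py, hunk @@ -454,8 +454,8, the two changed docstring lines replace "allow [use_common] [source_cmd]" and "deny [reason]" with "allow [use_common] []" and "deny []", which drops the argument names while the sentences right below still refer to ``source_cmd``. The removed lines were clearer; if the intent was to mark these as placeholders, keep the names inside the brackets so the docstring and the policy documentation describe the same action format.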