My favorites | Sign in
Project Home Downloads Wiki Issues Source
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 3278: Gerrit ACL Deny is hard to use.
2 people starred this issue and may be notified of changes. Back to list
Status:  New
Owner:  ----


Sign in to add a comment
 
Reported by Velly.zhou, Apr 7, 2015
*****************************************************************
*****                                                       *****
***** !!!! THIS BUG TRACKER IS FOR GERRIT CODE REVIEW !!!!  *****
*****                                                       *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, CYANOGENMOD,  *****
***** INTERNAL ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.*****
*****                                                       *****
*****   THOSE ISSUES BELONG IN DIFFERENT ISSUE TRACKERS     *****
*****                                                       *****
*****************************************************************

Affected Version: v2.8.6.1


What steps will reproduce the problem?

  There are 3 projects "All-Project", "Sencondary-Parent-Project" and "Child-Project" exist in Gerrit. And the latter project is the child of previous one in turns.

  Projects configurations has follow sections:

  All-Project:
  [access refs/*]
      read = Registered User

  Sencondary-Parent-Project
  [access refs/heads/test]
      read = deny group Registered User
      read = allow group Administrator

  Child-Project
  [access refs/heads/test]
      read = allow group Group_Test

What is the expected output? What do you see instead?
  [Expected]
  I expect Only Administor and Group_Test can access refs/heads/test in Child-Project. Permission read is forbidden to group Registered User in Sencondary-Parent-Project project and it is overrided by Child-Project.

  [Instead]
  Gerrit is not the case.(Permission read in Child-Project on refs/heads/test cannot limit read that configured on refs/* in All-Project)
  Gerrit follow my expection only when All-Project new a access section with same branch or same branch wild

  All-Project:
  [access refs/*]
      read = Registered User
  [access refs/test]
      read = Registered User

  All 3 projects in inheritance have to grant the permission in the same branch (or same wild) as above can follow the design perpose "Deny can be override and Block cannot"
Sign in to add a comment

Powered by Google Project Hosting