Team/repo associations cleanup: You may have lost some permissions today

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Team/repo associations cleanup: You may have lost some permissions today

Daniel Beck
Hi everyone,

In preparation for the larger Everyone permissions cleanup[1] I wrote a script determining collaborators/contributors for every plugin. Reviewing its output, I found ~40 repos that had broken team/repo associations, i.e. per-repo teams that grant access to repositories other than the named one. I expect most of these associations are due to GitHub behavior that added all of a user's teams to a repo they fork or create (one of many reasons why we fork with the bot!). I cleaned most of those up (those repos with 90+ teams associated with them -- no joke -- will need GitHub support involvement).

So, if you lost access to any of these repos today, this is the reason. Please respond to this thread, or ping me on IRC, to get your access restored, if you are a (co)maintainer of any of these:
build-with-parameters-plugin
cloudbees-disk-usage-simple-plugin
ec2-fleet-plugin
exclude-matrix-parent
github-additional-traits-plugin
graphite-plugin
html5-notifier-plugin
icescrum-plugin
image-gallery-plugin
jacoco-plugin
jna
jsch-plugin
jslint-jenkins-plugin
keep-slave-offline-plugin
leiningen-plugin
logging-plugin
Matrix-sorter-plugin
maven-license-plugin
openstack-cloud-plugin
pipeline-build-step-plugin
pipeline-model-definition-plugin
plexus-utils
pubsub-light-module
r-plugin
redmine-plugin
sahagin-plugin
saml-plugin
seleniumhtmlreport-plugin
signal-killer
sse-gateway-plugin
telerik-appbuilder-plugin
updatejob-plugin
upstream-downstream-view-plugin

These three repos have so many team associations that they break the GitHub UI (90-130 teams each), so I'm in contact with GitHub support to fix them:
emmacoveragecolumn-plugin
matrix-reloaded-plugin
selenium-tests

In general, don't reuse the autogenerated teams to set up some sort of manual team/permissions management in GitHub. Create new teams for this that are unambiguously not a autogenerated 'whatever-plugin Developers' team.

Daniel

1: https://groups.google.com/d/msg/jenkinsci-dev/ksKAsmsmVng/lG2lNEaJBQAJ

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7B81C933-C072-431B-96FE-07C1585102BB%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Mark Waite-2
I seem to have lost the ability to control settings on the git-plugin repository.  Could you add me to a group that has admin permissions for https://github.com/jenkinsci/git-plugin ?

Mark Waite

On Tue, Nov 28, 2017 at 6:59 AM Daniel Beck <[hidden email]> wrote:
Hi everyone,

In preparation for the larger Everyone permissions cleanup[1] I wrote a script determining collaborators/contributors for every plugin. Reviewing its output, I found ~40 repos that had broken team/repo associations, i.e. per-repo teams that grant access to repositories other than the named one. I expect most of these associations are due to GitHub behavior that added all of a user's teams to a repo they fork or create (one of many reasons why we fork with the bot!). I cleaned most of those up (those repos with 90+ teams associated with them -- no joke -- will need GitHub support involvement).

So, if you lost access to any of these repos today, this is the reason. Please respond to this thread, or ping me on IRC, to get your access restored, if you are a (co)maintainer of any of these:
build-with-parameters-plugin
cloudbees-disk-usage-simple-plugin
ec2-fleet-plugin
exclude-matrix-parent
github-additional-traits-plugin
graphite-plugin
html5-notifier-plugin
icescrum-plugin
image-gallery-plugin
jacoco-plugin
jna
jsch-plugin
jslint-jenkins-plugin
keep-slave-offline-plugin
leiningen-plugin
logging-plugin
Matrix-sorter-plugin
maven-license-plugin
openstack-cloud-plugin
pipeline-build-step-plugin
pipeline-model-definition-plugin
plexus-utils
pubsub-light-module
r-plugin
redmine-plugin
sahagin-plugin
saml-plugin
seleniumhtmlreport-plugin
signal-killer
sse-gateway-plugin
telerik-appbuilder-plugin
updatejob-plugin
upstream-downstream-view-plugin

These three repos have so many team associations that they break the GitHub UI (90-130 teams each), so I'm in contact with GitHub support to fix them:
emmacoveragecolumn-plugin
matrix-reloaded-plugin
selenium-tests

In general, don't reuse the autogenerated teams to set up some sort of manual team/permissions management in GitHub. Create new teams for this that are unambiguously not a autogenerated 'whatever-plugin Developers' team.

Daniel

1: https://groups.google.com/d/msg/jenkinsci-dev/ksKAsmsmVng/lG2lNEaJBQAJ

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7B81C933-C072-431B-96FE-07C1585102BB%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtGfPCi_8r3kOXnL%2B_m%2BN8yURK_hnXqdtqZVCE0UgYyF2g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Daniel Beck

> On 28. Nov 2017, at 17:08, Mark Waite <[hidden email]> wrote:
>
> I seem to have lost the ability to control settings on the git-plugin repository.  Could you add me to a group that has admin permissions for https://github.com/jenkinsci/git-plugin ?

Done. But I'd like to note that you already only had write access when I enumerated granted permissions for the other thread ~20 hours ago, so it's unrelated to this change. I don't know why, the audit log does not track permission changes.

I listed potentially impacted repos and users in https://issues.jenkins-ci.org/browse/INFRA-1421

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/4F133975-9A19-45D3-9475-D01F4A4B9599%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Oliver Gondža-2
In reply to this post by Daniel Beck
On 2017-11-28 14:59, Daniel Beck wrote:
> So, if you lost access to any of these repos today, this is the reason. Please respond to this thread, or ping me on IRC, to get your access restored, if you are a (co)maintainer of any of these:

Some of these are maintained by us, please grant access to olivergondza
for:

- exclude-matrix-parent
- openstack-cloud-plugin

And to lvotypko for:

- keep-slave-offline-plugin
- Matrix-sorter-plugin
- upstream-downstream-view-plugin
Thanks
--
oliver

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/05d56740-4290-a79c-f05f-810baeb3e36a%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Daniel Beck
Oliver,

I don't understand what you're asking for.

> On 28. Nov 2017, at 20:26, Oliver Gondža <[hidden email]> wrote:
>
> Some of these are maintained by us, please grant access to olivergondza for:
>
> - exclude-matrix-parent

You already have write via Everyone, unchanged from yesterday.

> - openstack-cloud-plugin

You already have admin via per-repo team, unchanged from yesterday.

> And to lvotypko for:
>
> - keep-slave-offline-plugin

She already has write via Everyone, unchanged from yesterday.

> - Matrix-sorter-plugin

I cleaned this one up manually earlier today when removing an unrelated repo's team. She always had write access except perhaps for a minute earlier today.

> - upstream-downstream-view-plugin

This is the only one in which I actually removed access (by removing the 'computer-queue-plugin Developers' team from the repo). I granted it again via bot.

If you're asking for something different, please clarify, ideally in an INFRA issue. Most of this seems unrelated to what I did today.

Thanks!
Daniel

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/E3BAF159-12EA-49FF-9033-057C8E9BAB03%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Daniel Beck
In reply to this post by Daniel Beck

> On 28. Nov 2017, at 14:59, Daniel Beck <[hidden email]> wrote:
>
> These three repos have so many team associations that they break the GitHub UI (90-130 teams each), so I'm in contact with GitHub support to fix them:
> emmacoveragecolumn-plugin
> matrix-reloaded-plugin
> selenium-tests

GitHub support fixed whatever broke the UI for this, and roughly 350 mouse clicks later (still quicker than writing a script for this), some other org members may have lost access to these repos, too.

Added these repos and potentially impacted users to INFRA-1421.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/68AF598D-2FFE-430D-B3F5-3D0053367FF0%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Joseph P
Don't know why I was on so many repos, that I have never touched when looking that INFRA-1421 😕

In any case, I lost my accurev-plugin admin rights a couple of months ago, could I have it back? 😊

Den fredag den 1. december 2017 kl. 07.55.56 UTC+1 skrev Daniel Beck:

> On 28. Nov 2017, at 14:59, Daniel Beck <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="0W64l4JxBQAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">m...@...> wrote:
>
> These three repos have so many team associations that they break the GitHub UI (90-130 teams each), so I'm in contact with GitHub support to fix them:
> emmacoveragecolumn-plugin
> matrix-reloaded-plugin
> selenium-tests

GitHub support fixed whatever broke the UI for this, and roughly 350 mouse clicks later (still quicker than writing a script for this), some other org members may have lost access to these repos, too.

Added these repos and potentially impacted users to INFRA-1421.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c129f984-2946-4aa6-9b16-8f87027f26c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Team/repo associations cleanup: You may have lost some permissions today

Daniel Beck

> On 3. Dec 2017, at 20:21, Joseph P <[hidden email]> wrote:
>
> Don't know why I was on so many repos, that I have never touched when looking that INFRA-1421 😕

As I wrote -- wrong team/repo associations. You are a member of a team (or teams) that used to have access to many unrelated repos. Has nothing to do with past activity, just wrong forking/repo creation process.

> In any case, I lost my accurev-plugin admin rights a couple of months ago, could I have it back? 😊

Done. I changed the per-repo team from write to admin: https://github.com/orgs/jenkinsci/teams/accurev-plugin-developers

Further requests should probably filed as INFRA issues, 'github' component. I know I asked for responses to this thread, but issues have the advantage of going straight into my inbox, while not polluting anyone else's ;-)

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/800C50E5-F7B9-4A2D-86D6-3AA7F4588959%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.