Launchpad itself

FAILED: alfresco-community (You have no rights to accept component(s) 'partner')

Bug #530180 reported by Dustin Kirkland 
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Michael Nelson
Launchpad itself 10.03

Bug Description

I should be able to accept a new source package for Canonical's Partner archive.
 * https://edge.launchpad.net/ubuntu/karmic/+queue

However, I can't with error message:

 * FAILED: alfresco-community (You have no rights to accept component(s) 'partner')

Related branches

lp:~michael.nelson/launchpad/530180-partner-permissions
Graham Binns (community): Approve (code)
Diff: 473 lines (+257/-51)
8 files modified
lib/canonical/launchpad/security.py (+2/-1)
lib/lp/soyuz/browser/queue.py (+1/-1)
lib/lp/soyuz/browser/tests/test_queue.py (+191/-0)
lib/lp/soyuz/doc/archivepermission.txt (+3/-2)
lib/lp/soyuz/interfaces/archivepermission.py (+2/-1)
lib/lp/soyuz/model/archivepermission.py (+12/-7)
lib/lp/soyuz/stories/soyuz/xx-queue-pages.txt (+42/-35)
lib/lp/soyuz/tests/test_publishing.py (+4/-4)
Revision history for this message
Julian Edwards (julian-edwards) wrote :

Aw man, this is terrible code in the validation. Sorry Dustin :/

From lib/lp/soyuz/browser/queue.py:
        permissions = permission_set.componentsForQueueAdmin(
            self.context.main_archive, self.user)

Yes, it hard-codes the main_archive.

Changed in soyuz:
status: New → Triaged
importance: Undecided → High
milestone: none → 10.03
tags: added: queue-page
Michael Nelson (michael.nelson)
Changed in soyuz:
status: Triaged → In Progress
assignee: nobody → Michael Nelson (michael.nelson)
Revision history for this message
Michael Nelson (michael.nelson) wrote :

Having written tests to demonstrate the problem, I actually wasn't able to, so I checked the permissions:

17:50 < noodles> bigjools: can you run the following on staging for me to confirm whether it gives the same results as dogfood? https://pastebin.canonical.com/28854/
17:51 < bigjools> partner | partner | canonical-partner-dev
17:51 < bigjools> primary | partner | ubuntu-archive
17:51 < noodles> Thanks. So there's the problem.
17:52 < bigjools> ha

So the permission for ubuntu-archive with partner-component needs to be on the partner archive, not the primary archive. That should fix Dustin's problem.

I'll still land my branch as it has some extra tests, and will also ensure that a user can just administer, for example, the partner archive queue (currently the logic as shown in bigjools' snippet above) assumes that the person already has queue admin rights on the main archive (which Dustin has) before checking the specific items.

Revision history for this message
Ursula Junque (ursinha) wrote : Bug fixed by a commit

Fixed in stable r10475 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/10475>

Changed in soyuz:
status: In Progress → Fix Committed
tags: added: qa-needstesting
Revision history for this message
Michael Nelson (michael.nelson) wrote :

OK, I've QA'd the actual change I made (enabling a person who *only* has queue admin rights on partner to be able to accept partner packages), but remember, the original issue here that Dustin had is actually an incorrect permission (comment #2 above).

So, steps for QA:

1. Uploaded a new version of pocketsphinx to universe and processed uploads on dogfood:
{{{
$LPCURRENT/scripts/process-upload.py -C insecure -v $QUEUE -a <email address hidden>
}}}

2. used the queue tool to override to partner:
{{{
scripts/ftpmaster-tools/queue --queue=unapproved --component=partner --exact-match override source pocketsphinx
}}}

3. Ensured via a console that I only have queue admin on partner:
{{{
In [30]: permission_set.componentsForQueueAdmin(primary, me).count()
Out[30]: 0

In [31]: permission_set.componentsForQueueAdmin(partner, me)[0].component.name
Out[31]: u'partner'
}}}

4. Successfully accepted the partner upload at https://dogfood.launchpad.net/ubuntu/lucid/+queue?queue_state=1

tags: added: qa-ok
removed: qa-needstesting
Michael Nelson (michael.nelson)
Changed in soyuz:
status: Fix Committed → Fix Released
Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 530180] Re: FAILED: alfresco-community (You have no rights to accept component(s) 'partner')

Hmm, I just tried this for another package in Partner and I got the
same error message.

FAILED: swftools (You have no rights to accept component(s) 'partner')

Is this fix already supposed to be on Edge?

:-Dustin

Revision history for this message
Michael Nelson (michael.nelson) wrote :

Hi Dustin,

As in comment 2 above, the original problem seemed to be an incorrect permission:
https://bugs.edge.launchpad.net/soyuz/+bug/530180/comments/2

The actual issue you were reported was because the partner-component permission for the ubuntu-archive team was on the *primary* archive, rather than the partner archive. If this permission has been fixed and you still experience this problem, please let us know.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Hi all-

I'm still experiencing this problem on edge.launchpad.net, as of today.

Changed in soyuz:
status: Fix Released → Confirmed
Revision history for this message
Michael Nelson (michael.nelson) wrote :

Hi Dustin,

Please read the above comments when you have a chance. As noted in comment 2 above, the issue is that you do not have permission to do so - you are not in a team that has permission for the partner component of the partner archive. The only team which has this permission is canonical-partner-dev which (at the moment) you are not a member of afaics.

You are a member of ubuntu-archive, but it has an *incorrect* permission (for the partner component of the *primary* archive). I've checked this again this morning, and the permission is still incorrect as shown below:

{{{
08:26 < noodles> Hi losa, could you please paste the results of https://pastebin.canonical.com/31385/ for m?
08:27 < spm> for 'm'? have we started working for MI6?
08:27 < noodles> ;)
08:27 * spm huge james bond fan....
08:29 < spm> archive_name | component_name | team_name
08:29 < spm> --------------+----------------+-----------------------
08:29 < spm> partner | partner | canonical-partner-dev
08:29 < spm> primary | partner | ubuntu-archive
08:29 < spm> (2 rows)
}}}

It may require an RT to sort out the permission for ubuntu-archive, I'll find out today who is able to set these permissions and try to get that sorted, but it's not (yet) a bug in Launchpad code, until we have the right permissions and can still demonstrate it. So, I'll comment here when the permission issue has been fixed.

Changed in soyuz:
status: Confirmed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

I've fixed the permissions:

  $ ./edit_acl.py -p ubuntu-archive query
  == All rights for ubuntu-archive ==
  Queue Administration Rights for ubuntu-archive: archive 'primary', component 'main'
  Queue Administration Rights for ubuntu-archive: archive 'primary', component 'restricted'
  Queue Administration Rights for ubuntu-archive: archive 'primary', component 'universe'
  Queue Administration Rights for ubuntu-archive: archive 'primary', component 'multiverse'
  Queue Administration Rights for ubuntu-archive: archive 'partner', component 'partner'

Please retry.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.