New issue
Advanced search Search tips
Starred by 1 user
Status: Released
Owner: ----
Closed: Jul 2014



Sign in to add a comment
global admin capability to modify user accounts
Project Member Reported by zaro0...@gmail.com, Jul 19 2014 Back to list
We have setup a "Third Party CI" group.  The group contains user accounts (all bots) that trigger on changes in our Gerrit repo, run tests externally, then reports back to our Gerrit.  

Here's an example: https://review.openstack.org/#/c/107486/

You will notice that "XenServer CI" and "turbo-hipster" are accounts in the "Third Party CI" group.  Our Third Party CI group is starting to become pretty large so we want to delegate account management of this group  to a specific person (gerrit user).  This user is not an administrator nor a project owner, just a Registered user with permission to modify account settings. 

Currently Gerrit doesn't support this use case.  I would like to request for a global admin capability ACL [1] to allow groups to manage accounts.  Maybe something similar to 'Create Account', except it would be 'Modify  Account.

[1] https://review.openstack.org/Documentation/access-control.html#global_capabilities
 
Project Member Comment 1 by david.os...@gmail.com, Jul 20 2014
Status: AwaitingInformation
As discussed on dev ML thread, the appropriate way to
achieve what you want is to write a plugin or use/extend
already existing serviceuser plugin. Plugins can provide
plugin owned capabilities that can be granted to users
from Gerrit UI as normal (core) capabilities.

For example serviceuser plugin provides own
'Create Service User' capability [1].

[1] https://gerrit.googlesource.com/plugins/serviceuser/+/master/src/main/resources/Documentation/cmd-create.md
Project Member Comment 2 by zaro0...@gmail.com, Jul 21 2014
Yes, you are right.  The service user plugin can address this use case.  However it doesn't address the general use case of allowing a user (or group) to modify any other user (or group) account.   I'm wondering why not just have a global capability in Gerrit core that allows one group to modify all other user accounts?  There are already capabilities to create account, create group, and view accounts.  Would it not make sense to add a "modify accounts" capability?  This capability could allow Gerrit admins to modify all other accounts/groups which Gerrit cannot do right now.
Labels: FixedIn-2.11
Status: Submitted
Status: Released
Comment 6 Deleted
Sign in to add a comment