Page MenuHomePhabricator
Create Task
Maniphest T293741

Create top level 'cloud' group on Gitlab
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

We have a 'cloud' namespace on gerrit that would be good to replicate on Gitlab.

This group, if possible, would host other subgroups later on:

  • cloud/toolforge/*
  • cloud/paws/*
  • cloud/quarry/*
  • etc

Related Objects

Event Timeline

aborrero created this task.Oct 19 2021, 10:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 19 2021, 10:01 AM
aborrero moved this task from Auth & Access to Inbox on the GitLab board.Oct 19 2021, 10:03 AM
aborrero edited projects, added GitLab; removed GitLab (Auth & Access).
taavi added a project: cloud-services-team.Oct 19 2021, 10:06 AM
taavi removed a subscriber: cloud-services-team.
Restricted Application edited projects, added cloud-services-team (Kanban); removed cloud-services-team. · View Herald TranscriptOct 19 2021, 10:06 AM
brennen moved this task from Inbox to Auth & Access on the GitLab board.Oct 19 2021, 11:16 PM
brennen edited projects, added GitLab (Auth & Access); removed GitLab.
dcaro subscribed.Oct 20 2021, 8:32 AM
brennen changed the task status from Open to Stalled.Oct 22 2021, 6:58 PM
brennen added projects: Release-Engineering-Team, User-brennen.
brennen subscribed.

Pending some decisions about top-level group under T292094#7442275.

hashar moved this task from INBOX to Next on the Release-Engineering-Team board.Oct 23 2021, 8:32 AM
hashar edited projects, added Release-Engineering-Team (Next); removed Release-Engineering-Team.
brennen moved this task from Next to Priority Backlog 📥 on the Release-Engineering-Team board.Nov 10 2021, 6:26 PM
brennen edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (Next).
brennen changed the task status from Stalled to Open.Nov 10 2021, 6:39 PM
brennen set the point value for this task to 1.
brennen moved this task from Priority Backlog 📥 to Done by Wed 24 Nov 🧟 on the Release-Engineering-Team board.
brennen edited projects, added Release-Engineering-Team (Done by Wed 24 Nov 🧟); removed Release-Engineering-Team (Priority Backlog 📥).
brennen claimed this task.Nov 10 2021, 6:41 PM
brennen closed this task as Resolved.Nov 18 2021, 8:44 PM

I've created:

wmf-team-cloud-services currently grants ownership of /repos/cloud; @aborrero and other folks from Cloud Services who I could find existing GitLab accounts for are owners of the people group. You should be able to self-serve repository creation and group membership, but please let me know if there's anything I can help with.

brennen moved this task from Backlog to Done or Declined on the User-brennen board.Nov 18 2021, 8:44 PM
brennen moved this task from Backlog to Done on the Release-Engineering-Team (Done by Wed 24 Nov 🧟) board.
taavi subscribed.Nov 18 2021, 8:54 PM
In T293741#7515010, @brennen wrote:

I've created:

wmf-team-cloud-services currently grants ownership of /repos/cloud; @aborrero and other folks from Cloud Services who I could find existing GitLab accounts for are owners of the people group. You should be able to self-serve repository creation and group membership, but please let me know if there's anything I can help with.

What about us who have advanced access on WMCS but don't work for the WMF? Which group should we be in?

brennen reopened this task as In Progress.Nov 19 2021, 1:33 AM
brennen moved this task from Done or Declined to Doing on the User-brennen board.

What about us who have advanced access on WMCS but don't work for the WMF? Which group should we be in?

In the scheme we sketched out at Policy#User_Groups, I think that should probably be volunteer-group-cloud-admin. I've created that and given it Maintainer-level access to repos/cloud. Does that seem about right to everybody?

brennen triaged this task as Medium priority.Nov 19 2021, 1:39 AM
aborrero added a comment.Nov 19 2021, 9:25 AM

Thanks!

I tried creating a subgroup:

https://gitlab.wikimedia.org/repos/cloud/toolforge

I was able to add the WMCS staff group wmf-team-cloud-services to this subgroup:

https://gitlab.wikimedia.org/groups/repos/cloud/toolforge/-/group_members?tab=groups

Perhaps out of scope for this particular ticket, but I was unable to give permissions to volunteer-group-cloud-admin.

Or is there some kind of inheritance from the parent group?

brennen added a comment.Nov 19 2021, 6:44 PM

Or is there some kind of inheritance from the parent group?

One thing that's non-obvious - and that we should probably try to make extremely clear to folks - is that if you're a member of a parent group, you're a member of all groups it contains. (This is why we aren't using something with hierarchy like people/wmf/team-cloud-services to model things.)

I had expected that this worked the same for groups, and that anyone in both people/wmf-team-cloud-services and people/volunteer-group-cloud-admin should already have been an owner in cloud/toolforge, but I guess maybe this only holds for direct members of a group:

https://docs.gitlab.com/ee/user/group/#share-a-group-with-another-group

Similar to how you share a project with a group, you can share a group with another group. Members get direct access to the shared group.

Impersonating your user, I can reproduce not being able to autocomplete people/volunteer-group-cloud-admin in the group invite field. I'm guessing this is because you're not a member of it.

I'll need to dig into this a bit more.

brennen added a comment.Nov 19 2021, 6:56 PM

(Added people/volunteer-group-cloud-admin as maintainers in the meanwhile.)

nskaggs moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.Jan 10 2022, 10:45 PM
brennen moved this task from Auth & Access to Project Migration on the GitLab board.Jan 31 2022, 10:25 PM
brennen edited projects, added GitLab (Project Migration); removed GitLab (Auth & Access).
brennen mentioned this in T296381: Create new GitLab project group: Generated Data Platform.Feb 3 2022, 10:51 PM
brennen mentioned this in T300935: Investigate what's required to allow a user to fork or transfer a project to a group.Feb 3 2022, 11:15 PM
brennen closed this task as Resolved.Feb 3 2022, 11:43 PM
brennen mentioned this in T300939: GitLab group permissions are not inherited by sub-groups for groups of users invited to the parent repo.
brennen moved this task from Doing to Done or Declined on the User-brennen board.

I'll need to dig into this a bit more.

Filed T300939 for that.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL