ActionNotAllowed: policy violation - but why?
Mike Bonnet
mikeb at redhat.com
Fri May 8 15:11:04 UTC 2009
Steve Traylen wrote:
> On Fri, May 8, 2009 at 4:04 PM, Mike Bonnet <mikeb at redhat.com> wrote:
>> Steve Traylen wrote:
>>> On Fri, May 8, 2009 at 11:52 AM, Steve Traylen <steve at traylen.net> wrote:
>>>> Hi,
>>>>
>>>> I was reliably building on a tag before but now receive
>>>> ActionNotAllowed: policy violation
>>> A little bit more.
>>>
>>> ActionNotAllowed: policy violation -- all :: deny
>> What version of Koji are you running? I believe there was a bug in earlier
>> versions that caused a missing "policy" entry in /etc/koji-hub/hub.conf to
>> result in denials of everything. That should be fixed in 1.3.1.
>> Alternately you could add a policy entry to allow building from srpm into
>> the dist-centos4 tag:
>>
>> [policy]
>> build_from_srpm =
>> tag dist-centos4 :: allow
>> has_perm admin :: allow
>> all :: deny
>>
> Hi Mike,
>
> I'm running stock FC10.
> koji-hub-1.3.1-1.fc10.noarch
> koji-1.3.1-1.fc10.noarch
> koji-web-1.3.1-1.fc10.noarch
> koji-utils-1.3.1-1.fc10.noarch
> koji-builder-1.3.1-1.fc10.noarch
>
> I've not had had any [policy] in the hub.conf file up to now
> and things have been okay, i.e I could build from cvs and svn
> for instance which I did yesterday. It's just building from srpm that has
> been blocked but I have not tried that in a while so that may have been the
> before the recent upgrade.
Actually I was wrong, if no policy is present the default policy forbids
building from srpm by anyone but an admin (this is for consistency with
previous versions of Koji). But this is now overrideable with custom
policy, whereas it was hard-coded before.
> Certainly making a very open policy
>
> [policy]
> build_from_srpm =
> tag dist-centos4 :: allow
> has_perm admin :: allow
> all :: all
>
> and then things proceed, I'll tune that now.
>
> More generally now about policies. Do you have some description on these
> and what can be set? If nothing exists if you can give me something brief then
> I'll try and write something up for the wiki.
Unfortunately the policy stuff is not well-documented at the moment, but
we're working on fixing that. It is actually a very powerful mechanism
that allows you to control what types of source repositories you can
build from, setup elaborate building and tagging policy, etc. We'll get
some basic documentation onto the fedoraproject.org wiki soon, and any
help expanding on it at that point would be appreciated.
> As it happens I'm giving a presentation in a weeks time to my colleagues
> on mock, koji and mash and certainly any content (e.g diagrams) I produce I'll
> write up in a generic way for inclusion in documentation.
That'd be great!
> Thanks again
>
> Steve
>
>
>
>
>>> Steve
>>>
>>>> and can't seem shake it or understand why for a particular package
>>>> Is is possible
>>>> to get an explanation?
>>>>
>>>> http://skoji.cern.ch/koji/taskinfo?taskID=2918
>>>>
>>>> This is following a build as CN=straylen
>>>>
>>>> koji build --nowait dist-centos4 ../SRPMS/mpich-1.2.7p1-2.el4.src.rpm
>>>>
>>>> My permissions.
>>>>
>>>> id | name | password | status | usertype | krb_principal
>>>> ----+----------+----------+--------+----------+---------------
>>>> 1 | straylen | | 0 | 0 |
>>>>
>>>> and user_id=1 does not appear in user_perms . i.e I am
>>>> a boring user.
>>>>
>>>> The package has been added.
>>>>
>>>> koji list-pkgs --tag=dist-centos4 --package=mpich
>>>> Package Tag Extra Arches Owner
>>>> ----------------------- ----------------------- ----------------
>>>> ---------------
>>>> mpich dist-centos4 straylen
>>>>
>>>>
>>>> Thanks again for the help.
>> --
>> Fedora-buildsys-list mailing list
>> Fedora-buildsys-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
>>
>
>
>
More information about the Fedora-buildsys-list
mailing list