Red Hat Bugzilla – Bug 807616
RFE: Read-only checkout of a project
Last modified: 2014-10-19 19:00:38 EDT
Can we get a read-only checkout of a project?
This will be useful for tutorials, and for investigating without inadvertently changing something.
The lowest hanging fruit might be simply to do something like:
csprocessor export <SPECID>
and it does a csprocessor checkout, only it also writes:
in the csprocessor.cfg file.
Then whenever the user runs
If the csprocessor.cfg contains "ACCESS: readonly" then it declines and says: "Project is read-only".
This would make the tutorials a lot safer. Especially since tutorials are going to be executed by people who don't know what they are doing, the last thing we need is people continually overwriting the demo material by accidentally pushing a read-only tutorial back to the server.
That would be a maintenance/administration nightmare for me, and would make the tutorials useless for people if the content specs they rely on are broken.
While I do agree that a read-only ability is a good idea, putting it as plain text like that in the csprocessor.cfg seems like a bad design pattern because it's far too easy to change. Also, as another example, what if the user does csprocessor push <FILE>? Then that breaks the given example.
The best solution would be to have a server-side property that specifies who or what role can modify the content specification. That however is part of the authentication mechanisms which have yet to be done and won't be until Skynet gets its sorted out.
So possibly for a temporary solution the ACCESS: readonly will do. Another possibility is to add a Property Tag in Skynet that defines the CSP is readonly and can only be altered by the creator (or possibly a list of users who are permitted). The issue with this is that the property tag can easily be removed in Skynet.
Yes, I concur with all your observations. Real security is still some way off.
This RFE is less about "preventing deliberate circumvention" than it is about "protecting new users from inadvertent mistakes by pressing the wrong button".
Making the tutorial content specs read-only with a server-side flag would protect them nicely.
An export command that set a client-side "readonly" switch would enable people to check out various projects and build them for previewing purposes, and protect them from accidentally pushing them (for example by executing the push command in the wrong terminal window).
Added the basic implementation in 0.23.0.
There is a Property Tag called "CSP Read Only" set up in Skynet. To use it, add the property to the Content Spec that you want as read-only. To specify users that can edit it, set the value of the property to include a comma-separated list of users.
See: http://skynet.usersys.redhat.com:8080/TopicIndex/Topic.seam?topicTopicId=7272 for an example
Then when you attempt to validate or push the content specification you will get the following error message: "ERROR: Invalid Content Specification! The content specification is read-only."
1. Find your Content Spec in the web interface. Click on "Edit and Tag" in the context menu.
2. Go to the Properties Tab.
3. In the Properties Name tab, drop down the combo box and select "- CSP Read Only"
4. Optionally: add a comma-separated list of usernames of users who will be able to edit the Content Spec, in the "Value" field.
5. Click the "Add" button.
6. Click the "Update" button.
Closing and setting as current release as no QA was performed by the original reporter. If there is still an issue with this bug then please re-open it.
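An added sketch, not csprocessor or Skynet code, of the two guards discussed in this thread: the client-side "ACCESS: readonly" line in csprocessor.cfg and the server-side "CSP Read Only" property with its comma-separated editor list. The function names, the dict of properties, the "KEY: value" cfg parsing and the exact-match username comparison are assumptions made for illustration.

```python
READ_ONLY_TAG = "CSP Read Only"  # property tag name given in the thread
READ_ONLY_ERROR = ("ERROR: Invalid Content Specification! "
                   "The content specification is read-only.")


def parse_editors(value):
    """Split the property value into usernames (assumed: trimmed, exact match)."""
    if not value:
        return set()
    return {name.strip() for name in value.split(",") if name.strip()}


def server_check_push(spec_properties, username):
    """Server-side decision: None if the push may proceed, else the error text.

    spec_properties is a hypothetical dict of property tag name -> value.
    """
    if READ_ONLY_TAG not in spec_properties:
        return None                      # tag absent: spec is writable
    if username in parse_editors(spec_properties[READ_ONLY_TAG]):
        return None                      # listed user may still edit
    return READ_ONLY_ERROR               # everyone else is refused


def client_check_push(cfg_text):
    """Client-side guard from the original request: a safety catch only.

    It stops an accidental push, but the file is plain text and easy to
    change, so the server check must never depend on it.
    """
    for line in cfg_text.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "ACCESS" and val.strip() == "readonly":
            return "Project is read-only"
    return None


def push(cfg_text, spec_properties, username):
    """Run both guards; the server's answer is the authoritative one."""
    return client_check_push(cfg_text) or server_check_push(spec_properties, username)
```

Deleting the ACCESS line from the local file only bypasses the client guard; a user who is not on the property's list still gets the read-only error from the server-side check.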