Bug #17338

Enforce configuration of roles in Weblate

Added by zen 4 months ago. Updated 4 days ago.

Status: In Progress
Priority: Normal
Assignee:
Category: Infrastructure
Target version: -
Start date:
Due date:
% Done: 100%
Feature Branch: https://salsa.debian.org/hefee/puppet-tails:hefee/17338-enforce-roles
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool: Translation Platform

Description

I haven't followed previous discussion about this, but there's the idea of enforcing configuration of Weblate roles (as defined in the design doc) through configuration management using Puppet.

Roles are:

  • Anonymous users can suggest.
  • Logged in users can suggest and vote on suggestions.
  • Reviewers can accept suggestions.
  • Admin.

The Puppet code created for this might need to be updated when Weblate/Django's API changes.

Can someone share some background on this discussion? Was it thought to protect against a specific kind of attack or bug?


Subtasks

Feature #17514: Allow reviewers to delete suggestions Resolved


Related issues

Blocks Tails - Bug #16881: Puppetize critical Weblate configuration Confirmed

History

#1 Updated by zen 4 months ago

@hefee, does this issue capture what we wrote down as "puppetize auth model"?

#2 Updated by zen 4 months ago

  • Assignee set to Sysadmins

#3 Updated by intrigeri 4 months ago

  • Affected tool set to Translation Platform

#4 Updated by intrigeri 4 months ago

Hi!

At first glance, this looks like a subset or duplicate of #16881, but the phrasing here is more detailed and could be used to improve the description of #16881 :)

#5 Updated by hefee 4 months ago

  • Blocks Bug #16881: Puppetize critical Weblate configuration added

#6 Updated by hefee 4 months ago

zen wrote:

@hefee, does this issue capture what we wrote down as "puppetize auth model"?

Yes, this sounds like what I had in mind with regard to "puppetize auth model".

What I have in mind with puppetize is any script that is shipped via puppet and is executed regularly like a cronjob.

#7 Updated by hefee about 1 month ago

  • Status changed from New to Needs Validation
  • Assignee changed from Sysadmins to zen
  • Feature Branch set to https://salsa.debian.org/hefee/puppet-tails:hefee/17338-enforce-roles

#8 Updated by zen about 1 month ago

The current proposed fix for this uses a yaml file to store the desired roles. This yaml file was generated from our current setup. We have to review these roles to make sure they match what we want, and we may also want to remove any roles that Weblate creates but are unneeded for us.

#9 Updated by zen about 1 month ago

Talking to hefee, I expressed a bit of worry about future upgrades breaking this solution. One idea he gave was to always run this in check mode and e-mail if expected roles are different from actual roles.

#10 Updated by zen 5 days ago

  • Status changed from Needs Validation to In Progress
  • Assignee changed from zen to hefee

I have fixed a small typ0 and merged the script as is, to test it. I think it's a good start but still needs some work:

  • Should we check for unexpected Roles? (i.e. roles not in ACL but that exist in Weblate)
  • Same question for Groups.
  • How about we list exactly which Permissions are missing or should not exist for each Role?
  • Same question for Groups and Roles.
  • Looks like any user in a Group not listed in the ACL will trigger a warning. I think there's something wrong there.
  • In the future, it'd be great to be able to list superusers and reviewers in the ACL and have this script configure them automatically.

After looking at the script, I don't fear that this will break in the future, because if it breaks it shouldn't be hard to fix, and I wouldn't expect it to cause much trouble (i.e. give wrong permissions to wrong users).

So I think we can improve the script incrementally until it can actually configure/enforce the ACL by itself.
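
The check-mode comparison discussed in comments #9 and #10, as an added example (not the script from the feature branch): it compares a desired ACL with the roles found in Weblate and reports unexpected roles plus the exact missing or extra permissions per role, without changing anything. The role names, permission names, and the assumption that the live roles have already been exported into a dict are constructed for illustration.

```python
"""Check-mode drift report: desired roles (ACL) versus roles found in Weblate."""

# Constructed sample data; role and permission names are illustrative only.
# In practice EXPECTED_ACL would be loaded from the YAML file and ACTUAL_ROLES
# exported from the running instance (both steps are assumed, not shown).
EXPECTED_ACL = {
    "Anonymous": {"suggestion.add"},
    "Users": {"suggestion.add", "suggestion.vote"},
    "Reviewers": {"suggestion.add", "suggestion.vote", "suggestion.accept"},
}
ACTUAL_ROLES = {
    "Anonymous": {"suggestion.add"},
    "Users": {"suggestion.add", "suggestion.vote", "suggestion.accept"},
    "Reviewers": {"suggestion.add", "suggestion.vote"},
    "Leftover default role": {"translation.add"},
}


def diff_roles(expected, actual):
    """Return finding strings in a stable order; an empty list means no drift."""
    findings = []
    for role in sorted(set(expected) - set(actual)):
        findings.append(f"role missing in Weblate: {role}")
    for role in sorted(set(actual) - set(expected)):
        findings.append(f"role not in ACL: {role}")
    for role in sorted(set(expected) & set(actual)):
        want, have = set(expected[role]), set(actual[role])
        for perm in sorted(want - have):
            findings.append(f"{role}: missing permission {perm}")
        for perm in sorted(have - want):
            findings.append(f"{role}: unexpected permission {perm}")
    return findings


def check_mode(expected, actual):
    """Never modify anything: return (exit_code, mail_body) for a cron job."""
    findings = diff_roles(expected, actual)
    if not findings:
        return 0, ""
    return 1, "Weblate roles differ from ACL:\n" + "\n".join(findings)


if __name__ == "__main__":
    code, body = check_mode(EXPECTED_ACL, ACTUAL_ROLES)
    if body:
        print(body)  # cron mails any output to the job owner
    raise SystemExit(code)
```

The same comparison applies to Groups by passing group-to-permission mappings instead of role mappings.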
