diff --git a/config.py b/config.py
index f1d73f96..fb9844c8 100644
--- a/config.py
+++ b/config.py
@@ -17,6 +17,7 @@ class BaseConfiguration(object):
 KOJI_CONFIG = '/etc/module_build_service/koji.conf'
 KOJI_PROFILE = 'koji'
 KOJI_ARCHES = ['i686', 'armv7hl', 'x86_64']
+ KOJI_PROXYUSER = True
 COPR_CONFIG = '/etc/rida/copr.conf'
 PDC_URL = 'http://modularity.fedorainfracloud.org:8080/rest_api/v1'
 PDC_INSECURE = True
@@ -70,6 +71,10 @@ class DevConfiguration(BaseConfiguration):
 LOG_BACKEND = 'console'
 LOG_LEVEL = 'debug'
 HOST = '0.0.0.0'
+
+ # This requires that your principal be listed server side in ProxyPrincipals.
+ KOJI_PROXYUSER = False
+
 REQUIRE_PACKAGER = False
 # You only need these FAS options if you turn on authorization
 # with REQUIRE_PACKAGER=True
diff --git a/module_build_service/builder.py b/module_build_service/builder.py
index 98a42228..489f2323 100644
--- a/module_build_service/builder.py
+++ b/module_build_service/builder.py
@@ -411,6 +411,12 @@ chmod 644 %buildroot/%_rpmconfigdir/macros.d/macros.modules
 user_config=config.koji_config,
 ))
+ # In "production" scenarios, our service principal may be blessed to
+ # allow us to authenticate as the owner of this request. But, in local
+ # development that is unreasonable so just submit the job as the
+ # module_build_service developer.
+ proxyuser = owner if config.koji_proxyuser else None
+
 address = koji_config.server
 log.info("Connecting to koji %r" % address)
 koji_session = koji.ClientSession(address, opts=koji_config)
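Review bot: The comment added above `KOJI_PROXYUSER = False` in `DevConfiguration` (config.py, hunk at -70) describes what is needed to turn the option on, so as placed it reads as if the `False` setting requires the ProxyPrincipals entry. It also names only ProxyPrincipals, while the comments removed from builder.py in this commit refer to a ProxyDNs entry. I would reword it to `# Proxyuser stays off for development: enabling it requires the service identity to be listed hub-side (ProxyPrincipals / ProxyDNs).` The `KOJI_PROXYUSER = True` default in `BaseConfiguration` (hunk at -17) has no comment at all; one line saying that the service then logs in to koji on behalf of the build owner would make the inherited default visible to anyone adding a new configuration class.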
@@ -425,12 +431,7 @@ chmod 644 %buildroot/%_rpmconfigdir/macros.d/macros.modules
 principal=principal,
 keytab=keytab,
 ccache=ccache,
- # Unfortunately, the proxyuser method requires that we add all
- # of the modularity developers to the ProxyDNs entry in the
- # staging koji-hub config, and that's just not going to happen.
- # We get to re-work this in this ticket anyways,
- # https://pagure.io/fm-orchestrator/issue/112
- #proxyuser=owner,
+ proxyuser=owner,
 )
 else:
 koji_session.krb_login(ccache=ccache)
@@ -439,12 +440,7 @@ chmod 644 %buildroot/%_rpmconfigdir/macros.d/macros.modules
 os.path.expanduser(koji_config.cert),
 None,
 os.path.expanduser(koji_config.serverca),
- # Unfortunately, the proxyuser method requires that we add all
- # of the modularity developers to the ProxyDNs entry in the
- # staging koji-hub config, and that's just not going to happen.
- # We get to re-work this in this ticket anyways,
- # https://pagure.io/fm-orchestrator/issue/112
- #proxyuser=owner,
+ proxyuser=owner,
 )
 else:
 raise ValueError("Unrecognized koji authtype %r" % authtype)
diff --git a/module_build_service/config.py b/module_build_service/config.py
index 39d1a190..1b5ae3e2 100644
--- a/module_build_service/config.py
+++ b/module_build_service/config.py
@@ -54,6 +54,7 @@ class Config(object):
 self._koji_config = None
 self._koji_profile = None
 self._koji_arches = None
+ self._koji_proxyuser = None
 self._koji_build_priority = 10
 self._koji_repository_url = None
 self._rpms_default_repository = ""
@@ -229,6 +230,15 @@ class Config(object):
 def koji_arches(self, s):
 self._koji_arches = list(s)
+ @property
+ def koji_proxyuser(self):
+ """Koji proxyuser flag."""
+ return self._koji_proxyuser
+
+ @koji_proxyuser.setter
+ def koji_proxyuser(self, s):
+ self._koji_proxyuser = bool(s)
+
 @property
 def koji_repository_url(self):
 return self._koji_repository_url
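Review bot: Both login calls pass `proxyuser=owner` directly (the keytab call in the builder.py hunk at -425 and the certificate call in the hunk at -439), so the `proxyuser` value derived from `config.koji_proxyuser` in the hunk at -411 is never used in the visible code and the new flag has no effect. With `KOJI_PROXYUSER = False` the service would still ask the hub to act as `owner`, which is the case the added comment says should be avoided, and the delegation cannot be switched off by configuration. Both lines should read `proxyuser=proxyuser,`. The enclosing function starts and ends outside these hunks, so it is worth confirming that no later code consumes the local.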
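Review bot: The `koji_proxyuser` setter in module_build_service/config.py (hunk at -229) coerces with `bool(s)`, so a string such as `'False'` or `'0'` becomes `True` and turns on acting on behalf of the build owner. The config.py classes in this commit use real booleans, but whether the value can also arrive as a string from another source is not visible here. Because the flag controls delegated authentication, rejecting non-booleans is the safer behaviour: `if not isinstance(s, bool): raise TypeError("koji_proxyuser must be a bool")`. The docstring could also state what the flag does, for example `"""Whether to log in to koji on behalf of the build owner (proxyuser)."""`.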