openQA icon indicating copy to clipboard operation
openQA copied to clipboard
verified publisher icon os-autoinst

A role in between user and operator for workshops and similar

Open lkocman opened this issue 9 months ago • 3 comments

Hello openQA!

We want to do an openQA workshop at the openSUSE conference and one of the little dealbreakers was that users who are not operators can't run openqa-clone-job. Which is crucial for development of test suites.

However, giving people "temporary" access to the operator on our openqa.opensuse.org instance would also mean that they can change machines, and test suites, and that can be damaging especially if all the info is not in git e.g. test suite definitions, machines.

Having an temporarily created elevated user who can call openqa-clone-job but is not able to alter machines/test suites would be much safer. This year, we'll simply allow workshop participants to use only apikey to our dummy user, however, we'd like to have this addressed in the future. Plan is to create such one-off elevated user before workshop and drop user after the workshop, so there would be no "security hole".

This user would also be a nice transition for somebody who wants to start contributing but is afraid to break something.

Alternatively, we could work on a private instance, but that's already a big wall to climb for a beginner.

The end goal is that we'd like to have more new operators coming from the community etc, but we do not want to put our instance in danger in workshop events. Only "trusted" users would get operator rights or above.

Also, any other ideas are highly welcome.

Thank you

lkocman avatar Apr 08 '25 10:04 lkocman

I don't think this would be complicated to implement. We should however ponder how to implement it exactly. The easiest way would be yet another boolean column on the users table, e.g. can_create_jobs (in addition to is_operator and is_admin which we already have). However, this is maybe not the most future-proof way to go. Maybe another integer column permissions which stores flags would be better.

Martchus avatar Apr 08 '25 11:04 Martchus

The proper way to solve that right now is to setup a dedicated openQA instance intended for that purpose. openQA is easy to setup and can clone jobs from one instance to another.

okurz avatar Apr 08 '25 13:04 okurz

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 19 '25 02:07 stale[bot]