Introducing TeamForge Project Scope into Gerrit – Welcome to cross repo dashboards and RBAC

If you ever wondered how

  • you can see Gerrit change requests of different repositories but same TeamForge project in one dashboard/report

  • you can assign custom Gerrit access rights to project role so that they apply to all Git repositories within the same TeamForge project

  • you can make a Git repository visible to all project members of this TeamForge project but not to all members of the entire site (default access permissions)

… read on.

Fortunately, our blog posts are not just a one way street, unidirectional information broadcasting mechanism. We are listening to your comments and will turn your feedback into new features. This blog is about a feature “TeamForge project scope in Gerrit” that initiated out of multiple blog comments, support tickets and conversations with customers.

We often got approached regarding our Eclipse Desktop and GitEye which allow you to see Gerrit changes/reviews across repositories, grouped by TeamForge project.

GitEye Cross Project Query for Gerrit Changes

In the screenshot above, you can see changes out of two different Git repos (teamforge-git-integration and gerrit-workflow) which reside in the same TeamForge project (Git Integration Development). Users asked whether we could have a similar functionality directly in Gerrit Web UI and we are happy to show how this looks like in the two following screenshots.

Cross-repo dashboards in Gerrit Web UI

In all Gerrit projects, you can now click on the Dashboards section and see four dashboards which group all changes of the parent TeamForge project. If you click on All Changes Open, you will see something like this:

All Open reviews in TeamForge Project Git Integration Development

This screenshot is similar to the Eclipse/GitEye one, showing Open reviews out of gerrit-workflow and teamforge-git-integration.

To implement those dashboards, we had to tell Gerrit what it means for two repositories to be in the same TeamForge project. We did that by introducing Gerrit parent projects which map to TeamForge projects. The following screenshot shows some of those projects (they are named by TeamForge project id as Gerrit projects need an immutable name, the more human readable TF project path is shown as project description).

Gerrit parent projects corresponding to TeamForge projects

 

All Git repositories that belong to the same TeamForge project will be children of the corresponding project in Gerrit and inherit both access rights and dashboards.

Did I just say inheriting access rights? That’s right, you can now define custom Gerrit access rights that inherit down to all Git repositories of the same TeamForge project which brings us to another frequently asked feature. Let’s have a look at the default access rights in a Gerrit parent project:

Default Gerrit access rights on parent project

 As you can see, we have introduced some new groups, which contain all TeamForge project admins / project members  of that TeamForge project. Only TeamForge project admins can add custom access rights at this level. As a side effect, they can now also change access rights on all contained Git repositories without needing SCM Admin permissions any more. TeamForge Project members get access to the dashboards we have discussed above.

As a project admin, you can now go ahead and add additional access rights here which will inherit down to all Git repos in this TeamForge project. Want to grant Push Merge Commit access rights to all members of the Developer role for all Git repositories in TeamForge project Git Integration Development? The next screenshot shows you exactly that.

Grant cross repo access to TeamForge project role

Of course, you can also use the newly introduced project admin and project member groups on the individual repository level. Let’s say you like to grant all TeamForge project members of Git Integration Development (project id proj1012) read access to the gerrit-workflow repository. The next screenshot shows how this would look like.

Default access permissions on TeamForge Git repo

These are just some examples what you can do with the new Gerrit project hierarchy and groups, we are sure you will see how to realize any kind of default access permission scheme with that approach.

Some technical details at the end:

The features described are available from TeamForge Git Integration 8.1.4 on. There is no need to reboot TeamForge to upgrade Gerrit. If you do a fresh install, the feature will be enabled by default. If you do an upgrade you have to edit gerrit.config and add

syncTeamForgeProjectHierarchy = true

in the [teamforge] config section (and restart Gerrit).

If you decided to disable the features again

teamforge.syncTeamForgeProjectHierarchy = false

the created TeamForge parent projects will not be deleted but affiliation for project membership and project admin groups will no longer be calculated and any operations affecting project hierarchies (like moving a Git repository to a different TeamForge project) will be ignored.

Let’s hope you will never want to disable those features again though. If you have any feedback, just drop a comment.

Johannes Nicolai

Johannes Nicolai is CollabNet’s Development Manager leading all Git and Gerrit related development efforts. Furthermore, he is responsible for CollabNet Connect /synch, CollabNet’s platform to integrate TeamForge with third party ALM platforms. Johannes holds a Master of Science in IT Systems Engineering from Hasso Plattner Institut Potsdam and is a Certified Scrum Master. Before joining CollabNet five years ago, he was doing consulting on user centric design, developing cryptographic software and architecting SAP integrations. He is an Open Source enthusiast and contributes to many projects (check out https://www.ohloh.net/accounts/10619 for details).

Posted in Git, TeamForge
5 comments on “Introducing TeamForge Project Scope into Gerrit – Welcome to cross repo dashboards and RBAC
  1. Sebastian S. says:

    A question: are these dashboards also created if the TeamForge project has only a single GIT repository?

  2. Yes, in this case the dashboard will show you the same as the individual repo queries.

    • Sebastian S. says:

      Is this also the case, if the gerrit/git repos has been created with teamforge-git-integration version 8.0.x ? We recently upgraded the teamforge-git-integration to latest 8.4.x, but don’t see dashboards for our “old” git repos in gerrit.

  3. Are you saying you do see dashboards for your “new” repositories now (and just not for the old ones) or are you saying you do not see those dashboards at all?

    If you mean the latter, please check whether your gerrit.config contains an entry for project hierarchy support (see last section of this blog how to turn this on).

  4. Sebastian S. says:

    Thanks! That was the problem – already had this property in gerrit.config, but there was a little typo. Works like a charm now.

Leave a Reply

Your email address will not be published. Required fields are marked *

*