The garbage collector deletes builds. This is an admin-only action. It also uses untagBuildBypass, which was originally admin-only, but now works with the tag permission. Note that koji-gc does not normally use the force option for untagging. Due to a quirk in the tag access check, koji-gc will fail to untag from tags that require a permission it does not have (even if it has admin), so it needs to have any perms that are routinely used for tag access. Clearly this is kind of obtuse and we probably ought to make it simpler ;)

On Fri, Apr 24, 2020 at 3:52 PM Ken Dreyer <ktdreyer(a)ktdreyer.com <mailto:ktdreyer@ktdreyer.com>> wrote: Hi folks, We don't currently document the permissions that koji-gc requires at https://docs.pagure.org/koji/utils/#garbage-collector In Fedora the garbage collector user is "oscar", and it has the following groups: $ koji --noauth call getUserPerms oscar ['admin', 'infra', 'autosign'] That seems like a lot of high permissions. Are they all necessary? - Ken _______________________________________________ koji-devel mailing list -- koji-devel(a)lists.fedorahosted.org <mailto:koji-devel@lists.fedorahosted.org> To unsubscribe send an email to koji-devel-leave(a)lists.fedorahosted.org <mailto:koji-devel-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahoste... _______________________________________________ koji-devel mailing list -- koji-devel(a)lists.fedorahosted.org To unsubscribe send an email to koji-devel-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahoste...