Require 2 admin signoffs for changes to permissions

[bhearsum]

Currently, we calculate the signoffs required for changes to permissions by taking the full set of all product signoffs (

balrog/src/auslib/db.py

Line 2658 in 3ed6b80

def getPotentialRequiredSignoffs(self, affected_rows, transaction=None):

). This often means that we need 2, 3, or sometimes even 5 signoffs to make a simple change to permissions.

We should adjust this to require just two signoffs in total. Ideally, it would require them from a full fledged admin (ie: has admin permission without any conditions attached). If this ends up being too difficult (it my - because it moves us from looking at "roles" when checking signoffs to looking at "permissions" -- it also may complicate the UI) -- we could consider hardcoding 2 "releng" signoffs instead. We'd have to evaluate potential security issues before going that route - most importantly, we need to make sure that nobody currently has that role that shouldn't, and cannot be granted it by anybody other than a full fledged admin.