RBAC for ChatOps MVC
We need a better solution for RBAC in our ChatOps functionality. Today we rely on the user having to add their own checks within the job script which is difficult to update, error prone, and susceptible to having the underlying user variables overridden.
We should instead make RBAC a first class citizen for ChatOps, rather than relying on this to be constructed in each job.
MVC Proposal:
- Configuration option to define the minimum project role required to access jobs. (Owner/Master/Developer/Guest)
- An option to add a user or user group to the access list, even if they do not otherwise meet the minimum required access level. They must still have at least guest access to the project.
This would at least provide some additional control, even though it is global across all jobs in the project. The next step after this would be per-job overrides of the above default.