Running arbitrary ruby tasks

Problem to solve

When trying to automate various tasks, engineer often run into product limitations. To overcome these issues, we often have to bend boundaries of product by modifying it. In some cases these modifications make sense to be shared on public. In other cases implementing them to core product doesn't make any sense. Currently in GitLab we have option to run arbitrary code from command line by administrators. Allowing non-administrators to run the code written by administrators, requires building a custom interface with authentication/authorization etc. Scheduling tasks that should not run in parallel is unreasonably hard on HA-environments. CPU overhead of running simple task is huge and due to overhead and therefore execution of rather simple tasks takes quite a bit of time.

Intended users

Administrators that are willing to take the risk involved in running custom unsupported code. Developers that are supported by administrators by granting them right to run reviewed code.

Further details

Proposal

Administrators are granted permission to store custom ruby code/scripts in database. Scripts are exposed as runnable tasks. Tasks are controlled by user privileges. Both an API and UI-component are exposed for creating/modifying tasks, triggering a task and polling for task status. When completed, task may return a custom value (hash), when triggered through API. Rendering response as HTML in UI is beyond the scope of this proposal.

Permissions and Security

Administrators have permission to manage tasks and related permissions.

Proposed behavior is consistent between API and UI.

Documentation

Testing

Running arbitrary code may cause unexpected side-effects that are beyond scope of any support. Considering the feature is potentially dangerous, it should not be enabled by default.

What does success look like, and how can we measure that?

User can run a custom administrator defined ruby task with both API and UI.

Links / references