Define explicit policies for who can view CI minute and Duration data
Problem
When working on displaying detailed data about CI minutes usage at group level we realized that the permission policies for allowing a user to see CI minutes usage are scattered and inconsistent.
- For group usage quota page we currently use
admin_group
policy. Adding CI Minutes usage to Analytics puts the data behind a Premium feature so that is not a great solution either.- The second part is being resolved by moving Group > Analytics > CI/CD > Shared Runner Duration to the Free Tier.
- For user usage quota page we don't have any policy checks because that always refers to the
current_user.namespace
which we assume thecurrent_user
always has the right permissions. - We use
read_ci_minutes_quota
policy when we want to display the "buy more CI minutes" banner to the user. - We also display CI minutes data without any permission checks in the build serializer
Proposal
-
Complete the spike Spike: Identify who can see CI Minutes Data (#349201 - closed) -
Do we need a separate policy rule for seeing the details in the usage data? E.g. breakdown of usage per project, Shared runners duration data with breakdown per project, etc. - We decided to keep this issue focused on who can see the Group Usage Quota page and buy minutes.
-
Define explicit CI minutes abilities. E.g. read_ci_minutes_usage
,admin_ci_minutes_usage
(like buying CI minutes for the namespace)- For group usage quota page we currently use
admin_group
policy. - For user usage quota page we don't have any policy checks because that always refers to the
current_user.namespace
which we assume thecurrent_user
always has the right permissions. - We use
read_ci_minutes_usage
policy when we want to display the "buy more CI minutes" banner to the user. - We also display CI minutes data without any permission checks in the build serializer
- For group usage quota page we currently use
-
Use the explicitly defined rules in the code. - Introduce
admin_ci_minutes
and allow users who haveadmin_group
permissions or are owner of a user namespace (current_user.namespace
) - Supports (1) and (2) above. Could it also support (3) given that the same users are those who can buy CI minutes?
- Introduce
read_ci_minutes_summary
to support (4)
- Introduce
Edited by Allison Browne