Breaking change: Update API permissions for Package settings to Maintainer/Owner

Context

The GitLab Package stage offers a Package Registry, Container Registry, and Dependency Proxy to help you manage all of your dependencies using GitLab. Each of these product categories has a variety of settings that can be adjusted using the API. Currently these settings require Developer+ permissions.

Problem to solve

Some of these settings like cleanup policies will permanently delete dependencies, which is quite a destructive action. After doing competitive research, most other companies limit these settings to Maintainer/Owner users.

Proposal

Update the permissions level of the GitLab API to require Maintainer/Owner level permissions to CRUD any Package stage-related settings.

Settings

1. Mutation.updateNamespacePackageSettings
2. PackageSettings
3. DependencyProxySetting
4. DependencyProxyImageTtlGroupPolicy
5. Mutation.updateDependencyProxySettings
6. ContainerExpirationPolicy

Validation notes

When working on the Package Settings, it is crucial to validate all the related security issues get fixed. See #322055 (comment 862775425)

added to epic &6726 (closed)

changed the description

@michelletorres @vdesousa @katiemacoy FYI

@trizzi this change makes sense to me

Glad to see this planned

changed milestone to %15.0

added Category:Container Registry Category:Package Registry Category:Dependency Proxy api breaking change devopspackage grouppackage registry permissions typemaintenance labels

changed due date to February 11, 2022

Setting a due date for myself to add this to the deprecations/removals docs

added sectionops label

added [deprecated] Accepting merge requests label

created merge request !79289 (closed) to address this issue

mentioned in merge request !79289 (closed)

Admin Level is meant in project/group context, so Members with Maintainer/Owner Access Level and not instance administrators, right?

That's true @Taucher2003, I mistakenly said Admin. I updated the issue description accordingly. Thanks for the correction on this!

changed title from Breaking change: Update API permissions for Package settings to Admin to Breaking change: Update API permissions for Package settings to Maintainer/Owner

changed the description

mentioned in issue #322055 (closed)

marked this issue as related to #322055 (closed)

mentioned in epic &7593 (closed)

changed the description

changed the description

created branch 350682-breaking-change-update-api-permissions-for-package-settings-to-maintainer-owner to address this issue

mentioned in merge request !82646 (merged)

Deprecation notice: !82646 (merged)

mentioned in issue #357047 (closed)

added Package:P1 label

set weight to 1

set weight to 2

added backend ruby labels

The changes involved are a weight 1, but since there are 6 potential places to update, I've made the weight 2 to account for any refactoring or MR splitting that may need to occur.

added workflowready for development label

Labeling this as Deliverable for %15.0

~"group::package" use this label on issues that the team commits to during the milestone

added Deliverable label

mentioned in issue gitlab-org/quality/triage-reports#7175 (closed)

mentioned in issue gitlab-org/quality/triage-reports#7249 (closed)

mentioned in merge request !85446 (merged)

I've opened an MR for the removal here: !85446 (merged)

mentioned in issue gitlab-org/quality/triage-reports#7348 (closed)

assigned to @sabrams

added workflowin dev label and removed workflowready for development label

changed the description

added typefeature label and removed typemaintenance label

added featureenhancement label

mentioned in merge request !86196 (merged)

marked the checklist item ContainerExpirationPolicy as completed

marked the checklist item DependencyProxyImageTtlGroupPolicy as completed

marked the checklist item Mutation.updateDependencyProxySettings as completed

marked the checklist item DependencyProxySetting as completed

mentioned in issue #340461 (closed)

mentioned in merge request !86200 (merged)

Async update

50% complete, 85% confident

Summary

I've opted to create separate MRs for each feature:

• Dependency Proxy settings
• Container cleanup policy settings
• Package settings

I've written initial MRs for the first two, but still need to manually test and update the MR descriptions before they are ready for review.

MR Status

• !86200 (merged) - Dependency proxy permission updates - 65% complete, 90% confident
• !86196 (merged) - Container cleanup policy permission updates - 65% complete, 90% confident
• TODO - Package setting permission updates