Problems with sharing with groups
In the last few days I encountered several places where we were facing the same problem: who should see the members of groups invited to groups/projects, and under which conditions, especially when the invited group is private.
There is very little in the documentation. I believe that creating clear guidelines will be very helpful for all, and we won't reinvent the wheel over and over.
Documentation
Current documentation: https://docs.gitlab.com/ee/user/project/members/share_project_with_groups.html#sharing-public-project-with-private-group
Initial Proposal
Guiding Concepts
- Inheritance applies to groups and projects
  - If I am a member of a parent group, I am also a member of all of its subgroups
  - When you share a subgroup, you also share visibility into the parent group
- You can't share private groups into public projects
  - We should either prevent this, or force the owner to make the group public in order to share it into a public project
  - For existing scenarios where this is the case, we need to think through a process to remediate (perhaps we do a breaking change in a major release: break the link between private group and public project)
- Private/Public
  - Private means private. Unless you are a member of the private group or project, you can't see any information about it.
  - Public is public: anyone can see the group/project information.
- Same inheritance concepts apply to public and private projects
  - Private projects can only have private projects underneath them
  - Public projects can only have public projects underneath them
  - Example: public project B can't coexist under private group A without exposing information about private group A (and therefore making it public, in a sense), due to inheritance
Work in Progress
The following table tracks the progress of the work that remains. Each issue in the table will need to be commented on with a proposed solution (that follows the guiding principles). Once this happens, remove the gitlab-org/manage/authentication-and-authorization/discussion~3011586 label and document the solution in the table below:
Issue | MR | DRI | Summary | Further Action Required? | Status |
---|---|---|---|---|---|
Imported group membership not reflected in chil... (#321694 - closed) | MR | @hsutor | Fixed in %14.7. Modifies groups API to return shared groups | None, fits within guiding principles | |
Expose Private Group's Membership in autocomple... (gitlab-foss#53011 - moved) | MR | @hsutor | This issue is closed but there is a discussion around the definition of a private group. This is a duplicate of Expose Private Group's Membership in autocomple... (#24822 - closed) and was closed out in favor of it | No, solved with MR in duplicate issue above | Closed |
Endpoint for auto-completing Assignee discloses... (#29683 - closed) | None | @hsutor | Closed out by @hsutor in %14.3. It is not a bug since it follows the guiding principles. Comment | No | Closed |
Add membership CSV export to root group - Not linked to an issue. | MR | @hsutor | Fixed with MR in %14.2. Unclear if fix includes all shared members in fix. Note was "I've updated it to use the members finder, we'll stick with this for the first iteration" | Yes - need to see if members finder includes the correct membership. Also noted "This hits similar problems in compliance work". Is there anything to do there? | |
Inherit codeowners from groups added as members. (#254800) | None | @hsutor | Open issue. Codeowners are not following inheritance. Should they? | This should likely stay open, I'd like to confirm with the gitlab-org/manage/authentication-and-authorization/discussion~21882461 team | Open |
Shared groups fix for group/:id/members/all RES... (!66778 - merged) - community contribution I decided to block | |||||
!66755 (comment 646444833) this hits similar problem in compliance work | |||||
!71465 (comment 740965806) | |||||
Subgroups API does not show visible subgroups t... (#21643 - closed) | Open | ||||
User with inherited membership don't have acces... (#322145 - closed) | MR | Closed | |||
Group members API does not show invited groups ... (#225966 - closed) | Open | ||||
Add warning or hide Groups from Project members... (#343115) | Open | ||||
Shared group are not shown in members page of p... (#211312 - closed) | Open |
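
An added example (not part of the original issue and not GitLab's code) that audits a constructed hierarchy against the Guiding Concepts above, applying the proposal's rules as stated and considering only public and private visibility. `Node`, its fields, and the sample paths and users are hypothetical.

```ruby
# Added illustration; Node and its fields are hypothetical, not GitLab's schema.
Node = Struct.new(:path, :kind, :visibility, :parent, :members, :invited, keyword_init: true)

# Inheritance: direct members of a node plus members of every ancestor group.
def effective_members(node, index)
  members = []
  while node
    members |= node.members
    node = index[node.parent]
  end
  members
end

# Returns findings as [rule, offending path, related path, exposed users].
def audit(nodes)
  index = nodes.to_h { |n| [n.path, n] }
  findings = []
  nodes.each do |n|
    parent = index[n.parent]
    # Rule: private only under private, public only under public.
    if parent && parent.visibility != n.visibility
      findings << [:visibility_mismatch, n.path, parent.path, []]
    end
    next unless n.kind == :project && n.visibility == :public
    n.invited.each do |group_path|
      group = index.fetch(group_path)
      next unless group.visibility == :private
      # Rule: a private group must not be shared into a public project.
      # Sharing a subgroup also shares visibility into its parents, so the
      # inherited membership is what a public members list would reveal.
      findings << [:private_group_in_public_project, n.path, group.path,
                   effective_members(group, index).sort]
    end
  end
  findings
end

# Constructed sample hierarchy (paths and users are made up).
SAMPLE = [
  Node.new(path: "a", kind: :group, visibility: :private, parent: nil, members: ["alice"], invited: []),
  Node.new(path: "a/sub", kind: :group, visibility: :private, parent: "a", members: ["bob"], invited: []),
  Node.new(path: "a/b", kind: :project, visibility: :public, parent: "a", members: [], invited: []),
  Node.new(path: "pub", kind: :group, visibility: :public, parent: nil, members: ["carol"], invited: []),
  Node.new(path: "pub/site", kind: :project, visibility: :public, parent: "pub", members: [], invited: ["a/sub"]),
]

audit(SAMPLE).each { |finding| p finding } if __FILE__ == $PROGRAM_NAME
```

Each finding names the rule that was broken and, for a private group invited into a public project, the users whose membership would be disclosed.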