Create service account user type and associated scopes/policies
This issue encompasses many of the backend changes necessary for Service Accounts MVC.
Define the `service_account` user type and update/create associated scopes. This issue will also entail policy updates for the `:log_in` permission. Ensure these users don't take a billable seat at the instance level.
High-level thoughts on code changes needed:
- Define a new `user_type` in https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/concerns/has_user_type.rb.
  - We will also need to define new scopes and update existing scopes to ensure this new user type isn't included where not desired.
- Update global policy to indicate whether `:log_in` is permissible.
  - Do we want these accounts to be able to sign in? I don't think so, but if yes, we probably have other things we need to validate. What implications does allowing these users to sign in have?
- The question of sign-in also has implications to how tokens are then created for these service accounts. Either we need to allow creating the tokens similar to how we manage project/group access tokens now (don't need to sign-in to the user to do so) or just allow the account to have someone sign-in and create/manage tokens.
- To delineate between instance-level service accounts and group accounts, we can probably re-use the `provisioned_by_group` attribute. This would mean that an instance-level service account would have a nil `provisioned_by_group`, while one created by a group would have that value populated.
  - I believe we will only allow service accounts to be created and tied to top-level groups, and not subgroups? The accounts can still be granted specific privileges at subgroup/project level but cannot be created there, presumably.
- Ensure the user doesn't take a billable seat.
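To make the pieces above concrete, here is an added, self-contained Ruby sketch (not GitLab's code, and not the shape of the real `has_user_type.rb` concern) of the four changes the list describes: a new `service_account` entry in a user-type registry, scopes that exclude it from "human" listings, a global-policy check that denies `:log_in` to service accounts, a `provisioned_by_group`-based split between instance-level and group-level accounts, and a seat count that ignores them. The type names, integer values, class names and the `sample_users` data are all assumptions for illustration.

```ruby
require 'set'

# Concern-style mix-in standing in for the user_type logic (assumed shape,
# not the real has_user_type.rb).
module HasUserType
  # Assumed registry; the integer values are placeholders, not GitLab's.
  USER_TYPES = { human: 0, project_bot: 6, service_account: 13 }.freeze
  # Non-human types: excluded from "people" scopes and from seat counts.
  NON_HUMAN_TYPES = Set[:project_bot, :service_account].freeze

  # Generates human?, project_bot? and service_account? predicates.
  USER_TYPES.each_key do |type|
    define_method(:"#{type}?") { user_type == type }
  end

  def bot?
    NON_HUMAN_TYPES.include?(user_type)
  end

  # Instance-level service accounts carry a nil provisioned_by_group;
  # group-provisioned ones carry the top-level group that created them.
  def instance_level_service_account?
    service_account? && provisioned_by_group.nil?
  end

  def group_level_service_account?
    service_account? && !provisioned_by_group.nil?
  end
end

class User
  include HasUserType
  attr_reader :username, :user_type, :provisioned_by_group

  def initialize(username, user_type: :human, provisioned_by_group: nil)
    unless HasUserType::USER_TYPES.key?(user_type)
      raise ArgumentError, "unknown user_type: #{user_type.inspect}"
    end
    @username = username
    @user_type = user_type
    @provisioned_by_group = provisioned_by_group
  end

  # In-memory stand-ins for ActiveRecord scopes.
  def self.humans(users)
    users.reject(&:bot?)
  end

  def self.service_accounts(users)
    users.select(&:service_account?)
  end

  # Instance-level seat accounting: bots and service accounts are free.
  def self.billable_seat_count(users)
    users.count { |u| !u.bot? }
  end
end

# Stand-in for the global policy: service accounts cannot sign in, so
# their tokens would be issued without a session, as with group tokens.
class GlobalPolicy
  def initialize(user)
    @user = user
  end

  def allowed?(ability)
    case ability
    when :log_in then !@user.service_account?
    else false
    end
  end
end

# Constructed sample users for the demonstration; group name is made up.
def sample_users
  [
    User.new('alice'),
    User.new('ci-bot', user_type: :project_bot),
    User.new('svc-instance', user_type: :service_account),
    User.new('svc-group', user_type: :service_account,
                          provisioned_by_group: 'top-level-group')
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  puts "humans:   #{User.humans(users).map(&:username).inspect}"
  puts "seats:    #{User.billable_seat_count(users)}"
  users.each do |u|
    puts "#{u.username}: log_in=#{GlobalPolicy.new(u).allowed?(:log_in)} " \
         "instance_level=#{u.instance_level_service_account?}"
  end
end
```

Running the file prints one human in the `humans` scope, a seat count of 1, and `log_in=false` for both service accounts; the group-provisioned one is distinguished only by its non-nil `provisioned_by_group`, which is the attribute reuse the issue proposes.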