Skip to content

Persist GitLab agent's user access configuration in the database

Problem to solve

In the first iteration of the GitLab agent's user access backend, we read the configuration file directly from the head of the repository's default branch. This was done to keep the MR size as small as possible, but has several shortcomings:

  • There is no possibility for users to discover which agents they can access
  • The file may not represent a valid configuration
  • The file may not represent the configuration that is currently live

Proposal

  1. Database work
    • Option 1: Augment agent_group_authorizations and agent_project_authorizations with user access information.
    • Option 2: Leave agent_{group,project}_authorizations for ci_access and implement similar tables dedicated to user_access.
  2. Backend work:
    • Persist user_access in the database when the configuration file changes
    • Update Clusters::Agents::AuthorizeProxyUserService to use the database instead of reading the config file