Persist GitLab agent's user access configuration in the database
Problem to solve
In the first iteration of the GitLab agent's user access backend, we read the configuration file directly from the head of the repository's default branch. This was done to keep the MR size as small as possible, but has several shortcomings:
- There is no possibility for users to discover which agents they can access
- The file may not represent a valid configuration
- The file may not represent the configuration that is currently live
Proposal
- Database work
-
Option 1: Augment
agent_group_authorizations
andagent_project_authorizations
with user access information. -
Option 2: Leave
agent_{group,project}_authorizations
forci_access
and implement similar tables dedicated touser_access
.
-
Option 1: Augment
- Backend work:
- Persist
user_access
in the database when the configuration file changes - Update
Clusters::Agents::AuthorizeProxyUserService
to use the database instead of reading the config file
- Persist