Allow users to read agent information if they're allowed via `user_access` in agent config file
Problem
In Expose associated agent and namespace in Enviro... (#390766 - closed), users can get the agent information of the associated deployment/environment via GraphQL. However, the requesting user currently needs the read_cluster permission in the project that owns the agent, which requires the Developer role or above. This is a problem if the agent-owner project doesn't want to give the deployment project's users the Developer role, because that role carries other permissions such as pipeline execution.
Since the user is explicitly allowed to access the cluster via ci_access, they should not only be able to connect to the cluster and view its resources, but also read the agent information persisted in the GitLab database (PostgreSQL).
Related https://gitlab.slack.com/archives/C015U1TKV4M/p1676369395021429 !111827 (merged)
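The two grant paths this issue is about, written out as a small Ruby model so the difference is visible: the existing path (Developer or above in the agent-owner project) and the proposed one (the requesting user is a member of a project or group listed under `user_access` in the agent config file). This is an added illustration, not GitLab's policy code: the `AgentInfoAccess` module, the `User`/`Agent` structs, the role ranking and all sample paths and users are constructed here, and inherited/subgroup membership is deliberately left out of the model.

```ruby
# Constructed model of the agent-information access decision discussed in
# this issue. Not GitLab's DeclarativePolicy classes: AgentInfoAccess, the
# structs, the role ranking and the sample data below are all assumptions.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A user is modelled as direct memberships only: "group/project" => role and
# "group" => role. Inherited and subgroup memberships are not modelled.
User = Struct.new(:name, :project_roles, :group_roles, keyword_init: true)

# An agent belongs to one project and carries its parsed agent config file.
Agent = Struct.new(:project, :config, keyword_init: true)

module AgentInfoAccess
  module_function

  # Current behaviour: read_cluster requires Developer or above in the
  # project that owns the agent.
  def developer_in_owner_project?(user, agent)
    role = user.project_roles[agent.project]
    !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK[:developer]
  end

  # Proposed addition: the agent config explicitly lists projects and groups
  # under user_access; a member of any listed project or group qualifies,
  # without needing any role in the agent-owner project.
  def user_access_allowed?(user, agent)
    user_access = agent.config.fetch('user_access', {})
    projects = Array(user_access['projects']).map { |p| p['id'] }
    groups = Array(user_access['groups']).map { |g| g['id'] }

    projects.any? { |path| user.project_roles.key?(path) } ||
      groups.any? { |path| user.group_roles.key?(path) }
  end

  # The combined rule: either path grants read access to agent information.
  def can_read_agent_info?(user, agent)
    developer_in_owner_project?(user, agent) || user_access_allowed?(user, agent)
  end
end

# Constructed sample: the agent is owned by platform/cluster-mgmt and its
# config grants user_access to the app-team/shop project and the sre group.
AGENT = Agent.new(
  project: 'platform/cluster-mgmt',
  config: {
    'user_access' => {
      'access_as' => { 'agent' => {} },
      'projects' => [{ 'id' => 'app-team/shop' }],
      'groups' => [{ 'id' => 'sre' }]
    }
  }
)

DEPLOYER     = User.new(name: 'deployer', project_roles: { 'app-team/shop' => :developer }, group_roles: {})
PLATFORM_DEV = User.new(name: 'platform-dev', project_roles: { 'platform/cluster-mgmt' => :developer }, group_roles: {})
OWNER_GUEST  = User.new(name: 'owner-guest', project_roles: { 'platform/cluster-mgmt' => :guest }, group_roles: {})
SRE_MEMBER   = User.new(name: 'sre-member', project_roles: {}, group_roles: { 'sre' => :reporter })
OUTSIDER     = User.new(name: 'outsider', project_roles: { 'other/thing' => :maintainer }, group_roles: {})

if __FILE__ == $PROGRAM_NAME
  [DEPLOYER, PLATFORM_DEV, OWNER_GUEST, SRE_MEMBER, OUTSIDER].each do |u|
    puts format('%-13s developer_in_owner=%-5s user_access=%-5s can_read=%s',
                u.name,
                AgentInfoAccess.developer_in_owner_project?(u, AGENT),
                AgentInfoAccess.user_access_allowed?(u, AGENT),
                AgentInfoAccess.can_read_agent_info?(u, AGENT))
  end
end
```

The `deployer` row is the case the issue is about: no role at all in `platform/cluster-mgmt`, so the existing rule denies, while the `user_access` entry for `app-team/shop` grants read access without handing out Developer (and with it pipeline execution) in the agent-owner project. The `owner-guest` row shows that a role below Developer in the owner project still does not qualify on its own.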
Proposal
Allow users to read agent information if they're allowed via user_access in agent config file. Something like:
diff --git a/app/policies/clusters/cluster_policy.rb b/app/policies/clusters/cluster_policy.rb
index 316bd39f7a37..a1946c87cfeb 100644
--- a/app/policies/clusters/cluster_policy.rb
+++ b/app/policies/clusters/cluster_policy.rb
@@ -7,5 +7,9 @@ class ClusterPolicy < BasePolicy
delegate { cluster.group }
delegate { cluster.project }
delegate { cluster.instance }
+
+ rule { user_access_allowed }.policy do
+ enable :read_cluster
+ end
end
end
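Review bot: `user_access_allowed` is referenced by the new rule but no `condition` defining it appears in this hunk; the rule cannot be evaluated until that condition exists, so the check of the requesting user against the projects and groups listed under `user_access` in the agent config needs to be added alongside the rule. Also worth confirming before merging: the change lands in `ClusterPolicy` and enables the full `read_cluster` ability, while the issue is about reading agent information. Check that `read_cluster` is the ability the GraphQL agent fields actually evaluate and that it does not unlock more than agent metadata for `user_access` users; if it does, a narrower ability scoped to the agent would keep the grant to what the issue asks for.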