Allow users to read agent information if they're allowed via `user_access` in agent config file

Problem

In Expose associated agent and namespace in Enviro... (#390766 - closed), users can get the agent information of the associated deployment/environment via GraphQL. However, currently the requesting user needs to have read_cluster permission in the project that owns the agent, which can be obtained with Developer+ role. This can be a problem if the agent-owner project doesn't want to invite the deployment project user as a Developer role because they will have the other permissions, like pipeline execution.

Since the user is explicitly allowed to access the cluster via ci_access, they should not only be able to connect to the cluster and view the resources, but also read the agent information persists in GitLab database/PostgreSQL.

Proposal

Allow users to read agent information if they're allowed via user_access in agent config file. Something like:

diff --git a/app/policies/clusters/cluster_policy.rb b/app/policies/clusters/cluster_policy.rb
index 316bd39f7a37..a1946c87cfeb 100644
--- a/app/policies/clusters/cluster_policy.rb
+++ b/app/policies/clusters/cluster_policy.rb
@@ -7,5 +7,9 @@ class ClusterPolicy < BasePolicy
     delegate { cluster.group }
     delegate { cluster.project }
     delegate { cluster.instance }
+
+    rule { user_access_allowed }.policy do
+      enable :read_cluster
+    end
   end
 end

Edited Feb 15, 2023 by Shinya Maeda