Improve UX for user-base access control on Group Protected Environments API

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Summary

Group-level Protected Environments has the following restriction on user-base access control:

user-based:

Group-level config: The given user must be group member with Maintainer role or above.

However, it's not documented in https://docs.gitlab.com/ee/ci/environments/protected_environments.html#group-level-protected-environments. We should document this, otherwise it's confusing for users.

Also, Group-level Protected Environment API return a cryptic error message when an invalid user has been passed. We should improve the API response.

Group Protected Environments API only accepts a user_id of 1 in deploy_access_levels

Steps to reproduce

Create a new group (assume it is has an id of 26)
Use the API to add a rule to allow a user id (an value other than 1) to deploy to an environment tier. For example:

curl --header 'Content-Type: application/json' --request POST --data '{"name": "production", "deploy_access_levels": [{"user_id": 100 }]}' --header "PRIVATE-TOKEN: $TOKEN" "https://${GITLAB_URL}/api/v4/groups/26/protected_environments" 

{"message":["Deploy access levels is too short (minimum is 1 character)"]}

curl --header 'Content-Type: application/json' --request POST --data '{"name": "production", "deploy_access_levels": [{"user_id": 2 }]}' --header "PRIVATE-TOKEN: $TOKEN" "https://${GITLAB_URL}/api/v4/groups/26/protected_environments" 

{"message":["Deploy access levels is too short (minimum is 1 character)"]}

If you use an id of 1, it goes through:

curl --header 'Content-Type: application/json' --request POST --data '{"name": "production", "deploy_access_levels": [{"user_id": 1 }]}' --header "PRIVATE-TOKEN: $TOKEN" "https://${GITLAB_URL}/api/v4/groups/26/protected_environments"

{"name":"production","deploy_access_levels":[{"id":8,"access_level":null,"access_level_description":"Administrator","user_id":1,"group_id":null,"group_inheritance_type":0}],"required_approval_count":0,"approval_rules":[]}⏎

Note that after successfully adding the user id rule with the API, if we check the UI we encounter the same bug as Support role-base and user-base access control ... (#396991)

What is the current bug behavior?

Only a value of 1 for user_id is accepted in deploy_access_levels for the Group Protected Environments API

Creating/Updating of the protected environment will not properly return an error when incorrect user_id or group_id are passed, they will simply be ignored.

See code below https://gitlab.com/gitlab-org/gitlab/blob/vshushlin%2Fprotected-env-model-validation/ee/app/services/protected_environments/base_service.rb#L34:


    def execute
      container.protected_environments.create(sanitized_params).tap do |protected_environment|
        log_audit_event(protected_environment) if protected_environment.persisted?
      end
    end

    def execute(protected_environment)
      protected_environment.update(sanitized_params)
    end

    def sanitized_params
      params.dup.tap do |sanitized_params|
        SANITIZABLE_KEYS.each do |key|
          next unless sanitized_params.has_key?(key)

          sanitized_params[key] = filter_valid_authorizable_attributes(sanitized_params[key])
        end
      end
    end

    def valid_attribute?(attribute)
      # If it's a destroy request, any group/user IDs are allowed to be passed,
      # so that users who are no longer project members can be removed from the access list.
      # `has_destroy_flag?` is defined in `ActiveRecord::NestedAttributes`.
      return true if ProtectedEnvironments::DeployAccessLevel.new.send(:has_destroy_flag?, attribute) # rubocop:disable GitlabSecurity/PublicSend

      return false if attribute[:group_id].present? && qualified_group_ids.exclude?(attribute[:group_id])
      return false if attribute[:user_id].present? && qualified_user_ids.exclude?(attribute[:user_id])

      true
    end

All invalid attributes are just filtered out, so API simply ignores these parameters instead of communicating the error to the end-user.

What is the expected correct behavior?

Any valid value of for user_id is accepted in deploy_access_levels for the Group Protected Environments API

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

# sudo gitlab-rake gitlab:env:info

System information
System:		Ubuntu 22.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.7p221
Gem Version:	3.1.6
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.8
Sidekiq Version:6.5.7
Go Version:	unknown

GitLab information
Version:	15.9.3-ee
Revision:	d3356768b48
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	13.8
URL:		https://1.k.git2.cyou
HTTP Clone URL:	https://1.k.git2.cyou/some-group/some-project.git
SSH Clone URL:	git@1.k.git2.cyou:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers:

GitLab Shell
Version:	14.17.0
Repository storages:
- default: 	unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check

Expand for output related to the GitLab application check

# sudo gitlab-rake gitlab:check SANITIZE=true Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.17.0 ? ... OK (14.17.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Cable config exists? ... yes Resque config exists? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet) Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither initscript nor systemd units) Projects have namespace: ... 2/1 ... yes 12/2 ... yes 12/3 ... yes 13/4 ... yes 13/5 ... yes 13/6 ... yes 14/7 ... yes 14/8 ... yes 15/9 ... yes 15/10 ... yes 15/11 ... yes 26/12 ... yes 1/13 ... yes 26/16 ... yes 26/18 ... yes 26/19 ... yes Redis version >= 6.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.7) Git user has default SSH configuration? ... yes Active users: ... 11 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled) All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖