Catalog enhancement - allow administrator to restrict users from publishing a component to a catalog

Overview

Users would like to have the option to restrict individual users (or groups of users) from publishing a component to a catalog

Problems to solve

Currently, there is no option to restrict individual users or specific user groups from publishing a component to the CI/CD Catalog. While the CI team is trying to enforce consistent workflows and guidelines for CI pipelines and components, engineers publishing their own components to the catalog may lead to unauthorized or unintended releases without a security/compliance check.

Potential Proposal

The Catalog would only show published components whose projects are on the Catalog_Component_project_allow_list and would ignore components published from other projects. An error could be raised when a user tries to publish a component from a project that is not on that list. By default, the list contains a wildcard (*), meaning every project in the instance is on the allow list. A new type of policy under policy rules could store this condition.

Additional information

  • When the setting is disabled, everyone can publish a component (default behavior)
  • When the setting is enabled, only a group of users can publish a component
  • How do we apply such a solution for both .com & self-managed?

Potential solution

Use Policies to enforce the restriction and apply it on the top level group

The policy configuration could look like the following

type: ci_component_source_policy
name: CI Component Policy
description: With this policy we will allow pipelines to run CI Components only from predefined sources.
enabled: true
restricted_sources:
  projects: # Only components from gitlab.com/project-a and my_org.com/group-a/project-1 can be run in the pipeline
  - path: gitlab.com/project-a
  - path: my_org.com/group-a/project-1
  groups: # Only components from projects under gitlab.com/group-b can be run in the pipeline
  - path: gitlab.com/group-b
policy_scope:
  compliance_frameworks:
    - id: 3

Whenever a user tries to publish a component from a project outside the restricted_sources, we should fail the pipeline and show the user an error message.
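To make the proposed rule concrete, the following is an added example of an evaluator for the policy above. It is illustration only, not GitLab code: the class name, the component address format (host/namespace/project/component@version, from which the project path is derived by dropping the last segment and the version), and the decision order (disabled policy, policy_scope by compliance framework, wildcard, project match, then group prefix match) are assumptions made for the example. The embedded policy is a constructed copy of the configuration in this proposal.

```ruby
require 'yaml'

# Constructed sample policy, mirroring the structure proposed above (not from GitLab code).
POLICY_YAML = <<~YAML
  type: ci_component_source_policy
  name: CI Component Policy
  description: Allow pipelines to run CI Components only from predefined sources.
  enabled: true
  restricted_sources:
    projects:
      - path: gitlab.com/project-a
      - path: my_org.com/group-a/project-1
    groups:
      - path: gitlab.com/group-b
  policy_scope:
    compliance_frameworks:
      - id: 3
YAML

# Hypothetical evaluator: decides whether a component source is permitted by the policy.
class ComponentSourcePolicy
  attr_reader :enabled, :projects, :groups, :framework_ids

  def initialize(policy)
    raise ArgumentError, 'unsupported policy type' unless policy['type'] == 'ci_component_source_policy'

    @enabled = policy.fetch('enabled', false)
    sources = policy['restricted_sources'] || {}
    @projects = paths_from(sources['projects'])
    @groups = paths_from(sources['groups'])
    @framework_ids = Array(policy.dig('policy_scope', 'compliance_frameworks')).map { |f| f['id'] }
  end

  def self.from_yaml(text)
    new(YAML.safe_load(text))
  end

  # The policy applies to a project when its compliance framework ids intersect the
  # policy_scope, or when the policy declares no scope at all.
  def applies_to?(project_framework_ids)
    return true if framework_ids.empty?

    (framework_ids & Array(project_framework_ids)).any?
  end

  # Returns [allowed, reason]. `project_framework_ids` are the compliance frameworks
  # of the project running the pipeline (assumption: supplied by the caller).
  def evaluate(component_path, project_framework_ids: [])
    return [true, 'policy disabled'] unless enabled
    return [true, 'project outside policy scope'] unless applies_to?(project_framework_ids)
    # A wildcard entry reproduces the proposed default: every project on the instance is allowed.
    return [true, 'wildcard allow list'] if projects.include?('*') || groups.include?('*')

    project_path = project_of(component_path)
    return [true, "#{project_path} is on the project allow list"] if projects.include?(project_path)

    group = groups.find { |g| project_path == g || project_path.start_with?("#{g}/") }
    return [true, "#{project_path} is under allowed group #{group}"] if group

    [false, "#{project_path} is not in restricted_sources; refusing to publish component"]
  end

  private

  # Assumed address format: <host>/<namespace...>/<project>/<component>@<version>.
  # Strip the version and the component segment to obtain the owning project path.
  def project_of(component_path)
    without_version = component_path.split('@').first
    without_version.split('/')[0...-1].join('/')
  end

  def paths_from(list)
    Array(list).map { |entry| entry['path'] }.compact
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = ComponentSourcePolicy.from_yaml(POLICY_YAML)
  %w[gitlab.com/project-a/lint@1.0 gitlab.com/group-b/tools/build@2.1 gitlab.com/someone/own-component@0.1].each do |c|
    allowed, reason = policy.evaluate(c, project_framework_ids: [3])
    puts "#{allowed ? 'ALLOW' : 'DENY '} #{c}: #{reason}"
  end
end
```

The group match requires the project path to equal the group or sit under it with a trailing slash, so a group entry `gitlab.com/group-b` does not accidentally admit `gitlab.com/group-bx/...`. The scope check means a project without compliance framework 3 is unaffected by this policy, which is the behaviour the `policy_scope` block suggests.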

Out of Scope for MVC

Frontend work for the UI interface

Relevant research insight

Edited by Dov Hershkovitch