Add `admin_cicd_variables` as a custom permission
Release notes
Managing group CI/CD variables requires the Owner role, and managing project variables requires Maintainer or higher, which can lead to over-privileged users. With the release of this permission, you can create a custom role and set the permission in the API so the user can manage CI/CD variables.
Why are we doing this work
Customers would like to be able to grant the right to edit CI/CD variables at the group or project level without making the user an Owner or Maintainer of that group or project.
Relevant links
- Epic
- Developer Documentation: Implement a New Ability
- Examples:
  - Add ability to add read_code to custom roles (!106256 - merged) • Jessie Young • 15.7
  - Add ability to read_vulnerability to custom roles (!114734 - merged) • Jarka Košanová • 16.0
  - Add admin_vulnerability to custom roles (!121534 - merged) • Jarka Košanová • 16.1
  - Add ability to admin_terraform_state to custom ... (!140759 - merged) • Hinam Mehra • 16.8
  - Add Manage group access tokens custom permission (!140115 - merged) • Alex Buijs • 16.8
  - Add Remove Project custom permission (!139696 - merged) • Alex Buijs • 16.8
  - Add manage group members as custom permission (!131914 - merged) • Jarka Košanová • 16.5
Non-functional requirements
- Documentation: https://docs.gitlab.com/ee/user/custom_roles/abilities.html
- Feature flag: TBD
- Performance:
- Testing:
Implementation plan
- Run `./ee/bin/custom-ability admin_cicd_variables` to generate configuration for the new permission.
  - name: admin_cicd_variables
  - description: Manage CI/CD Variables
  - introduced_by_issue: #437947 (closed)
  - feature_category: continuous_integration
  - group_ability: true
  - project_ability: true
- Run `bundle exec rails generate gitlab:custom_roles:code --ability admin_cicd_variables`
- Add tests to `ee/spec/requests/custom_roles/admin_cicd_variables/request_spec.rb` for:
  - Groups::VariablesController
  - Projects::VariablesController
  - REST API (Project Level Variables, Group Level Variables)
  - GraphQL API
- Add rule(s) to ProjectPolicy to enable ability to allow access to create/update variables
- Add rule(s) to GroupPolicy to enable ability to allow access to create/update variables
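The allow/deny cases the request spec and policy rules above need to cover, written as a stand-alone Ruby model. This is an added example, not code from the GitLab code base: `Membership`, `can_admin_cicd_variables?`, `CASES` and `mismatches` are hypothetical names, and the model assumes a membership is a base role plus the permissions of its custom role.

```ruby
# Simplified stand-alone model (assumption): this is not GitLab's policy code.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Minimum default role the issue states for managing variables in each scope.
DEFAULT_MINIMUM = { group: :owner, project: :maintainer }.freeze

# A membership: a base role plus the custom permissions of its custom role, if any.
Membership = Struct.new(:base_role, :custom_abilities, keyword_init: true)

# Hypothetical helper: may this membership create/update CI/CD variables in `scope`?
def can_admin_cicd_variables?(membership, scope)
  minimum = DEFAULT_MINIMUM.fetch(scope) # unknown scope raises KeyError
  return false if membership.nil?        # non-members are always denied
  return true if ACCESS_LEVELS.fetch(membership.base_role) >= ACCESS_LEVELS.fetch(minimum)

  # Below the default minimum, only the custom permission grants access.
  Array(membership.custom_abilities).include?(:admin_cicd_variables)
end

# Constructed cases: [label, membership, scope, expected decision].
CASES = [
  ['non-member, project', nil, :project, false],
  ['developer, project',
   Membership.new(base_role: :developer), :project, false],
  ['developer + read_code, project',
   Membership.new(base_role: :developer, custom_abilities: [:read_code]), :project, false],
  ['developer + admin_cicd_variables, project',
   Membership.new(base_role: :developer, custom_abilities: [:admin_cicd_variables]), :project, true],
  ['maintainer, project',
   Membership.new(base_role: :maintainer), :project, true],
  ['maintainer, group',
   Membership.new(base_role: :maintainer), :group, false],
  ['maintainer + admin_cicd_variables, group',
   Membership.new(base_role: :maintainer, custom_abilities: [:admin_cicd_variables]), :group, true],
  ['owner, group',
   Membership.new(base_role: :owner), :group, true]
].freeze

# Returns the labels of cases whose computed decision differs from the expected one.
def mismatches(cases = CASES)
  cases.reject { |_, member, scope, expected| can_admin_cicd_variables?(member, scope) == expected }
       .map(&:first)
end

puts mismatches.empty? ? 'all cases match' : "mismatch: #{mismatches.join(', ')}"
```

The deny rows matter as much as the allow rows: a custom role that carries other permissions but not `admin_cicd_variables` must still be refused.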
Verification steps
TBD
Edited by Joe Randazzo