Skip to content

create_runner reported as not sufficient to create a runner with the `POST /user/runners` endpoint

Reported in #387993 (comment 1894897899)

The feature was implemented in !124074 (merged) to only require the create_runner scope with Owner role. It seems that recently this might have been broken. Maybe due to b5047f04?

Output from declarative policy (as per procedure):

[4] pry(main)> policy.debug(:create_runner)
- [0] prevent when all?(anonymous, ~public_project) ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [0] prevent when visual_review_bot ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [7] prevent when all?(ip_enforcement_prevents_access, ~admin, ~auditor) ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [14] prevent when user_banned_from_namespace ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [21] prevent when all?(~admin, ~organization_owner, ~project_runner_registration_allowed) ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [28] prevent when all?(~public_project, ~internal_access, ~project_allowed_for_job_token) ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
- [132] enable when can?(:maintainer_access) ((@project_3_bot_1288bd4b936212d8935de46881ddd09d : Project/3))
=> #<DeclarativePolicy::Runner::State:0x000000017fe3a230
 @called_conditions=
  #<Set:
   {"/dp/condition/DeclarativePolicy::Base/anonymous/User:80",
    "/dp/condition/BasePolicy/visual_review_bot/User:80",
    "/dp/condition/BasePolicy/admin/User:80",
    "/dp/condition/BasePolicy/auditor/User:80",
    "/dp/condition/ProjectPolicy/ip_enforcement_prevents_access/Project:3",
    "/dp/condition/ProjectPolicy/user_banned_from_namespace/User:80,Project:3",
    "/dp/condition/ProjectPolicy/project_runner_registration_allowed/Project:3",
    "/dp/condition/ProjectPolicy/public_project/Project:3",
    "/dp/condition/ProjectPolicy/internal_access/User:80,Project:3",
    "/dp/condition/ProjectPolicy/project_allowed_for_job_token/User:80,Project:3",
    "/dp/condition/ProjectPolicy/maintainer/User:80,Project:3",
    "/dp/condition/ProjectPolicy/needs_new_sso_session/Project:3",
    "/dp/condition/BasePolicy/security_bot/User:80",
    "/dp/condition/BasePolicy/alert_bot/User:80",
    "/dp/condition/BasePolicy/support_bot/User:80",
    "/dp/condition/ProjectPolicy/owner/User:80,Project:3",
    "/dp/condition/ProjectPolicy/organization_owner/User:80,Project:3"}>,
 @enabled=false,
 @prevented=true>
Edited by Pedro Pombeiro