List all owned runners via :admin_runners permission

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Why are we doing this work

When a user is granted a role that has the admin_members permission enabled they should be considered owners for any Ci::Runner that belongs to the group/project that their membership entitles them to.

Today, users are able to list runners if one of the following conditions is satisfied:

1. They are a project maintainer. (Provides access to project runners)
2. They are a group maintainer. (Provides access to all project runners in the group)
3. They are a group owner. (Provides access to all group and project runners in the group hierarchy)

The addition of the following conditions should also provide access:

1. They have the :admin_runners permission on a project. (Provides access to project runners)
2. They have the :admin_runners permission on a group. (Provides access the group and project runners in the group hierarchy)

Relevant links

• Runner Permissions
• REST API
• Admin Runners
• Spike

Non-functional requirements

• Documentation:
• Feature flag: owned_runners_via_admin_runners
• Performance: This is a performance sensitive code path that is called frequently to view the build logs.
• Testing:

Implementation plan

• Add a GIN index to member_roles.permissions Add GIN index to member_roles.permissions (!161934 - merged) • mo khan • 17.3
• Update GET /runners to return group runners List owned runners via :admin_runners permission (!161385 - merged) • mo khan • 17.3
• Update GET /runners to return project runners

Verification steps

1. Enable the feature flag. E.g.

   Feature.enable(:custom_ability_admin_runners)

2. Visit any root group
3. Create group runners at different levels of the group hierarchy.
4. Create project runners for different projects in and outside of the chosen group hierarchy.
5. Create a new role role with the base role of Guest and the :admin_runners permission.
6. Assign the role to a new user.
7. Generate a PAT for the new user.
8. Make a curl request to runners API

   $ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/runners"

9. Verify that all the expected runners are returned in the JSON response.