Users with roles lower than Maintainer should not be listed in the `Allowed to deploy` dropdown.
Summary
In Group-level protected environment , adding users with roles lower than Maintainer to allowed to deploy setting silently fails
Steps to reproduce
- Navigate to a group , select
settings->CI/CD->Protected environments - Click on
Protect an environmentand select theenvironment tier - Under
allowed to deploy, select two users withMaintainer&Developerrole and clickprotect -
Deployment rulesof the protected environment will list only themaintainer& not thedeveloper.
This is because the code indicates that only owners and maintainers are allowed to deploy in group-level config.
Example Project
What is the current bug behavior?
Users with roles lower than Maintainer are listed in the Allowed to deploy dropdown.
What is the expected correct behavior?
Users with roles lower than Maintainer should not be listed in the Allowed to deploy dropdown.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Implementation
- Modify
EnvironmentDropdownServiceto:- Accept the relevant project or group (either as as an argument to
#roles_hash, or setting it in an initializer for the service). - Exclude
Gitlab::Access::DEVELOPERfrom the returned list if the passed object is a group.
- Accept the relevant project or group (either as as an argument to
- Modify the project and group calling locations to pass the project/group to the service.
Activity
added typebug label
You can refer to the Features by Group handbook page for guidance.
If you are unsure about the correct group, please do not leave the issue without a group label, and refer to GitLab's shared responsibility functionality guidelines for more information on how to triage this kind of issue.
This message was generated automatically. You're welcome to improve it.
added devopsdeploy groupenvironments labels
added sectioncd label
mentioned in issue gitlab-org/quality/triage-reports#19538 (closed)
added priority2 label
mentioned in issue gitlab-org/quality/triage-reports#19653 (closed)
mentioned in issue gitlab-org/quality/triage-reports#19665 (closed)
@vidhya.h An alternative "Expected behavior" would be to allow users with "Developer" role to deploy. Why do you think that the expected behavior is the one you described?
I agree that it solves the bug, but my expectation would be that it should work with Developer too. (Moreover, I'd consider the bug a severity3 or even severity4 if Developer should not be selectable, as the simple solution is to not select a developer.
@nagyv-gitlab looking at the description of the MR that introduced this feature, it seems this was a deliberate decision:
The registrable user/group to deploy access levels are slightly different due to the conceptual differences between project and group:
- user-based:
- Project-level config: The given user must be a project member with Developer role or above.
- Group-level config: The given user must be group member with Maintainer role or above.
I would expect this to qualify as a quick win, however first I would need to understand why we went with this behaviour in the first place to be sure we aren't creating a bug somewhere else. Do you know the answer?
- user-based:
@tigerwnz How I understand this "Group-level config: The given user must be group member with Maintainer role or above." listing users with roles lower than Maintainer was never intended. What did you mean be the deliberate decision?
@nagyv-gitlab sorry, I misread your comment at the top of this discussion (I was assuming we were planning to allow Developers to be selected and deploy, instead of removing them from the list).
I think not showing Developers in the list would be a frontend change, @anna_vovchenko can you please confirm?
@anna_vovchenko The question is the same: "May I ask you to have a quick look at this to judge if it would qualify as a quick win ready for the community to pick up?"
@tigerwnz, frontend relies on the
gon.deploy_access_levelsthat is pushed here for groups and here for projects.I think it would be beneficial to push proper values from here. Do you know where the
environment_dropdown.roles_hashis initialized? Also, would it be possible to provide different values for group and project settings based on the access policies?Ah, thanks for pointing me in the right direction @anna_vovchenko! The roles hash comes from this service, which in turn reads the roles from here.
We can pass the project/group to
EnvironmentDropdownService, which can then return the correct list based on the type.-
@tigerwnz, could you please add an implementation guide? I think it's purely ruby task and can be prepared as a quick win and Seeking community contributions.
I've added an implementation plan and labelled as quick win, thanks! cc @nagyv-gitlab
mentioned in issue gitlab-org/quality/triage-reports#19802 (closed)
mentioned in issue gitlab-org/quality/triage-reports#19912 (closed)
changed milestone to %Backlog
added Category:Continuous Delivery Seeking community contributions severity4 labels and removed severity2 label
added to epic &9992
-
@nagyv-gitlab thanks for adding the Seeking community contributions label!
This issue's description does not seem to have a section for "Implementation Guide". Please consider adding one, because it makes a big difference for contributors. This section can be brief but must have clear technical guidance, like:
- Hints on lines of code which may need changing
- Hints on similar code/patterns that can be leveraged
- Suggestions for test coverage
- Ideas for breaking up the merge requests into iterative chunks
- Links to documentation (within GitLab or external) about implementation or testing guidelines, especially when working with third-party libraries
Need help? Reach out to the Contributor Success team in #contributor-success, or in Discord.
This message was generated automatically. You're welcome to improve it.
added rails label
added workflowready for development label
added quick win label
-
@tigerwnz thanks for adding the quick win label!
However, it appears that this issue does not meet all of the required criteria for the label to be applied so it has been automatically removed.
You can refer to the criteria for quick win issues documentation for an up-to-date list of the requirements.
This message was generated automatically. Improve it or delete it.
added automation:quick-win-removed label and removed quick win label
added quick win label
added co-create label
Hi @tigerwnz
PS: Wanted to ask if this code change would require any changes in the test files? I'm new to Ruby and find it a little difficult to navigate through the spec files sometimes, might need some help there
PPS: Any other information that I should keep in mind before getting started?
@guptapratibha26 awesome! Thanks for picking it up, I will assign to you.
Regarding tests, the only place you should need to change is
ee/spec/services/protected_environments/environment_dropdown_service_spec.rbto cover the new behaviour we are adding.Feel free to reach out if you need any help along the way.
@guptapratibha26 yes, let's close it. Thanks again!
assigned to @guptapratibha26
removed Seeking community contributions label
mentioned in merge request !178915 (merged)
changed milestone to %17.9
added workflowcomplete label and removed workflowready for development label
