Add cascading settings for allow-listing integrations, displayed in instance admin only
About
This issue is part of Ability to disable integrations through admin a... (&15666); see that epic for more context.
In this iteration we will allow instance admins to allow-list integrations for the entire instance.
In a follow-up issue we will allow group owners to do the same.
The feature will be GitLab Ultimate, so in addition to checking the settings we must always check the license before allowing the settings to have any effect.
Proposal
TODO Luke to write these things up properly into the proposal:
- Look into how license checks would work at instance-admin level.
- Perhaps we need a helper method on an object that wraps the license checks.
- Probably we should just present the admin with a single "lock for entire instance" checkbox, for which the backend would keep
`allow_all_integrations` and `allowed_integrations` settings both locked.
- FE will present the options as checkboxes per integration, but the backend will be saving the data as an array in the
`allowed_integrations` setting, so the backend will need to adapt the frontend data.
Can refer to the spike MR !169687 (closed).
- Add the migrations for cascading settings from the spike MR !169687 (closed), but name the settings `allow_all_integrations` and `allowed_integrations` (see !169687 (comment 2168200639)). We'll migrate the settings into `namespace_settings` too in this iteration, but we won't be allowing group owners to set them yet.
- Update the integrations codebase to filter available integrations based on the application settings. We can refer to !169687 (closed), except that in this iteration we will always filter by application settings and never by the namespace settings. Use the spike MR as a reference only, and verify independently that the code makes sense to you before implementing.
TODO
Should mention
- Instance admins should "lock" the cascading settings if they do not want group owners to be able to override the settings. (In this iteration group owners won't be able to - but we want to instruct instance admins to correctly configure them now).
- If the instance had a certain kind of integration configured and that was active, and then it becomes blocked by their allow-list, those integrations will no longer trigger. However, if they are ever allow-listed in future, they will immediately be triggerable again.
Edited by Luke Duncalfe
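The behaviour described above, sketched as an added example that is not GitLab's code or code from the spike MR: the checkbox-to-array adaptation, the license gate, and the rule that a blocked integration stops triggering but stays configured. `InstanceSettings`, `IntegrationAllowList`, the `licensed` flag and the integration names are hypothetical, and it assumes that without a license, or with `allow_all_integrations` set, nothing is filtered.

```ruby
# Added illustration; all class and method names here are hypothetical.
# Stand-in for the instance-level settings named in the issue, plus a
# boolean representing the result of the Ultimate license check.
InstanceSettings = Struct.new(:allow_all_integrations, :allowed_integrations,
                              :licensed, keyword_init: true)

class IntegrationAllowList
  def initialize(settings)
    @settings = settings
  end

  # Adapt per-integration checkbox data from the frontend, e.g.
  # { 'jira' => true, 'slack' => false }, into the array stored in
  # allowed_integrations.
  def self.from_checkboxes(checkboxes)
    checkboxes.select { |_name, checked| checked }.keys.map(&:to_s).sort
  end

  # Assumption: the allow-list only has effect when the license check
  # passes and allow_all_integrations is off.
  def enforced?
    @settings.licensed && !@settings.allow_all_integrations
  end

  def allowed?(name)
    return true unless enforced?

    @settings.allowed_integrations.include?(name.to_s)
  end

  # Filter the list of available integrations by the instance settings.
  def filter(names)
    names.select { |name| allowed?(name) }
  end

  # A blocked integration keeps its configuration and active flag; it is
  # only prevented from triggering while it is off the allow-list.
  def triggerable?(integration)
    integration[:active] && allowed?(integration[:name])
  end
end
```

Because the check is evaluated at trigger time and the integration record is never modified, adding a name back to `allowed_integrations` makes an already active integration triggerable again immediately.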