Users with Guest role in policy project cannot run pipelines while Planners and Reporters can.

Summary

Users with the Guest role in a pipeline policy project cannot run pipelines, while users with the Planner and Reporter roles can. All three of these roles indicate that users would not have permission to execute pipelines from that project. It is unclear whether this is an issue with how the Guest role is handled by pipeline execution policies, or whether the Planner and Reporter roles have too much access.

This was first brought up by a GitLab.com GitLab Ultimate customer: the Owner of a project could not run pipelines because they were only a Guest in the pipeline policy project.

Internal Ticket: https://gitlab.zendesk.com/agent/tickets/587258

Steps to reproduce

  1. Create a project to store the pipeline policy configs, such as pipeline-policy-project.
  2. Create .gitlab-ci.yml in pipeline-policy-project; this can be the default sample config.
  3. Create a new project for the user to run pipelines in, such as user-owned-project.
  4. Assign the user the Owner role in user-owned-project.
  5. Create a pipeline execution policy which uses .gitlab-ci.yml from pipeline-policy-project.
  6. As the user, try to run a pipeline in user-owned-project while holding different roles in pipeline-policy-project:
    1. User is not a member of pipeline-policy-project:
      1. Pipeline cannot be run in user-owned-project
      2. User cannot access pipeline-policy-project
      3. Error: Pipeline execution policy error: Project 'policy-reproduction/pipeline-policy-project' not found or access denied! Make sure any includes in the pipeline configuration are correctly defined.
    2. User has the Guest role:
      1. User can access pipeline-policy-project, but cannot execute a pipeline from that project
      2. User cannot run a pipeline in user-owned-project; the same error is shown
    3. User has the Planner role:
      1. User can access pipeline-policy-project, but cannot execute a pipeline from that project
      2. User can run a pipeline in user-owned-project
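The configuration that the steps above describe, written out as an added example; this is not taken from the issue or from the customer's group. It assumes the group path policy-reproduction that appears in the error message, that the policy itself lives in the group's linked security policy project under .gitlab/security-policies/policy.yml (the issue does not say where the policy is stored), that the inject_ci strategy is used, and that the policy is left unscoped so it applies to every project in the group, including user-owned-project. The job name, image and script are placeholders.

```yaml
# File 1: .gitlab-ci.yml in policy-reproduction/pipeline-policy-project
# (the "pipeline policy configs" project from steps 1 and 2).
# Job name, image and script are placeholders for this example.
policy-enforced-job:
  stage: test
  image: alpine:latest
  script:
    - echo "running the job injected by the pipeline execution policy"

---
# File 2: .gitlab/security-policies/policy.yml in the security policy project
# linked to the policy-reproduction group (assumed location; the issue does not
# say where the policy is stored). This is the pipeline execution policy from step 5.
pipeline_execution_policy:
  - name: Enforce pipeline-policy-project CI config
    description: >-
      Inject .gitlab-ci.yml from pipeline-policy-project into the pipelines of
      every project in the group (no policy_scope, so all projects are in scope).
    enabled: true
    # inject_ci merges the included jobs with the target project's own
    # .gitlab-ci.yml; override_project_ci would replace it entirely.
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: policy-reproduction/pipeline-policy-project
          file: .gitlab-ci.yml
          ref: main
```

Note that the include in content is resolved in the context of the user who triggers the pipeline in user-owned-project, so whether the pipeline runs depends on that user's role in pipeline-policy-project, not on their Owner role in user-owned-project. Before filing a reproduction, check the user's effective membership in the policy project (Manage > Members in pipeline-policy-project, including inherited group membership), since an inherited Developer role from a parent group would mask the Guest behaviour described above.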

Example Project

Since this is Ultimate, I do not have a public group to share, but I do have my internal Ultimate group that I can add people to if necessary.

What is the current bug behavior?

I am unsure what the bug is here:

  • Projects with a pipeline policy fail if the user executing a pipeline does not have the Developer / Maintainer role in the parent policy group
  • Planner and Reporter roles are able to execute pipelines while the Guest role cannot, despite our documentation indicating they have the same level of permissions when executing pipelines.

What is the expected correct behavior?

Could go a few ways:

  • Update behavior so that users do not need to be a member of a pipeline policy project to execute pipelines in projects inheriting that policy
  • Update permissions of Planner and Reporter so they cannot run pipelines in projects inheriting that policy
  • Update documentation to state Planner and Reporter roles should have this ability

Relevant logs and/or screenshots

Example error in the UI when trying to run the pipeline as a user who has the Guest role in the pipeline policy project:

policy_project_guest_failure.png

Output of checks

This bug happens on GitLab.com

Update

After addressing #510627 (closed), the pipeline cannot be run by Planner either. I've added my findings in #508240 (comment 2269317144)

Edited by Eugenia Grieff