[BE] Designation of a CSP group

Why are we doing this work

We want to allow a group to be designated as a CSP so that it can contain centralized policies that are applied to the whole instance.

Relevant links

Implementation plan

  • Extend application_settings with csp_namespace_id
  • Extend all_security_policy_orchestration_configurations to include the CSP level in the hierarchy
  • Update all instances of OrchestrationPolicyConfiguration#all_project_ids to include all projects in the instance when CSP is used
  • Implement sync when csp_namespace_id is changed in the Security::PolicySetting
  • Put the changes behind a feature flag. The CSP has to be set on the instance, but the feature flag can control whether a given group applies the CSP configuration.

Verification steps

  1. Use the API or the Rails console to designate a group as CSP:
    Security::PolicySetting.instance.update! csp_namespace: csp_group
  2. Create multiple top-level groups with nested sub-groups and projects
  3. Create policies of all types in the CSP group
  4. Verify that policies are shown for all projects
  5. Verify that all policy types are correctly enforced for all projects
Edited by 🤖 GitLab Bot 🤖
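
A simplified in-memory model of the hierarchy change in the implementation plan, as an added Ruby example that is not GitLab's code and not part of the original issue. The class names, the `csp_flag` field, and the assumption that the feature flag is evaluated on a project's top-level group are hypothetical.

```ruby
# Simplified in-memory model; not GitLab code. All class/field names are hypothetical.
Namespace = Struct.new(:id, :parent, :policies, :csp_flag) do
  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end

  def root
    self_and_ancestors.last
  end
end
Project = Struct.new(:id, :namespace, :policies)

class PolicyResolver
  def initialize(csp_namespace, projects)
    @csp = csp_namespace
    @projects = projects
  end

  # Ordered policy sources: CSP level, then root group down to the project.
  def sources_for(project)
    chain = project.namespace.self_and_ancestors.reverse
    prefix = csp_applies_to?(project) && !chain.include?(@csp) ? [@csp] : []
    prefix + chain + [project]
  end

  def policies_for(project)
    sources_for(project).flat_map(&:policies)
  end

  # A normal group covers its descendants; the CSP group also covers every
  # project whose top-level group has the flag on (assumed flag semantics).
  def all_project_ids(namespace)
    @projects.select do |p|
      p.namespace.self_and_ancestors.include?(namespace) ||
        (namespace == @csp && csp_applies_to?(p))
    end.map(&:id)
  end

  private

  def csp_applies_to?(project)
    !@csp.nil? && project.namespace.root.csp_flag
  end
end

# Constructed sample data mirroring the verification steps.
CSP   = Namespace.new(1, nil, ['csp-scan-execution'], true)
TOP_A = Namespace.new(2, nil, ['a-approval'], true)
SUB_A = Namespace.new(3, TOP_A, [], true)
TOP_B = Namespace.new(4, nil, [], false) # flag off for this group
PROJECTS = [Project.new(10, SUB_A, ['p10-local']), Project.new(11, TOP_B, [])].freeze
RESOLVER = PolicyResolver.new(CSP, PROJECTS)
```

The flag-off group is the case worth checking during verification: its projects must receive no CSP policies while still receiving their own group and project policies.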