Add global configuration option to restrict group owners to admins
Resources
PM ? | FE @mikegreiling | UX @pedroms
Current state of things
Currently, if LDAP group sync is configured and a group has LDAP group links, no group member (including owners) can override membership. No users can be added, no roles can be changed.
Gotcha 1: If an owner member temporarily disables the group links, they can add a non-LDAP user at any role and then re-add the LDAP group link. LDAP user roles and memberships will be managed as usual; however, the non-LDAP user will remain a member of the group.
Gotcha 2: An owner member can remove the LDAP group link and not re-add it. Then, owner members can add, remove or update member permissions at will.
Why we're discussing this
gitlab-org/gitlab-ee#343 plans to introduce LDAP overrides (which was a pre-8.0 feature). This has been a heated topic. We changed the behavior in 8.0 at the request of many vocal users. Now, we've seen the opposite effect - users that relied on this behavior prior to 8.0 want the overrides back.
What we realize based on the current situation outlined above is that it's really not all that restricted. The two gotchas show two ways in which group Owners can still manage membership manually. We will introduce the override feature as planned in gitlab-org/gitlab-ee#343 because it does not substantially change the security model, but now we must decide what we will do (if anything) to further restrict the model. We can optionally ship any change that comes out of this issue together with gitlab-org/gitlab-ee#343 so things are more secure.
Requirements
- Restrict group owners from managing LDAP group links
- Restrict group owners from managing LDAP member overrides
Options
- Do nothing. GitLab administrators who want to totally restrict group membership to LDAP can make themselves the sole owner(s) of every group. Then, only they can enact overrides or remove/change LDAP group links.
- Don't add a global config option but create a rake task to demote all owners and make GitLab administrators owners. (This is a less direct way to implement item 3).
- Add a global configuration option to only allow GitLab administrators to be owners of groups. This will not be retroactive so we will also have to create a Rake task or similar to demote all current group owners to masters and add GitLab administrators as group owners.
- SSOT: Add a global configuration option to restrict group owners from managing LDAP group links. This will also prevent group owners from enacting any overrides. Only GitLab administrators would be allowed to override an LDAP membership.
Specification
We'll proceed with option 4: Add a global configuration option to restrict group owners from managing LDAP group links and LDAP member overrides.
Add a setting in admin/application_settings between “Enabled Git access protocols” and the “Account and Limit Settings” section:
# LDAP group settings
[ ] Allow group owners to manage LDAP-related group settings
If checked, group owners can manage LDAP group links and LDAP member overrides (question-icon)
The question mark icon should have a tooltip “Read documentation” and link to the documentation regarding LDAP group links and permission overrides: here or here
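As an added illustration of the authorization rule option 4 encodes (this is example code, not GitLab's own implementation), the following Ruby models the decision: administrators can always manage LDAP group links and member overrides, group owners only while the global setting is enabled, and nobody else ever. The setting name `allow_owners`, the `User`/`Group` structs and the two action symbols are assumptions for the example; "manage links" is taken to cover both adding and removing a link, which is what closes both gotchas above.

```ruby
# Example authorization model for the "allow group owners to manage LDAP-related
# group settings" option. Not GitLab's code; names below are assumptions.
module LdapGroupPolicy
  OWNER  = 50
  MASTER = 40

  User  = Struct.new(:name, :admin, keyword_init: true)
  # members: { user_name => access_level }
  Group = Struct.new(:name, :members, keyword_init: true)

  # Actions that touch LDAP-managed membership. Adding and removing a
  # group link are both "manage links", so gotcha 2 is covered as well.
  GUARDED_ACTIONS = %i[manage_ldap_group_links override_ldap_membership].freeze

  # Returns true if `user` may perform `action` on `group`.
  # Admins always may; owners only when the global setting allows it.
  def self.allowed?(user:, group:, action:, allow_owners:)
    raise ArgumentError, "unknown action #{action}" unless GUARDED_ACTIONS.include?(action)
    return true if user.admin

    owner = group.members.fetch(user.name, 0) >= OWNER
    owner && allow_owners
  end

  # Decision matrix for a group, so the effect of the setting is visible at a glance:
  # { user_name => { action => allowed } }
  def self.matrix(group:, users:, allow_owners:)
    users.to_h do |u|
      decisions = GUARDED_ACTIONS.to_h do |a|
        [a, allowed?(user: u, group: group, action: a, allow_owners: allow_owners)]
      end
      [u.name, decisions]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  admin  = LdapGroupPolicy::User.new(name: "root",  admin: true)
  owner  = LdapGroupPolicy::User.new(name: "alice", admin: false)
  master = LdapGroupPolicy::User.new(name: "bob",   admin: false)
  group  = LdapGroupPolicy::Group.new(name: "engineering",
                                      members: { "alice" => 50, "bob" => 40 })
  [true, false].each do |setting|
    puts "allow_owners=#{setting}: " \
         "#{LdapGroupPolicy.matrix(group: group, users: [admin, owner, master], allow_owners: setting)}"
  end
end
```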