Restrict access to job logs when CI_DEBUG_SERVICES is enabled

What does this MR do?

This MR restricts job log access to developers only when the CI_DEBUG_SERVICES variable is enabled. WRT controlling access to job logs, CI_DEBUG_SERVICES is treated identically to CI_DEBUG_TRACE, including using the same mechanism.

Why is this MR necessary?

Over in gitlab-runner!3680 (merged) we're adding the ability to stream service container logs to the job's main trace log (as requested in gitlab-runner#2119 (closed)). As noted in gitlab-runner!3551 (comment 1097136662), streaming the service containers' logs into the job's main trace log asynchronously has the side effect that it can circumvent the variable masking functionality. To mitigate this side effect, we'll do the same thing we do when CI_DEBUG_TRACE is enabled: restrict log access to developers only.

Note that this is a first iteration of this work; the second iteration will be #290955 (closed).

Screenshots or screen recordings

N/A

How to set up and validate locally

  • add CI_DEBUG_SERVICES = "true" to the variables section of your favourite CI configuration (or just a single job within the config is enough)
  • trigger a job run
  • attempt to access that job's log whilst not logged in (or as a user that is not a developer of the project)
  • You should see the standard

      You must have developer or higher permissions in the associated project to view job logs when debug trace
      is enabled. To disable debug trace, set the 'CI_DEBUG_TRACE' and 'CI_DEBUG_SERVICES' variables to 'false'
      in your pipeline configuration or CI/CD settings. If you need to view this job log, a project maintainer
      or owner must add you to the project with developer permissions or higher

    message. Note that the message now additionally mentions the CI_DEBUG_SERVICES variable.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Axel von Bertoldi
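
An added example, not part of the merge request or GitLab's code: a Ruby script that lists which jobs in a .gitlab-ci.yml enable CI_DEBUG_TRACE or CI_DEBUG_SERVICES, and so would have their logs restricted to developers under this change. It assumes only the value "true" enables a variable and reads YAML-defined variables only (not CI/CD settings); the helper names and the sample configuration are constructed here.

```ruby
require 'yaml'

DEBUG_VARS = %w[CI_DEBUG_TRACE CI_DEBUG_SERVICES].freeze
# Top-level keywords that are not jobs.
RESERVED = %w[stages variables default include workflow image services cache
              before_script after_script].freeze

# Variables may be written as KEY: value or KEY: { value: ..., description: ... }.
def var_value(raw)
  raw.is_a?(Hash) ? raw['value'] : raw
end

# Assumption: only the string "true" (any case) enables debug logging.
def enabled?(raw)
  var_value(raw).to_s.strip.casecmp?('true')
end

# Returns { job_name => [enabled debug variables] } for jobs whose logs
# would be restricted; job-level variables override global ones.
def restricted_jobs(yaml_text)
  config = YAML.safe_load(yaml_text, aliases: true) || {}
  global = config['variables'] || {}
  config.each_with_object({}) do |(name, job), out|
    next if RESERVED.include?(name.to_s) || name.to_s.start_with?('.') || !job.is_a?(Hash)
    effective = global.merge(job['variables'] || {})
    hits = DEBUG_VARS.select { |v| enabled?(effective[v]) }
    out[name] = hits unless hits.empty?
  end
end

# Constructed sample configuration.
SAMPLE = <<~YAML
  variables:
    CI_DEBUG_SERVICES: "true"
  build:
    script: make
  test:
    services: ["postgres:15"]
    variables:
      CI_DEBUG_SERVICES: "false"
      CI_DEBUG_TRACE: "true"
    script: make test
  lint:
    variables:
      CI_DEBUG_SERVICES: "false"
    script: make lint
YAML

restricted_jobs(SAMPLE).each { |job, vars| puts "#{job}: #{vars.join(', ')}" } if __FILE__ == $PROGRAM_NAME
```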