Improving access control model for GitLab Observability UI
What does this MR do and why?
We want to replicate the access control model from GitLab Observability Backend on the GitLab side. The backend currently derives a Grafana role from the group membership access level like this:
```go
package observability

import gitlab "github.com/xanzy/go-gitlab" // assumed import; the excerpt does not show it

// Grafana role names used below (assumed constants; not part of the excerpt).
const (
	GrafanaAdmin  = "Admin"
	GrafanaEditor = "Editor"
	GrafanaViewer = "Viewer"
)

// GrafanaRoleFromGroupAccessLevel maps a GitLab group membership access_level to a Grafana role.
func GrafanaRoleFromGroupAccessLevel(groupAccessLevel gitlab.AccessLevelValue) string {
	if groupAccessLevel >= gitlab.MaintainerPermissions {
		return GrafanaAdmin
	}
	if groupAccessLevel >= gitlab.DeveloperPermissions {
		return GrafanaEditor
	}
	return GrafanaViewer
}
```
This results in:
- Guests should not be able to view the Observability tab
- Datasources are restricted to the Admin role
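To make the resulting model concrete on the GitLab (Ruby) side, here is an added example that is not part of this MR and not GitLab's own code. It mirrors the Go mapping above and encodes the two outcomes listed (guests cannot see the tab, datasources are admin-only), plus the feature flag gate the MR mentions. The access level integers follow GitLab's conventional values (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50); the module name, the `:viewer` threshold at Reporter and the `feature_enabled:` keyword are assumptions for illustration.

```ruby
# Added example, not code from the MR or from GitLab. It sketches the access
# model described above: Grafana role derived from the group access level,
# guests excluded from the Observability tab, datasources restricted to admins,
# everything gated on the feature flag.
module ObservabilityAccess
  # Assumed access level values (matching GitLab's usual Gitlab::Access numbers).
  NO_ACCESS  = 0
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50

  # Mirrors the Go GrafanaRoleFromGroupAccessLevel function:
  # Maintainer and above => admin, Developer => editor, everyone else => viewer.
  def self.grafana_role(access_level)
    return :admin  if access_level >= MAINTAINER
    return :editor if access_level >= DEVELOPER
    :viewer
  end

  # Guests (and non-members) must not see the Observability tab at all, so the
  # tab requires at least Reporter (assumed threshold). Everything is also
  # hidden while the feature flag is off.
  def self.can_view_observability?(access_level, feature_enabled: true)
    feature_enabled && access_level >= REPORTER
  end

  # Datasource management is restricted to the admin role, on top of being
  # allowed to view the tab in the first place.
  def self.can_manage_datasources?(access_level, feature_enabled: true)
    can_view_observability?(access_level, feature_enabled: feature_enabled) &&
      grafana_role(access_level) == :admin
  end

  # Convenience summary for one membership, handy when writing policy specs.
  def self.permissions_for(access_level, feature_enabled: true)
    {
      role: grafana_role(access_level),
      view_tab: can_view_observability?(access_level, feature_enabled: feature_enabled),
      manage_datasources: can_manage_datasources?(access_level, feature_enabled: feature_enabled)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample memberships to show the resulting matrix.
  { 'guest' => ObservabilityAccess::GUEST,
    'reporter' => ObservabilityAccess::REPORTER,
    'developer' => ObservabilityAccess::DEVELOPER,
    'maintainer' => ObservabilityAccess::MAINTAINER }.each do |name, level|
    puts "#{name}: #{ObservabilityAccess.permissions_for(level)}"
  end
end
```

The point of splitting `can_view_observability?` from `grafana_role` is that the Grafana role alone does not express the "guest gets nothing" rule: a guest still maps to `:viewer` in the Go mapping, so the tab visibility check needs its own threshold rather than being derived from the role.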
In addition to the above, I've also simplified the CSP logic to only check whether the feature flag is enabled, as discussed in this thread.
Note: some of the APIs added to the GitLab::Observability lib are made public because they are used by a follow-up MR, !112021 (merged).
This feature is still behind a feature flag. See [Feature flag] Integrate Observability UI navig... (#381740 - closed)
Screenshots or screen recordings
NA
How to set up and validate locally
- Set up GDK with GOUI: https://gitlab.com/gitlab-org/opstrace/opstrace-ui/-/blob/main/contribute/developer-guide.md#local-gdk
- Visit a group as a user who is not a maintainer of that group and note that the "Datasource" tab is not enabled.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Peter Leitzen