Allow project developers to read runners

What does this MR do and why?

This MR adjusts the Ci::RunnerPolicy to allow users to read runners (:read_runner) and runner managers (:read_runner_manager) associated with projects on which they are developers, either directly or indirectly.

Fixes #424239 (closed)

Changelog: fixed

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

The goal will be to create a runner on a project (gitlab-org/gitlab-test) on which a user (@gudrun.boehm) is not directly a maintainer. This is currently not allowed on master.

  1. As root on your local GDK (http://gdk.test:3000/)
  2. Create a group, e.g. maintainers (http://gdk.test:3000/groups/new)
  3. Add @gudrun.boehm to the maintainers group with maintainer permissions (click Invite members in http://gdk.test:3000/groups/maintainers/-/group_members?sort=last_joined)
  4. Add the maintainers group with maintainer permissions to the gitlab-org/gitlab-test project in its admin area (click Invite group in http://gdk.test:3000/gitlab-org/gitlab-test/-/project_members)
  5. Impersonate @gudrun.boehm (http://gdk.test:3000/admin/users/gudrun.boehm)
  6. Go to the Runners section in Settings > CI/CD (http://gdk.test:3000/gitlab-org/gitlab-test/-/settings/ci_cd)
  7. Click on New project runner
  8. Click on Run untagged jobs (otherwise you'll have to enter some tags)
  9. Click on Create runner

You should see a "Runner created." message.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pedro Pombeiro
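
The authorization rule described above (read access through direct or indirect project membership), sketched as an added example; this is not code from the MR and not GitLab's Ci::RunnerPolicy. The structs, method names and the `include_invited_groups` switch are hypothetical, the sample data is constructed from the validation steps, and capping an invited group's members at the invitation's role is an assumption of this model.

```ruby
# Added illustration only. Access levels use GitLab's numeric role values.
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40

Group   = Struct.new(:path, :members)                  # members: { username => level }
Project = Struct.new(:path, :members, :invited_groups) # invited_groups: [[Group, level_cap]]
Runner  = Struct.new(:description, :projects)

# Highest level the user holds on the project. Direct membership always counts;
# membership inherited through invited groups counts only when requested, so the
# two behaviours can be compared side by side.
def effective_access(user, project, include_invited_groups: true)
  levels = [project.members.fetch(user, 0)]
  if include_invited_groups
    project.invited_groups.each do |group, cap|
      # Assumption: the invitation caps what the group's members receive.
      levels << [group.members.fetch(user, 0), cap].min
    end
  end
  levels.max
end

# A runner is readable when the user is at least a developer on any project
# the runner is associated with.
def can_read_runner?(user, runner, include_invited_groups: true)
  runner.projects.any? do |project|
    effective_access(user, project, include_invited_groups: include_invited_groups) >= DEVELOPER
  end
end

# Constructed sample data mirroring the validation steps: the user belongs to
# the "maintainers" group, and only the group is invited to the project.
MAINTAINERS  = Group.new("maintainers", { "gudrun.boehm" => MAINTAINER })
GITLAB_TEST  = Project.new("gitlab-org/gitlab-test", {}, [[MAINTAINERS, MAINTAINER]])
TEST_RUNNER  = Runner.new("project runner", [GITLAB_TEST])

# Same group invited with a reporter cap: membership exists but is too weak.
CAPPED       = Project.new("capped-project", {}, [[MAINTAINERS, REPORTER]])
CAPPED_RUNNER = Runner.new("capped runner", [CAPPED])

if __FILE__ == $PROGRAM_NAME
  puts can_read_runner?("gudrun.boehm", TEST_RUNNER)
  puts can_read_runner?("gudrun.boehm", TEST_RUNNER, include_invited_groups: false)
  puts can_read_runner?("gudrun.boehm", CAPPED_RUNNER)
end
```

A policy spec for this kind of change should cover both the indirect-member case and the capped-invitation case, since a check that widens read access must not also admit users whose inherited role is below developer.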