
Do not allow group Owners to create Service accounts on Self-managed

What does this MR do and why?

Solves #451025 (closed)

Currently group owners are able to create service account users on Self-managed. With this MR this bug will be resolved and only admins will be allowed to create service account users on Self-managed. Group owners can still create service account users on GitLab.com.

Changelog: fixed

EE: true

How to set up and validate locally

  1. Create a personal access token as an instance admin
  2. Create a personal access token as a group owner

Try the following curl request, with your GDK setup running in self-managed mode, one by one with both tokens:

curl --request POST --header "PRIVATE-TOKEN: token_val" "https://gdk.test:3443/api/v4/groups/:group_id/service_accounts"

The request should throw an error for the group owner's token and be successful for the instance admin token.

Now try running GDK in SaaS mode (https://docs.gitlab.com/ee/development/ee_features.html) and use the same group owner token with the curl request:

curl --request POST --header "PRIVATE-TOKEN: token_val" "https://gdk.test:3443/api/v4/groups/:group_id/service_accounts"

Now the service account user should be created properly.

Edited by Bogdan Denkovych
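
The validation steps above as a repeatable check, added here as an example and not part of the merge request or GitLab's own test suite. `GITLAB_URL`, `GROUP_ID` and the function names are hypothetical, and the mapping of 2xx to "created" and 4xx to "refused" is an assumption, since the description names no exact status code.

```shell
# Added example (not from the merge request). GITLAB_URL, GROUP_ID and all
# function names are hypothetical; set the two variables before calling.

# POST to the endpoint from the MR description; print only the HTTP status.
post_service_account() {  # $1 = personal access token
  curl --silent --output /dev/null --write-out '%{http_code}' \
    --request POST --header "PRIVATE-TOKEN: $1" \
    "${GITLAB_URL}/api/v4/groups/${GROUP_ID}/service_accounts"
}

# Assumption: 2xx means the account was created, 4xx means it was refused.
# Anything else (e.g. 000 when the connection fails) is "unknown".
classify() {  # $1 = HTTP status code
  case "$1" in
    2??) echo allowed ;;
    4??) echo denied ;;
    *)   echo unknown ;;
  esac
}

# Outcomes stated in the MR description; other combinations are not covered.
expected() {  # $1 = mode (self-managed|saas), $2 = role (admin|owner)
  case "$1/$2" in
    self-managed/admin|saas/owner) echo allowed ;;
    self-managed/owner)            echo denied ;;
    *)                             echo unspecified ;;
  esac
}

# Send one request and compare the result with the expectation.
# Returns non-zero on mismatch, including "unknown" and "unspecified".
check_role() {  # $1 = mode, $2 = role, $3 = token
  cr_want=$(expected "$1" "$2")
  cr_code=$(post_service_account "$3")
  cr_got=$(classify "$cr_code")
  if [ "$cr_got" = "$cr_want" ]; then
    echo "PASS $1/$2: HTTP $cr_code ($cr_got)"
  else
    echo "FAIL $1/$2: HTTP $cr_code ($cr_got), expected $cr_want"
    return 1
  fi
}

# Usage with GDK in self-managed mode (tokens from steps 1 and 2):
#   GITLAB_URL=https://gdk.test:3443; GROUP_ID=<group id>
#   check_role self-managed admin "$ADMIN_TOKEN"
#   check_role self-managed owner "$OWNER_TOKEN"
# Then restart GDK in SaaS mode and run: check_role saas owner "$OWNER_TOKEN"
```

A `FAIL self-managed/owner` line with a 2xx status is the regression this merge request fixes, so the check is worth keeping in any upgrade smoke test for a self-managed instance.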
