Add "manage runner" scope (!153285) · Merge requests · GitLab.org / GitLab

Pedro Pombeiro requested to merge pedropombeiro/460721/2-add-manage_runner-scope into master May 16, 2024

What does this MR do and why?

This MR adds a manage_runner token scope, to enable the following runner management endpoints to be accessed with a single token. Currently, we have either the create_runner scope (which is too limited for something like the Terraform provider, which can create/update/delete a resource), or the api scope, which is too broad.

The expected/tested behaviors are as follows:

endpoint	`manage_runner` Owner token result	`manage_runner` Maintainer token result	`manage_runner` Developer token result	`create_runner` Owner token result
GET /runners/:id	✅ `200 OK` (using admin user token) ✅ `200 OK` (using group token)	✅ `200 OK` (using owner project token)	✅ `200 OK` (using group token)	✅ `"insufficient_scope"`
PUT /runners/:id	✅ `200 OK` (using owner project token)	✅ `200 OK` (using owner project token)	✅ `"403 Forbidden - No access granted"`	✅ `"insufficient_scope"`
DELETE /runners/:id	✅ `204 No Content` (using owner group token)	✅ `204 No Content` (using owner group token)	✅ `"403 Forbidden - No access granted"`	✅ `"insufficient_scope"`
GET /projects/:id/runners	✅ `200 OK` (using owner project token)	✅ `200 OK` (using owner project token)	✅ `403 Forbidden`	✅ `"insufficient_scope"`
GET /groups/:id/runners	✅ `200 OK` (using owner group token)	✅ `200 OK` (using owner group token)	✅ `403 Forbidden`	✅ `"insufficient_scope"`
POST /runners/:id/reset_authentication_token	✅ `201 Created` (using admin user token)	✅ `201 Created` (using owner project token)	✅ `"403 Forbidden - No access granted"`	✅ `"insufficient_scope"`
GET /runners	✅ `"insufficient_scope"` (using group token) ✅ `"insufficient_scope"` (using admin user token)	✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using admin user token)
GET /runners/all	✅ `"insufficient_scope"` (using group token) ✅ `"insufficient_scope"` (using admin user token)	✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using admin user token)
GET /runners/:id/jobs	✅ `200 OK` (using group token) ✅ `200 OK` (using admin user token)	✅ `"403 Forbidden - No access granted"` (using group token)	✅ `"403 Forbidden - No access granted"` (using group token)	✅ `"insufficient_scope"` (using admin user token)
POST /projects/:id/runners	✅ `"insufficient_scope"` (using project token) ✅ `"insufficient_scope"` (using admin user token)	✅ `"insufficient_scope"` (using project token) ✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using project token) - would need access to source and target projects	✅ `"insufficient_scope"` (using admin user token)
DELETE /projects/:id/runners/:runner_id	✅ `"insufficient_scope"` (using project token) ✅ `"insufficient_scope"` (using admin user token)	✅ `"insufficient_scope"` (using project token) ✅ `"insufficient_scope"` (using group token)	✅ `"insufficient_scope"` (using project token)	✅ `"insufficient_scope"` (using project token)

The following endpoints are not allowed by the new scope:

endpoint	`manage_runner` Owner token result	`manage_runner` Maintainer token result	`manage_runner` Developer token result	`create_runner` Owner token result
POST /projects/:id/runners/reset_registration_token	✅ `"insufficient_scope"` (using admin user token) ✅ `403 Forbidden` (using owner project token)	✅ `403 Forbidden` (using owner project token)	✅ `403 Forbidden` (using owner project token)	✅ `"insufficient_scope"` (using project token)
POST /groups/:id/runners/reset_registration_token	✅ `"insufficient_scope"` (using admin user token) ✅ `403 Forbidden` (using owner group token)	✅ `403 Forbidden` (using owner group token)	✅ `403 Forbidden` (using owner group token)	✅ `"insufficient_scope"` (using group token)

Closes #460721 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Set up a new PAT in http://gdk.test:3000/-/user_settings/personal_access_tokens with the new manage_runner scope, and the desired user role.

Access one of the REST endpoints in the first table above, for example:

curl -X DELETE --url 'http://gdk.test:3000/api/v4/projects/3/runners/9682' --header private-token:\ $GL_PROJECT_MANAGE_RUNNER_MAINTAINER_TOKEN

You should receive the expected response from the table, and according to the documentation.

Edited May 22, 2024 by Pedro Pombeiro

Add "manage runner" scope

What does this MR do and why?

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

Merge request reports