Skip to content

Access runners via `admin_runners` permission

mo khan requested to merge mokhax/442851/get-runners into master

What does this MR do and why?

This change allows users that belong to a custom role with the admin_runners permission enabled to be able to view the list of runners through via their custom role membership.

#442851

Before:

SELECT "ci_runners".*
FROM (
  (
    SELECT "ci_runners".*
    FROM "ci_runners"
    INNER JOIN "ci_runner_projects" "runner_projects" ON "runner_projects"."runner_id" = "ci_runners"."id"
    WHERE "runner_projects"."project_id" = 278964
  )
  UNION
  (
    WITH "cte_namespace_ids" AS MATERIALIZED (
      SELECT "ci_namespace_mirrors"."namespace_id"
      FROM (
        (
          SELECT "ci_namespace_mirrors".*
          FROM "ci_namespace_mirrors"
          WHERE (((traversal_ids[1])) IN ((9970)))
        )
      ) ci_namespace_mirrors
    ), "cte_project_ids" AS MATERIALIZED (
      SELECT "ci_project_mirrors"."project_id"
      FROM "ci_project_mirrors"
      WHERE (
        ci_project_mirrors.namespace_id IN (
          SELECT namespace_id
          FROM cte_namespace_ids
        )
      )
    )
    SELECT "ci_runners".*
    FROM "ci_runners"
    INNER JOIN "ci_runner_projects" ON "ci_runner_projects"."runner_id" = "ci_runners"."id"
    WHERE (
      ci_runner_projects.project_id IN (
        SELECT project_id
        FROM cte_project_ids
      )
    )
  )
  UNION
  (
    WITH "cte_namespace_ids" AS MATERIALIZED (
      SELECT "ci_namespace_mirrors"."namespace_id"
      FROM (
        (
          SELECT "ci_namespace_mirrors".*
          FROM "ci_namespace_mirrors"
          WHERE (((traversal_ids[1])) IN ((9970)))
        )
      ) ci_namespace_mirrors
    )
    SELECT "ci_runners".*
    FROM "ci_runners"
    INNER JOIN "ci_runner_namespaces" ON "ci_runner_namespaces"."runner_id" = "ci_runners"."id"
    WHERE (
      ci_runner_namespaces.namespace_id IN (
        SELECT namespace_id
        FROM cte_namespace_ids
      )
    )
  )
) ci_runners
ORDER BY "ci_runners"."id" ASC
LIMIT 20
OFFSET 0
Time: 3.371 ms
  - planning: 2.934 ms
  - execution: 0.437 ms
    - I/O read: 0.000 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 3 (~24.00 KiB) from the buffer pool
  - reads: 0 from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/29724/commands/92322

After:

SELECT "ci_runners".*
FROM (
  (
    SELECT "ci_runners".*
    FROM (
      (
        SELECT "ci_runners".*
        FROM "ci_runners"
        INNER JOIN "ci_runner_projects" "runner_projects" ON "runner_projects"."runner_id" = "ci_runners"."id"
        WHERE "runner_projects"."project_id" = 278964
      )
      UNION
      (
        WITH "cte_namespace_ids" AS MATERIALIZED (
          SELECT "ci_namespace_mirrors"."namespace_id"
          FROM (
            (
              SELECT "ci_namespace_mirrors".*
              FROM "ci_namespace_mirrors"
              WHERE (((traversal_ids[1])) IN ((9970)))
            )
          ) ci_namespace_mirrors
        ), "cte_project_ids" AS MATERIALIZED (
          SELECT "ci_project_mirrors"."project_id"
          FROM "ci_project_mirrors" WHERE (
            ci_project_mirrors.namespace_id IN (
              SELECT namespace_id
              FROM cte_namespace_ids
            )
          )
        )
        SELECT "ci_runners".*
        FROM "ci_runners"
        INNER JOIN "ci_runner_projects" ON "ci_runner_projects"."runner_id" = "ci_runners"."id"
        WHERE (
          ci_runner_projects.project_id IN (
            SELECT project_id
            FROM cte_project_ids
          )
        )
      )
      UNION
      (
        WITH "cte_namespace_ids" AS MATERIALIZED (
          SELECT "ci_namespace_mirrors"."namespace_id"
          FROM (
            (
              SELECT "ci_namespace_mirrors".*
              FROM "ci_namespace_mirrors"
              WHERE (((traversal_ids[1])) IN ((9970)))
            )
          ) ci_namespace_mirrors
        )
        SELECT "ci_runners".*
        FROM "ci_runners"
        INNER JOIN "ci_runner_namespaces" ON "ci_runner_namespaces"."runner_id" = "ci_runners"."id"
        WHERE (
          ci_runner_namespaces.namespace_id IN (
            SELECT namespace_id
            FROM cte_namespace_ids
          )
        )
      )
    ) ci_runners
  )
  UNION
  (
    SELECT "ci_runners".*
    FROM "ci_runners"
    INNER JOIN "ci_runner_namespaces" ON "ci_runner_namespaces"."runner_id" = "ci_runners"."id"
    WHERE "ci_runner_namespaces"."namespace_id" = 9970
  )
  UNION
  (
    SELECT "ci_runners".*
    FROM "ci_runners"
    INNER JOIN "ci_runner_projects" ON "ci_runner_projects"."runner_id" = "ci_runners"."id"
    WHERE "ci_runner_projects"."project_id" IN (13083, 278964)
  )
) ci_runners
ORDER BY "ci_runners"."id" ASC
LIMIT 20
OFFSET 0
Time: 3.972 ms
  - planning: 3.379 ms
  - execution: 0.593 ms
    - I/O read: 0.000 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 3 (~24.00 KiB) from the buffer pool
  - reads: 0 from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/29724/commands/92323

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before:

モ curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" http://gdk.test:3000/api/v4/runners | jq '.'
[]

After:

モ curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" http://gdk.test:3000/api/v4/runners | jq '.'
[
  {
    "id": 26,
    "description": "example",
    "ip_address": null,
    "active": false,
    "paused": true,
    "is_shared": false,
    "runner_type": "project_type",
    "name": null,
    "online": null,
    "status": "stale"
  },
  {
    "id": 27,
    "description": "example",
    "ip_address": null,
    "active": false,
    "paused": true,
    "is_shared": false,
    "runner_type": "project_type",
    "name": null,
    "online": null,
    "status": "stale"
  },
  {
    "id": 32,
    "description": "",
    "ip_address": null,
    "active": true,
    "paused": false,
    "is_shared": false,
    "runner_type": "group_type",
    "name": null,
    "online": null,
    "status": "stale"
  },
  {
    "id": 39,
    "description": null,
    "ip_address": null,
    "active": true,
    "paused": false,
    "is_shared": false,
    "runner_type": "project_type",
    "name": null,
    "online": null,
    "status": "stale"
  },
  {
    "id": 40,
    "description": null,
    "ip_address": null,
    "active": true,
    "paused": false,
    "is_shared": false,
    "runner_type": "group_type",
    "name": null,
    "online": null,
    "status": "stale"
  }
]

How to set up and validate locally

  1. In rails console enable the experiment fully 
    Feature.enable(:custom_ability_admin_runners)
  2. Visit any root group
  3. Create group runners at different levels of the group hierarchy.
  4. Create project runners for different projects in and outside of the chosen group hierarchy.
  5. Create a new role role with the base role of Guest and the :admin_runners permission.
  6. Assign the role to a new user.
  7. Generate a PAT for the new user.
  8. Make a curl request to runners API 
    $ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/runners"
  9. Verify that all the expected runners are returned in the JSON response.
Edited by mo khan

Merge request reports