Allow top-level group owners to create SA
What does this MR do and why?
This MR implements the Setting to allow group owners to create Service Accounts on Self-Managed, so that top-level group owners can create Service Accounts on SM instances. A new Application Setting ie Admin Setting is created called "Allow top-level group owners to create Service Accounts" which is by default false. When activated, top-level group owners can create Service Accounts under Service Account Creation endpoint in Groups API and also delete Service Accounts that were created under same Group Endpoint.
With that the same settings also gets introduced in GitLab.com. Moving forward GitLab.com will have "Allow top-level group owners to create Service Accounts" setting by default enabled, whilist Self-Managed will have this setting by default disabled and give the admins the chance to decide. As a result a feature flag to derisk the change in GitLab.com gets introduced. Upon activation of the FF, application setting will take effect in GitLab.com, which would enable to cleanup later special GitLab.com checks in code together with the FF
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
-
Documentation Update MR to follow
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
Screen_Recording_2024-08-26_at_08.48.05 |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
You need an admin user and a non-admin user to test.
- In a self-managed instance, add a non-admin user as owner to a top-level group
- Create a personal access token for the given owner user
- Try creating a service account with access token of user using the groups endpoint and confirm it returns
400 Bad request
. Here is the curl command and response example.
curl --request POST --header "PRIVATE-TOKEN: $TOKEN" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"message":"400 Bad request - User does not have permission to create a service account in this namespace."
- With an admin user go to Settings -> General -> Account and Limit -> Service Account creation and check
Allow top-level group owners to create Service accounts.
and pressSave changes
. Alternatively update the application settings with an admin token like
curl --request PUT --header "PRIVATE-TOKEN: $ADMIN_TOKEN" "http://$GITLAB_URL/api/v4/application/settings?allow_top_level_group_owners_to_create_service_accounts=true"
- Try recreating a service account with same operation and access token from step 3 and verify that it works
curl --request POST --header "PRIVATE-TOKEN: $TOKEN"" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"id":72,"username":"service_account_group_33_556ae685b8ecb97bf23fcc8155cb7697","name":"Service account user"}