Allow top-level group owners to create SA
What does this MR do and why?
This MR implements the Setting to allow group owners to create Service Accounts on Self-Managed, so that top-level group owners can create Service Accounts on SM instances. A new Application Setting ie Admin Setting is created called "Allow top-level group owners to create Service Accounts" which is by default false. When activated, top-level group owners can create Service Accounts under Service Account Creation endpoint in Groups API and also delete Service Accounts that were created under same Group Endpoint.
With that the same settings also gets introduced in GitLab.com. Moving forward GitLab.com will have "Allow top-level group owners to create Service Accounts" setting by default enabled, whilist Self-Managed will have this setting by default disabled and give the admins the chance to decide. As a result a feature flag to derisk the change in GitLab.com gets introduced. Upon activation of the FF, application setting will take effect in GitLab.com, which would enable to cleanup later special GitLab.com checks in code together with the FF
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
-
Documentation Update MR to follow
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
| Screen_Recording_2024-08-26_at_08.48.05 |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
You need an admin user and a non-admin user to test.
- In a self-managed instance, add a non-admin user as owner to a top-level group
- Create a personal access token for the given owner user
- Try creating a service account with access token of user using the groups endpoint and confirm it returns
400 Bad request. Here is the curl command and response example.
curl --request POST --header "PRIVATE-TOKEN: $TOKEN" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"message":"400 Bad request - User does not have permission to create a service account in this namespace."- With an admin user go to Settings -> General -> Account and Limit -> Service Account creation and check
Allow top-level group owners to create Service accounts.and pressSave changes. Alternatively update the application settings with an admin token like
curl --request PUT --header "PRIVATE-TOKEN: $ADMIN_TOKEN" "http://$GITLAB_URL/api/v4/application/settings?allow_top_level_group_owners_to_create_service_accounts=true"- Try recreating a service account with same operation and access token from step 3 and verify that it works
curl --request POST --header "PRIVATE-TOKEN: $TOKEN"" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"id":72,"username":"service_account_group_33_556ae685b8ecb97bf23fcc8155cb7697","name":"Service account user"}Related Issues
Feature Rollout Issue for GitLab.com Derisk
Merge request reports
Activity
assigned to @eakca1
added pipelinetier-3 pipeline:run-e2e-omnibus-once labels
Resolved by 🤖 GitLab Bot 🤖Proper labels assigned to this merge request. Please ignore me.
👋 @eakca1- please see the following guidance and update this merge request.1 Error ❌ Please add typebug typefeature, or typemaintenance label to this merge request. Edited by 🤖 GitLab Bot 🤖
- A deleted user
added backend database databasereview pending frontend labels
3 Warnings ⚠ This merge request is quite big (937 lines changed), please consider splitting it into multiple merge requests. ⚠ 1e324eb0: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines. ⚠ 75ad88f0: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines. 1 Message 📖 This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge. Documentation review
The following files require a review from a technical writer:
-
doc/administration/settings/account_and_limit_settings.md(Link to current live version) -
doc/security/hardening_nist_800_53.md(Link to current live version) -
doc/user/profile/service_accounts.md(Link to current live version)
The review does not need to block merging this merge request. See the:
-
Metadata for the
*.mdfiles that you've changed. The first few lines of each*.mdfile identify the stage and group most closely associated with your docs change. - The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
Category Reviewer Maintainer backend @jwanjohi
(UTC+1)@alipniagov (UTC+2)database @alexpooley (UTC+8)@Quintasan (UTC+2)frontend @nradina (UTC+2)@shampton (UTC-7)groupauthorization Reviewer review is optional for groupauthorization @alexbuijs (UTC+2)Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the
🔁 danger-reviewjob that generated this comment.Generated by
🚫 DangerEdited by Ghost User-
added typefeature label
added groupauthentication label
added devopsgovern sectionsec labels
added 1466 commits
-
b517bcdc...534fde78 - 1465 commits from branch
master - 5247b11f - Rebase db migration
-
b517bcdc...534fde78 - 1465 commits from branch
E2E Test Result Summary
allure-report-publishergenerated test report!e2e-test-on-gdk:
✅ test report for 82d02ed3expand test summary
+------------------------------------------------------------------+ | suites summary | +-------------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +-------------+--------+--------+---------+-------+-------+--------+ | Create | 34 | 0 | 2 | 0 | 36 | ✅ | | Plan | 38 | 0 | 0 | 0 | 38 | ✅ | | Govern | 32 | 0 | 0 | 0 | 32 | ✅ | | Data Stores | 2 | 0 | 0 | 0 | 2 | ✅ | | Verify | 4 | 0 | 0 | 0 | 4 | ✅ | | Monitor | 4 | 0 | 0 | 0 | 4 | ✅ | | Secure | 4 | 0 | 0 | 0 | 4 | ✅ | +-------------+--------+--------+---------+-------+-------+--------+ | Total | 118 | 0 | 2 | 0 | 120 | ✅ | +-------------+--------+--------+---------+-------+-------+--------+e2e-package-and-test:
✅ test report for 5247b11fexpand test summary
+-------------------------------------------------------------+ | suites summary | +--------+--------+--------+---------+-------+-------+--------+ | | passed | failed | skipped | flaky | total | result | +--------+--------+--------+---------+-------+-------+--------+ | Govern | 107 | 0 | 6 | 0 | 113 | ✅ | | Create | 270 | 0 | 34 | 0 | 304 | ✅ | +--------+--------+--------+---------+-------+-------+--------+ | Total | 377 | 0 | 40 | 0 | 417 | ✅ | +--------+--------+--------+---------+-------+-------+--------+Edited by Ghost Userremoved pipeline:run-e2e-omnibus-once label
added 1 commit
- 5cf4dcea - Allow top level group owners to create SA in SM
added 1 commit
- 9653cc25 - Allow top level group owners to create SA in SM
added 1 commit
- 99bc283c - Allow top level group owners to create SA in SM
added 1 commit
- b8350f3a - Allow top level group owners to create SA in SM
added 176 commits
-
b8350f3a...94f71cc5 - 175 commits from branch
master - 124fb5a3 - Allow top level group owners to create SA in SM
-
b8350f3a...94f71cc5 - 175 commits from branch
