Allow top-level group owners to create SA (!163726) · Merge requests · GitLab.org / GitLab

Eren Akca requested to merge eakca-468806-setting-to-allow-group-owners-to-create-service-accounts-on-self-managed into master Aug 23, 2024

What does this MR do and why?

This MR implements the Setting to allow group owners to create Service Accounts on Self-Managed, so that top-level group owners can create Service Accounts on SM instances. A new Application Setting ie Admin Setting is created called "Allow top-level group owners to create Service Accounts" which is by default false. When activated, top-level group owners can create Service Accounts under Service Account Creation endpoint in Groups API and also delete Service Accounts that were created under same Group Endpoint.

With that the same settings also gets introduced in GitLab.com. Moving forward GitLab.com will have "Allow top-level group owners to create Service Accounts" setting by default enabled, whilist Self-Managed will have this setting by default disabled and give the admins the chance to decide. As a result a feature flag to derisk the change in GitLab.com gets introduced. Upon activation of the FF, application setting will take effect in GitLab.com, which would enable to cleanup later special GitLab.com checks in code together with the FF

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Documentation Update MR to follow

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After
	Screen_Recording_2024-08-26_at_08.48.05

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

You need an admin user and a non-admin user to test.

In a self-managed instance, add a non-admin user as owner to a top-level group
Create a personal access token for the given owner user
Try creating a service account with access token of user using the groups endpoint and confirm it returns 400 Bad request. Here is the curl command and response example.

curl --request POST --header "PRIVATE-TOKEN: $TOKEN" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"message":"400 Bad request - User does not have permission to create a service account in this namespace."

With an admin user go to Settings -> General -> Account and Limit -> Service Account creation and check Allow top-level group owners to create Service accounts. and press Save changes. Alternatively update the application settings with an admin token like

curl --request PUT --header "PRIVATE-TOKEN: $ADMIN_TOKEN" "http://$GITLAB_URL/api/v4/application/settings?allow_top_level_group_owners_to_create_service_accounts=true"

Try recreating a service account with same operation and access token from step 3 and verify that it works

curl --request POST --header "PRIVATE-TOKEN: $TOKEN"" "http://$GITLAB_URL/api/v4/groups/$GROUP_ID/service_accounts"
{"id":72,"username":"service_account_group_33_556ae685b8ecb97bf23fcc8155cb7697","name":"Service account user"}

Related Issues

#468806 (closed)

Feature Rollout Issue for GitLab.com Derisk

#482400 (closed)

Edited Oct 03, 2024 by Eren Akca

Allow top-level group owners to create SA