Change default of `restrict_user_defined_variables` to `true` behind FF
Related to: #502382
Today restrict_user_defined_variables is set to false by default, meaning that all developers are allowed to pass pipeline variables when creating pipelines. This default setting violates the least privilege principle.
What does this MR do and why?
Set restrict_user_defined_variables to true by default.
Use pipeline_variables_minimum_override_role from the root namespace settings (pipeline_variables_default_role).
Default pipeline_variables_default_role to developer in namespace settings.
Behind an FF change_namespace_default_role_for_pipeline_variables disabled by default:
- disabled -
pipeline_variables_default_role=developer - enabled -
pipeline_variables_default_role=no_one_allowed
The idea is to:
- Begin the rollout with the default developer role, enabling both restrict_user_defined_variables and pipeline_variables_minimum_override_role.
- In later milestones, use namespace migrations to enforce stricter limits, first changing the role to
maintainerand eventually tono_one_allowed.
References
Please include cross links to any resources that are relevant to this MR This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.