Add policy for deleting registry tag rules
What does this MR do and why?
In this MR, we introduce and expose the new policy: destroy_container_registry_protection_tag_rule.
For tag protection rules, different access levels can delete them depending on type:
- Mutable protection rules: Maintainer+ (i.e. maintainer, owner, admin)
- Immutable protection rules: Owner+ (i.e. owner, admin)
The new policy is also used to authorize the destroy GraphQL mutation, and it is exposed in GraphQL (as a userPermissions field) for frontend consumption.
How to set up and validate locally
A. Validating the GraphQL field: destroyContainerRegistryProtectionTagRule
With different accounts, e.g. one admin and one project maintainer, run the following query:
query {
  project(fullPath: "toplevelgroup/subgroup3/project-beta") {
    name
    containerProtectionTagRules(first: 5) {
      nodes {
        id
        tagNamePattern
        minimumAccessLevelForPush
        minimumAccessLevelForDelete
        userPermissions {
          destroyContainerRegistryProtectionTagRule
        }
      }
    }
  }
}
For mutable rules, destroyContainerRegistryProtectionTagRule returns true for users who are admins, project owners, or project maintainers, and false if the user is only a developer.
For immutable rules, destroyContainerRegistryProtectionTagRule returns true only for admins and project owners; all other access levels get false.
B. Validating authorization of a protection rule
Using your admin account, create a protection rule (policy will be added in #524203 (closed)).
Now, using different accounts, try to delete the rule: deletion is allowed or denied based on your access level and the type of protection rule.
- For mutable rules, deletion is only allowed for Maintainer+
- For immutable rules, deletion is only allowed for Owner+
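As an added illustration, not code from this MR or from GitLab's DeclarativePolicy implementation, the following Ruby models the decision described above and exercised in section B: an admin always passes, otherwise the user's project access level must meet the threshold for the rule type (Maintainer+ for mutable rules, Owner+ for immutable ones). The User and TagRule structs, the immutable attribute, and the sample accounts are constructed assumptions; the numeric access levels mirror Gitlab::Access.

```ruby
# Added illustration (not GitLab's own policy code): models the
# destroy_container_registry_protection_tag_rule decision described in this MR.
# Numeric levels mirror Gitlab::Access (DEVELOPER = 30, MAINTAINER = 40, OWNER = 50).

DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# Hypothetical stand-ins for the real User and tag protection rule models.
User    = Struct.new(:name, :admin, :project_access_level, keyword_init: true)
TagRule = Struct.new(:tag_name_pattern, :immutable, keyword_init: true)

# Minimum project access level required to destroy a rule of each type.
def minimum_level_to_destroy(rule)
  rule.immutable ? OWNER : MAINTAINER
end

# The policy check: admins bypass the project access level threshold;
# everyone else must hold at least the level required for the rule type.
def can_destroy_tag_rule?(user, rule)
  return true if user.admin
  return false if user.project_access_level.nil? # no membership at all

  user.project_access_level >= minimum_level_to_destroy(rule)
end

# Shape of the userPermissions answer the GraphQL field exposes for one rule.
def user_permissions_for(user, rule)
  { destroyContainerRegistryProtectionTagRule: can_destroy_tag_rule?(user, rule) }
end

# Constructed sample accounts and rules mirroring the validation steps in section B.
ADMIN           = User.new(name: "admin",      admin: true,  project_access_level: nil)
PROJ_OWNER      = User.new(name: "owner",      admin: false, project_access_level: OWNER)
MAINTAINER_USER = User.new(name: "maintainer", admin: false, project_access_level: MAINTAINER)
DEVELOPER_USER  = User.new(name: "developer",  admin: false, project_access_level: DEVELOPER)

MUTABLE_RULE   = TagRule.new(tag_name_pattern: "v*",        immutable: false)
IMMUTABLE_RULE = TagRule.new(tag_name_pattern: "release-*", immutable: true)

if __FILE__ == $PROGRAM_NAME
  # Print the decision matrix that the GraphQL query in section A would surface.
  [ADMIN, PROJ_OWNER, MAINTAINER_USER, DEVELOPER_USER].each do |u|
    [MUTABLE_RULE, IMMUTABLE_RULE].each do |r|
      kind = r.immutable ? "immutable" : "mutable"
      puts "#{u.name.ljust(10)} #{kind.ljust(9)} -> #{user_permissions_for(u, r)}"
    end
  end
end
```

Running the file prints one line per account and rule type; the maintainer row is the one that differs between the two rule types, which is exactly the distinction the new policy introduces.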
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #521750 (closed)
