Update access for /runners/all API endpoint

What does this MR do and why?

  • Changed the access check for the /runners/all endpoint.
  • Previously, access was allowed only when can_admin_all_resources? was true, i.e. admin access.
  • To resolve this issue, the auth check is changed to can_read_all_resources?, which also grants auditor access in EE.
  • Updated spec/requests/api/ci/runners_spec.rb accordingly.
  • Updated the OpenAPI doc YAML.

References

Review access to /runners/all API endpoint (#464640 - closed)

How to set up and validate locally

  1. Ensure the GDK has an Ultimate license.
  2. Create a user (or change an existing user) with auditor access level.
  3. Impersonate that user, and create a Personal Access Token (http://gdk.test:3000/-/user_settings/personal_access_tokens) with read_api scope.
  4. Run curl --header "PRIVATE-TOKEN: $PAT_TOKEN" --url "http://gdk.test:3000/api/v4/runners/all"
  5. In master, you should see {"message":"403 Forbidden"}. In this branch, the request is successful and returns a list of runners.
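As an added illustration (not GitLab's code), the following Ruby snippet models the authorization change described in the bullets above and the 403-versus-200 outcome from the validation steps: the `master` behaviour gates GET /runners/all on can_admin_all_resources? (admin only), while this branch gates it on can_read_all_resources? (admin or, in EE, auditor). The User struct, the runner list and the runners_all request helper are constructed here; only the two permission-helper names come from the MR, and the token scope check that a real request would also pass through is not modeled.

```ruby
# Added illustration (not GitLab's code): models the authorization change
# described in this MR for GET /runners/all. The helper names
# can_admin_all_resources? / can_read_all_resources? follow the MR; the
# User struct, the runner list and the request helper are constructed here.

User = Struct.new(:username, :admin, :auditor, keyword_init: true) do
  # Admin access: may administer every resource on the instance.
  def can_admin_all_resources?
    admin
  end

  # Read-only access to every resource: admins and (in EE) auditors.
  # Auditors still fail can_admin_all_resources?, so write paths stay closed.
  def can_read_all_resources?
    admin || auditor
  end
end

# Constructed sample data standing in for Ci::Runner records.
RUNNERS = [
  { id: 1, description: "shared-runner-1", runner_type: "instance_type" },
  { id: 2, description: "group-runner-7", runner_type: "group_type" },
].freeze

# Simulates the endpoint. `check` selects which permission gates the request:
# :admin reproduces the behaviour on master, :read the behaviour in this branch.
def runners_all(user, check:)
  allowed =
    case check
    when :admin then user.can_admin_all_resources?
    when :read  then user.can_read_all_resources?
    else raise ArgumentError, "unknown check #{check.inspect}"
    end

  return { status: 403, body: { "message" => "403 Forbidden" } } unless allowed

  { status: 200, body: RUNNERS }
end

# Constructed users: an instance admin, an EE auditor and a regular developer.
ADMIN   = User.new(username: "root",    admin: true,  auditor: false)
AUDITOR = User.new(username: "auditor", admin: false, auditor: true)
DEV     = User.new(username: "dev",     admin: false, auditor: false)

if __FILE__ == $PROGRAM_NAME
  [[:admin, "master"], [:read, "this branch"]].each do |check, label|
    [ADMIN, AUDITOR, DEV].each do |u|
      r = runners_all(u, check: check)
      puts "#{label.ljust(11)} #{u.username.ljust(8)} -> #{r[:status]}"
    end
  end
end
```

Running the script prints one line per (check, user) pair; the auditor is the only row whose status changes between the two checks, which is exactly the observable difference step 5 describes. A regular user is denied under both checks, and the auditor gains read access only: the admin-gated helper is untouched, so nothing in this change widens write access.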

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pedro Pombeiro
