Skip to content

Support service and bot account reassignment in import user mapping

Rodrigo Tomonarirequested to merge
rodrigo/support-service-and-bot-accounts-reassignment into master

What does this MR do and why?

Support service and bot account reassignment in import user mapping

Previously, contributions could only be reassigned to human users. Now, group owners can reassign contributions to Group and Project bots and Group service accounts.

Since these users are not human and can theoretically be impersonated by group owners, the reassignment does not require confirmation and is automatically approved.

This change only modifies the backend, specifically the ReassignService, so reassignment to these users is currently only possible through API and CSV. Support via UI should be added later, as discussed in #572534.

It is important to note that instance service accounts are supported only if the reassignment is done by an administrator and admin bypass settings are enabled.

Membership for Group and Project bots has not been migrated because these users are automatically added as members of their respective groups and projects. Additionally, they cannot be members of other groups or projects.

Documentations

Technical information

Group and Project bots

  1. In the backend project and group bots use the user type project_bot
  2. As part of #498333 (closed), a bot_namespace association was added to the UserDetail model. The association stores the namespace (group or project namespace) to which the bot is connected.

Service accounts

  1. Service account is an EE feature
  2. The provisioned_by_group association in the UserDetail model stores the top-level group to which the service account is connected.

References

#537445 (closed)

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. Perform a Direct Transfer, GitHub, Bitbucket Server migrations which result in Import::SourceUsers to be created

    Github Import Example:

curl --location 'http://gdk.test:3000/api/v4/import/github' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer GITLAB_ACCESS_TOKEN' \
--data '{
    "personal_access_token": "GITHUB_ACCESS_TOKEN",
    "repo_id": "238972",    
    "target_namespace": "imported",
    "new_name": "rspec-core",
    "optional_stages": {
      "attachments_import": false,
      "collaborators_import": false
    },
    "timeout_strategy": "optimistic"
}'
  1. Once the group or project has been migrated, navigate to the top-level group where it was imported.
  2. Create some Group Service accounts
    1. Settings -> Service accounts
  3. Create a Group Access token
    1. Settings -> Access token
  4. Create a Project Access token
    1. Navigate to a project
    2. Settings -> Access token
  5. Create service accounts, group, and project access tokens for groups and projects that do not belong to the same top-level namespace.
  6. Attempt to reassign imported contributions to the users created in the steps 3, 4, 5 and 6 via GraphQL API or CSV.

Using GraphQL

  1. Navigate to GraphQL explorer - http://gdk.test:3000/-/graphql-explorer
  2. Use the following mutation to list the Import::SourceUser IDs
{
  namespace(fullPath: "imported") {
    importSourceUsers(statuses: [PENDING_REASSIGNMENT]) {
      nodes {
        id
        status
        sourceName
        placeholderUser {
          username
        }
        reassignedByUser {
          username
        }
        reassignToUser {
          username
        }
      }
    }
  }
}
  1. Select a Source User ID and replace it in the subsequent mutation. Additionally, specify the ID of the USER to whom you want to reassign the contributions.
mutation {
  importSourceUserReassign(input:{id: "gid://gitlab/Import::SourceUser/<SOURCE_USER_ID>", assigneeUserId:"gid://gitlab/User/<BOT_OR_SERVICE ACCOUNT_USER_ID>"}) {
    errors
    importSourceUser {
      id
      status
      reassignToUser {
        id
        name
        username
      }
    }
  }
}
  1. For services and bots in the top-level namespace, the mutation should succeed.

Using CSV

  1. Navigate to the top-level group where it was imported.
  2. In the Sidebar, go to Manage -> Members
  3. Select the tab Placeholders
  4. Click on Reassign with CSV file
  5. Download the template CSV
  6. In the CSV, fill in the username with the Gitlab username of the service or bot accounts
  7. Upload the CSV

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Rodrigo Tomonari

Merge request reports