Expose duo_namespace_access_rules through application settings (!216776) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Add support for managing Duo namespace access rules for Self-managed instances via /application/settings REST API endpoint

EE: true Changelog: added

Depends on !216684 (merged)

References

https://gitlab.com/gitlab-org/gitlab/-/issues/583899+

Screenshots or screen recordings

GET sample response

GET	sample response
`curl 'http://gdk.test:3000/api/v4/application/settings' \ -H "Authorization: Bearer $GITLAB_TOKEN" \ -H 'Content-Type: application/json'`	`{ ... "duo_namespace_access_rules": [ { "namespace_id": 1000000, "namespace_name": "GitLab Duo", "namespace_path": "gitlab-duo", "access_rules": [ "duo_classic", "duo_agents" ] }, { "namespace_id": 27, "namespace_name": "Gnuwget", "namespace_path": "gnuwget", "access_rules": [ "duo_flows" ] } ] }`

curl 'http://gdk.test:3000/api/v4/application/settings' \
  -H "Authorization: Bearer $GITLAB_TOKEN" \
  -H 'Content-Type: application/json'

{
    ...
    "duo_namespace_access_rules": [
        {
            "namespace_id": 1000000,
            "namespace_name": "GitLab Duo",
            "namespace_path": "gitlab-duo",
            "access_rules": [
                "duo_classic",
                "duo_agents"
            ]
        },
        {
            "namespace_id": 27,
            "namespace_name": "Gnuwget",
            "namespace_path": "gnuwget",
            "access_rules": [
                "duo_flows"
            ]
        }
    ]
}

How to set up and validate locally

Run GDK in Self-managed mode
With the feature flag disabled: Feature.disable(:duo_access_through_namespaces, :instance)
1. Get application settings, inspect the response to verify no rules exist: duo_namespace_access_rules is []
```
curl 'http://gdk.test:3000/api/v4/application/settings' \
  -H "Authorization: Bearer $GITLAB_TOKEN" \
  -H 'Content-Type: application/json'
```

With the feature flag enabled Feature.enable(:duo_access_through_namespaces, :instance)

Add entity rules to namespace(s), inspect the response to verify rules are added: duo-namespace_access_rules is updated accordingly

curl 'http://gdk.test:3000/api/v4/application/settings' \
  -X 'PUT' \
  -H "Authorization: Bearer $GITLAB_TOKEN" \
  -H 'Content-Type: application/json' \
  --data-raw '{
    "duo_namespace_access_rules": [
      { "namespace_id": 1000000, "access_rules": ["duo_classic", "duo_agents"] }
    ]
  }'

Remove entity rules, inspect the response to verify rules have been removed: duo-namespace_access_rules is []

curl 'http://gdk.test:3000/api/v4/application/settings' \
  -X 'PUT' \
  -H "Authorization: Bearer $GITLAB_TOKEN" \
  -H 'Content-Type: application/json' \
  --data-raw '{
    "duo_namespace_access_rules": []
  }'

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #583899

Edited Dec 19, 2025 by Katherine Richards

Expose duo_namespace_access_rules through application settings

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports