Cannot update service accounts usernames with composite_identities

Related to #581050 (closed)

What does this MR do and why?

What?

  • Stops users (top-level-group owners/admins) from renaming their service accounts if it's enforced with a composite_identity.
  • Maintains the same error message at the instance & group levels.
  • Applies to both the UI & API.

Why?

Service accounts with composite identities are used by external agents and DAP flows that depend on a stable account identity (service_account.username). Renaming them post-creation could cause confusion or break integrations that depend on the account's identity and its associated agent/flow.

How to set up and validate locally

  1. Create a service account at the instance & top-level-group level.
  2. Open the Rails console & give it a composite identity (a service account user for AI generated activity):
       gdk rails console
       sa = User.find_by_name!('<insert_name>')
       sa.composite_identity_enforced = true
       sa.save!
  3. Verify that you can edit its name
  4. Checkout this MR's branch locally
  5. Verify that updating its name fails

UI

  • Verify that you get a flash notice error when you try to update its username at the instance & top-level-group level.

API

  • Run this in your terminal:
      curl -X PATCH --header "PRIVATE-TOKEN: <token>" "https://gdk.test:3443/api/v4/service_accounts/:id?username=new_name"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hakeem Abdul-Razak
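
The rule this MR describes, sketched as an added example in plain Ruby; it is not code from the MR or from GitLab. `ServiceAccount`, `UpdateServiceAccount`, the error wording and the editable `email` field are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby (no Rails). All names are hypothetical.
ServiceAccount = Struct.new(:username, :email, :composite_identity_enforced,
                            keyword_init: true)

class UpdateServiceAccount
  # One shared message so instance-level and group-level callers report the
  # same error. The wording is constructed, not GitLab's.
  RENAME_BLOCKED = 'Username cannot be changed while composite identity is enforced'

  Result = Struct.new(:ok, :error, keyword_init: true)

  # Single guard shared by every entry point (UI controller, API endpoint),
  # so the rule cannot be sidestepped by picking a different route.
  def self.call(account, params)
    new_username = params[:username]
    renaming = !new_username.nil? && new_username != account.username

    if renaming && account.composite_identity_enforced
      return Result.new(ok: false, error: RENAME_BLOCKED)
    end

    account.username = new_username if renaming
    # Assumption: fields other than the username remain editable.
    account.email = params[:email] if params.key?(:email)
    Result.new(ok: true, error: nil)
  end
end

# Constructed sample accounts: one with composite identity enforced, one without.
def demo
  agent = ServiceAccount.new(username: 'agent_bot', email: 'old@example.test',
                             composite_identity_enforced: true)
  plain = ServiceAccount.new(username: 'ci_bot', email: 'ci@example.test',
                             composite_identity_enforced: false)
  {
    blocked: UpdateServiceAccount.call(agent, { username: 'new_name' }),
    unchanged_username: UpdateServiceAccount.call(
      agent, { username: 'agent_bot', email: 'new@example.test' }
    ),
    allowed: UpdateServiceAccount.call(plain, { username: 'ci_bot_2' }),
    agent: agent,
    plain: plain
  }
end
```

Resubmitting the current username is treated as a no-op rather than a rename, so a form that always posts the username field still saves for these accounts.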
