Introduce `read_virtual_registry` custom role ability
What does this MR do and why?
Introduces a read_virtual_registry custom role ability at the group level, allowing admins to grant virtual registry read access to users without requiring broader group membership permissions.
This enables minimal-access members with the custom role to resolve packages through virtual registries (Maven, npm, container) without needing Guest or higher access.
Key changes:
- Add `ee/config/custom_abilities/read_virtual_registry.yml` defining the custom ability
- Add custom role specs to `VirtualRegistries::Policies::GroupPolicy` and `GroupPolicy`
- Add `'virtual registry custom role read access'` shared example covering all GET endpoints across Maven, npm, and container virtual registry specs
- Add `ee/spec/requests/custom_roles/read_virtual_registry/request_spec.rb` end-to-end request spec
- Generate updated custom roles and GraphQL documentation
References
- Related to #596622
- Custom roles development guide: https://docs.gitlab.com/development/permissions/custom_roles/#how-to-add-support-for-an-ability-to-custom-roles
Screenshots or screen recordings
Not applicable — no UI changes.
How to set up and validate locally
docs => https://docs.gitlab.com/development/permissions/custom_roles/#step-5-verify-role-access & https://docs.gitlab.com/user/custom_roles/
- Enable SaaS mode: `GITLAB_SIMULATE_SAAS=1`
- Go to a top-level group you own, then Settings > Roles and permissions
- Create a new custom role with Minimal Access base level and Read virtual registry enabled
- Assign a member to this custom role on the group's Manage > Members page
- Sign in as that member and verify access:

  ```ruby
  # In rails console
  user = User.find_by(username: '<member_username>')
  group = Group.find(<group_id>)
  user.can?(:read_virtual_registry, group.virtual_registry_policy_subject) # => true
  ```

- Verify via REST API:

  ```shell
  curl --header "PRIVATE-TOKEN: <member_pat>" \
    "http://gdk.test:3000/api/v4/groups/<group_id>/-/virtual_registries/packages/maven/registries"
  # => 200 OK
  ```
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Moaz Khalifa