External authorization service
What does this MR do?
This MR allows fine grained access control to projects by requesting the information from an external service.
The this access check can be enabled by admins in settings:
When the feature is enabled all cross project pages are disabled for non-admins using a GlobalPolicy, the links are hidden:
Accessing one of the pages by entering the URL results in this error message:
For all project pages you do have access to, the label will be visible next to the breadcrumbs:
All users allowed to administer the project can set a custom classification label per project:
TODO:
-
Actually check the access against the external service -
Cache the authorization checks from the external service in redis -
Add specs for project specific pages validating project_access. Right now onlyProjectsControllerandProjects::IssuesControllerare specced. -
Port changes outside eeto CE, especially the views to avoid merge conflicts -
Check all cross project references in markdown and remove tooltips, make sure we don't call the external service when doing that. -
Go over all calls that might require authorization as you mentioned in https://canary.gitlab.com/gitlab-org/gitlab-ee/merge_requests/3709#note_53356610 & https://canary.gitlab.com/gitlab-org/gitlab-ee/merge_requests/3709#note_53356780.
Criteria
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Frontend -
Has been reviewed by Backend -
Has been reviewed by Database
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together -
Internationalization required/considered -
If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan
What are the relevant issue numbers?
Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/4216 Replaces !3709 (closed)
Edited by Bob Van Landuyt