Support admin mode on API requests

Diego Louzán requested to merge siemens/gitlab:feat/admin-mode-for-api into master

What does this MR do?

Add support for Admin Mode on API requests with Personal Access Tokens:

  • Add a new token scope admin_mode
  • Make sudo scope depend on admin_mode

Since there are ~90 affected specs, I have broken up the MR, again using the previous approach from !28420 (merged), to conditionally filter specs in spec_helper.rb. We have another MR in Draft that builds on top of this one and tracks the migration: siemens/gitlab!44 (closed).

Also migrated more calls from User#admin? to User#can_admin_all_resources? so that they work properly with the API, related to #207950.

🛠 with at Siemens

Related to #42692 (closed)

/cc @reprazent @ifarkas @mushakov @bufferoverflow @max-wittig

Extra topics

  • It is possible to create an admin mode token in the admin preferences without having to re-authenticate. Maybe that step should depend on re-authentication too at a later stage?
  • Concerns about compatibility of previous admin tokens: activating the admin mode setting probably makes lots of previous admin tokens unusable. A good thing, but it would need to be properly announced.
  • Do OAuth tokens require some extra handling?
  • I wasn't aware of geo node tokens in ee/spec/requests/api/geo_nodes_spec.rb; they seem unaffected by this change but would need verification.

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
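As an added illustration of the authorization rules this MR describes (a new admin_mode token scope, sudo depending on admin_mode, and User#can_admin_all_resources? replacing bare User#admin? checks), the following is a deliberately simplified Ruby model written for this page; it is not GitLab's own code, and the User/Token structs, scope names other than admin_mode and sudo, and the admin_mode_enabled flag are assumptions. It also shows the compatibility point from the description: an admin's pre-existing token without the admin_mode scope loses admin capability once the setting is switched on.

```ruby
# Hypothetical model of admin-mode-aware token authorization (not GitLab code).
User  = Struct.new(:username, :admin, keyword_init: true) do
  def admin?
    admin
  end
end

# A personal access token: its owner plus the scopes it was created with.
Token = Struct.new(:owner, :scopes, keyword_init: true)

# Assumed scope list; admin_mode and sudo are the ones discussed in the MR.
VALID_SCOPES = %w[api read_api admin_mode sudo].freeze

# Enforce the dependency "sudo requires admin_mode" at token creation time.
def validate_scopes(scopes)
  unknown = scopes - VALID_SCOPES
  raise ArgumentError, "unknown scopes: #{unknown.join(', ')}" unless unknown.empty?
  if scopes.include?("sudo") && !scopes.include?("admin_mode")
    raise ArgumentError, "sudo scope requires admin_mode scope"
  end
  scopes
end

# Replacement for a bare user.admin? check on API requests:
# when the admin mode setting is enabled, being an admin is not enough,
# the presenting token must also carry the admin_mode scope.
def can_admin_all_resources?(user, token:, admin_mode_enabled:)
  return false unless user.admin?
  return true unless admin_mode_enabled
  token.owner == user.username && token.scopes.include?("admin_mode")
end

# sudo (acting as another user) needs the sudo scope and an admin-mode-valid token.
def sudo_allowed?(user, token:, admin_mode_enabled:)
  token.scopes.include?("sudo") &&
    can_admin_all_resources?(user, token: token, admin_mode_enabled: admin_mode_enabled)
end

# Constructed sample data for a stand-alone run.
ROOT         = User.new(username: "root", admin: true)
DEV          = User.new(username: "dev", admin: false)
LEGACY_TOKEN = Token.new(owner: "root", scopes: validate_scopes(%w[api]))
ADMIN_TOKEN  = Token.new(owner: "root", scopes: validate_scopes(%w[api admin_mode sudo]))
```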