Support admin mode on API requests
What does this MR do?
Add support for Admin Mode on API requests with Personal Access Tokens:
- Add a new token scope `admin_mode`
- Make the `sudo` scope depend on `admin_mode`
Since there are ~90 affected specs, I have broken the MR up, again using the previous approach from !28420 (merged) to conditionally filter specs in `spec_helper.rb`. We have another MR in Draft that builds on top of this one and tracks the migration: siemens/gitlab!44 (closed).
Also migrated more calls from `User#admin?` to `User#can_admin_all_resources?` so that they work properly with the API, related to #207950.
Related to #42692 (closed)
/cc @reprazent @ifarkas @mushakov @bufferoverflow @max-wittig
Extra topics
- It is possible to create an admin mode token on the admin preferences, without having to re-authenticate. Maybe that step should depend on reauthentication too at a later step?
- Concerns about compatibility of previous admin tokens: activating the admin mode setting probably makes lots of previous admin tokens not usable. A good thing, but it would need to be properly announced.
- Do OAuth tokens require some extra handling?
- I wasn't aware of geo node tokens in `ee/spec/requests/api/geo_nodes_spec.rb`; they seem unaffected by this change but would need verification.
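To make the scope design and the compatibility concern above concrete, here is an added illustration in Ruby. It is not code from this MR or from GitLab: it models an `admin_mode` token scope that gates admin behaviour on API requests, a `sudo` scope that depends on it at token creation, and the difference between a bare `User#admin?` check and a `can_admin_all_resources?`-style check once an admin-mode setting is enforced. Every class, method and setting name in it (`AppSettings`, `Token.create`, `ApiRequest`, `SCOPE_DEPENDENCIES`) is an assumption made for the example.

```ruby
# Added illustration, not code from this MR or from GitLab: a minimal model of
# how an `admin_mode` token scope gates admin behaviour on API requests, why
# `sudo` is made to depend on it, and how a bare User#admin? check differs from
# a User#can_admin_all_resources?-style check once the admin-mode setting is
# enforced. Every class, method and setting name below is an assumption made
# for the example.

# Instance-level setting (assumed): when true, being an admin is not enough on
# its own; the request itself must be in admin mode.
AppSettings = Struct.new(:admin_mode_enabled)

User = Struct.new(:username, :admin) do
  # A plain flag check: true for any admin, regardless of the request context.
  def admin?
    admin
  end
end

# Scope dependencies from the MR description: `sudo` only makes sense inside
# admin mode, so a token that asks for `sudo` must also carry `admin_mode`.
SCOPE_DEPENDENCIES = { 'sudo' => ['admin_mode'] }.freeze

class Token
  attr_reader :user, :scopes

  # Direct construction stands in for a token that already exists in the
  # database (for instance one created before the dependency was introduced).
  def initialize(user, scopes)
    @user = user
    @scopes = scopes
  end

  # Creation-time validation: reject scope sets whose dependencies are missing.
  def self.create(user, scopes)
    missing = scopes.flat_map { |s| SCOPE_DEPENDENCIES.fetch(s, []) } - scopes
    raise ArgumentError, "missing required scope(s): #{missing.join(', ')}" unless missing.empty?
    new(user, scopes)
  end
end

class ApiRequest
  def initialize(token, settings)
    @token = token
    @settings = settings
  end

  # Admin mode is active when the user is an admin and either the instance does
  # not enforce admin mode or the token explicitly carries the `admin_mode` scope.
  def admin_mode?
    return false unless @token.user.admin?
    return true unless @settings.admin_mode_enabled
    @token.scopes.include?('admin_mode')
  end

  # The check API code paths should use instead of a bare User#admin?.
  def can_admin_all_resources?
    admin_mode?
  end

  # Acting as another user needs the `sudo` scope and an admin-mode request.
  def sudo_allowed?
    @token.scopes.include?('sudo') && can_admin_all_resources?
  end
end

# Walks the compatibility concern from the MR: a pre-existing admin token with
# `api` + `sudo` keeps working while the setting is off and stops working once
# it is turned on, whereas a token re-issued with `admin_mode` keeps working.
def compatibility_demo
  admin = User.new('root', true)
  regular = User.new('dev', false)
  enforced = AppSettings.new(true)
  relaxed = AppSettings.new(false)

  legacy = Token.new(admin, %w[api sudo])            # created before this change
  reissued = Token.create(admin, %w[api admin_mode sudo])
  non_admin = Token.new(regular, %w[api admin_mode]) # scope alone grants nothing

  {
    legacy_setting_off: ApiRequest.new(legacy, relaxed).sudo_allowed?,
    legacy_setting_on: ApiRequest.new(legacy, enforced).sudo_allowed?,
    reissued_setting_on: ApiRequest.new(reissued, enforced).sudo_allowed?,
    non_admin_with_scope: ApiRequest.new(non_admin, enforced).can_admin_all_resources?,
    # Why migrating call sites matters: for the same legacy token under the
    # enforced setting, a bare admin? still says yes.
    bare_admin_check: legacy.user.admin?,
    api_admin_check: ApiRequest.new(legacy, enforced).can_admin_all_resources?
  }
end

if __FILE__ == $PROGRAM_NAME
  compatibility_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The `bare_admin_check` / `api_admin_check` pair is the reason for moving call sites off `User#admin?`: with the setting enforced, a check that only looks at the user flag would still grant admin behaviour to a legacy token that no longer qualifies for admin mode, while a request-aware check denies it.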
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team