Include group authorized agents in allowed agents
What does this MR do?
Includes group-level authorized agents in the allowed_agents API response.
Currently an Agent can only be used by CI jobs that are running in the Agent's configuration project. However, an agent can be configured to allow access at the group level, and these groups are not currently considered when generating the list of allowed agents.
When an Agent is configured to allow access from a group, it becomes available to all projects within that group and subgroups. If a project would have access to the same Agent through multiple groups due to authorizations at multiple levels in the hierarchy, the authorization closest to the project (the lowest level) is used.
An Agent is only available if it shares a root ancestor with the requesting project (we must include this rule in the finder query in case a project/group has been moved since the agent was configured).
Screenshots or Screencasts (strongly suggested)
How to setup and validate locally (strongly suggested)
Database review
Group authorized agents aren't in use yet so there are currently no agent_group_authorizations records. Each Agent can authorize a maximum of 100 groups (and would typically authorize <10 under normal use), so the total number of records searched will usually be low.
Example query for gitlab-org/gitlab: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/6467/commands/22171
Does this MR meet the acceptance criteria?
Conformity
- [-] I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- [-] I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- [-] I have tested this MR in all supported browsers, or it's not needed.
- [-] I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related to #323708 (closed)
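The group authorization rules in the description above (access through a group or any of its subgroups, the lowest-level authorization winning, and the shared root ancestor check), sketched as an added Ruby example over an in-memory hierarchy. This is not code from the MR or from GitLab; the struct names, the `level` field and the sample groups are assumptions made for illustration, and agents in the project's own configuration project are out of scope here.

```ruby
# Added illustration: an in-memory model, not GitLab's finder, schema or API.
Group = Struct.new(:name, :parent) do
  # This group first, then each ancestor up to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end

  def root
    self_and_ancestors.last
  end
end
Project = Struct.new(:name, :group)
Agent = Struct.new(:name, :config_project)
# `level` is a constructed label so authorizations can be told apart.
GroupAuthorization = Struct.new(:agent, :group, :level)

# Returns { agent name => winning authorization } for one project.
def group_authorized_agents(project, authorizations)
  chain = project.group.self_and_ancestors # nearest group first
  best = {}
  authorizations.each do |auth|
    distance = chain.index { |g| g.equal?(auth.group) }
    next if distance.nil? # authorized group is not above this project
    # Root-ancestor rule: drop authorizations left behind by a move.
    next unless auth.agent.config_project.group.root.equal?(chain.last)
    current = best[auth.agent.name]
    best[auth.agent.name] = [distance, auth] if current.nil? || distance < current[0]
  end
  best.transform_values { |pair| pair.last }
end

# Constructed sample hierarchy: acme > platform > team, plus a separate root.
ACME = Group.new("acme", nil)
PLATFORM = Group.new("platform", ACME)
TEAM = Group.new("team", PLATFORM)
OTHER = Group.new("other", nil)
PROD = Agent.new("prod-agent", Project.new("cluster-config", PLATFORM))
MOVED = Agent.new("moved-agent", Project.new("old-config", OTHER))
AUTHS = [
  GroupAuthorization.new(PROD, ACME, "acme"),
  GroupAuthorization.new(PROD, TEAM, "team"),
  GroupAuthorization.new(MOVED, TEAM, "team")
]
```

For a project in `team`, the `team` authorization for `prod-agent` wins over the one on `acme`, and `moved-agent` is excluded because its configuration project now sits under a different root.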