Add auditor access for group runners

Kent Japhet Ballon requested to merge auditor-enable-group-cicd-runners into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Closes #357328 (closed)

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

auditor-enable-group-cicd-runners

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Switch to the master branch and visit GitLab in your browser. Log in as an admin user and attempt to visit the runners in a group at https://gitlab.example.com/groups/<GROUP>/-/runners. As an admin, you should be able to view this page.
  2. Impersonate an auditor account and attempt to visit https://gitlab.example.com/groups/<GROUP>/-/runners. As an auditor, you should see a 404. This is expected.
  3. Switch to the auditor-enable-group-cicd-runners branch.
  4. In the address bar, attempt to visit https://gitlab.example.com/groups/<GROUP>/-/runners. As an auditor, you should now be able to view this page.

Please note:

The Group CI/CD runners page also has a Register a group runner drop-down button that allows users to:

  1. See the runner installation and registration instructions.
  2. See the registration token.
  3. Reset the registration token.

As an auditor user, if you attempt to reset the registration token, you will get this error message: "The resource that you are attempting to access does not exist or you don't have permission to perform this action." This is expected because we want the auditor to have read permission only.

auditor-reset-registration-token

My MR in its current form does not consider the visibility of the "Register a group runner" button and the options under it. Moving forward, I think this can be addressed separately but it would be great to get some advice on the following:

  1. Should this button be visible in the first place?
  2. If yes, should all sections be visible or only specific ones (e.g. See the registration token)?
  3. If not, I'll probably need help on that.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Kent Japhet Ballon
