Limiting access to Prometheus Console to specific GitLab roles
Description
Currently with the OAuth2 authentication model in GitLab, there is no way to restrict access to a specific role within GitLab. This poses a challenge for Multi-User Prometheus, as it may be worthwhile to restrict authentications through the OAuth2 Proxy to just Developers and above, or perhaps just Administrators.
The reason for this is that there could be installations of GitLab that allow anyone to sign up, like GitLab.com, or that have a very broad set of Reporters. If we were to enable these by default for all customers in a specific release, it could unknowingly cause security problems. One simple example is that we would not want access to the Prometheus console available in this manner for GitLab.com.
Proposal
Long term, we plan to have the Prometheus server that is packaged in Omnibus primarily be responsible for monitoring the GitLab server itself. Projects themselves would have their own dedicated Prometheus servers. In this deployment model, we would want the "GitLab Prometheus" server to be restricted to Administrators by default. This would allow us to be comfortable in enabling this for all customers without potentially opening up their server to attack unknowingly. Project specific Prometheus servers could then be limited to a specific role within that project, for example Developers. This provides a flexible and granular authentication model, as noted in #2, which works across both scenarios.
To accomplish this, we should:
- Add a flag in gitlab.rb to control who should have access to the system-level Prometheus server. Default is "Administrators".
- When adding a Prometheus server at the project level, ask for an access level for the console. Default is Owner.
Then, when a user is attempting to authenticate through the OAuth2 Proxy towards a specific Prometheus console, we should apply the proper role checks.
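As an added illustration (not GitLab's own code), the following Ruby models the role check described above: the system-level setting with its Administrators default, the per-project access level with its Owner default, and the allow/deny decision the OAuth2 Proxy would need before granting a session to a console. The setting names, struct shapes and sample users are assumptions.

```ruby
# Added example, not GitLab's own code: a minimal model of the role check the
# proposal describes, evaluated when the OAuth2 Proxy asks whether an
# authenticated GitLab user may reach a particular Prometheus console.
# Access-level values follow GitLab's conventions; the setting names are assumed.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30,
                  maintainer: 40, owner: 50 }.freeze

# Assumed gitlab.rb-style flag for the Omnibus (system-level) server:
# :administrators (the proposed default) or :any_signed_in_user (today's behaviour).
SYSTEM_CONSOLE_ACCESS = :administrators

SystemConsole  = Struct.new(:name)
ProjectConsole = Struct.new(:project_id, :min_role)

# A project-level console carries the access level chosen when it was added;
# the proposal's default is Owner.
def project_console(project_id, min_role = :owner)
  ProjectConsole.new(project_id, min_role)
end

# project_roles maps project_id => role symbol (e.g. 42 => :developer).
User = Struct.new(:name, :admin, :project_roles, keyword_init: true)

# Returns true only when the authenticated user satisfies the console's role
# requirement. OAuth2 alone proves identity; this is the authorization step.
def console_allows?(user, console)
  return true if user.admin # assumption: admins may reach every console
  case console
  when SystemConsole
    SYSTEM_CONSOLE_ACCESS == :any_signed_in_user
  when ProjectConsole
    role = user.project_roles[console.project_id]
    return false if role.nil? # not a member of that project at all
    ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS.fetch(console.min_role)
  else
    false # unknown console type: deny by default
  end
end

# Constructed sample users.
ADMIN = User.new(name: "root", admin: true,  project_roles: {})
DEV   = User.new(name: "dev",  admin: false, project_roles: { 42 => :developer })
GUEST = User.new(name: "new",  admin: false, project_roles: { 42 => :guest })
```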