Ability to configure fine grained access controls per project
Currently, I create my entire GitLab setup using Terraform such that I have subgroups and projects. My projects publish packages into their project's package registry, and I wish to enable any project within a specific sub-group to be able to `read_packages`.
- GitLab Top Level Group
  - subgroup A
    - subgroup B
      - project 1
      - project 2
      - ....
    - subgroup C
      - project 3
      - project 4
      - ...
  - subgroup B
  - subgroup A
Via the UI, I observed that it is possible to configure granular permissions at the project level, and I tested this out such that:
- subgroup A could `read_packages` from project 1. Initially, by adding `read_packages`, it broke project 1's pipelines' ability to `write_packages` and `read_jobs` (so I had to explicitly add project 1 to itself for those permissions).
I observed that the GitLab provider currently supports `project_job_token_scope` and `project_job_token_scopes`, but both of these lack the ability to configure granular permissions.
It would be amazing to be able to configure the above permissions, because I want to ensure that a given package registry is only writable by the project that it belongs to, but can be consumed by other projects within a group. (I can see the API supports it, so I'm likely to break out to the API within Terraform for now, as all information such as `project_id` and `namespace_id` is available on `gitlab_project`.)

I'm linking the feedback issue here because I want to at least check that granular permissions are working as intended here: gitlab#519575
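As an added example (not code from the issue author or from terraform-provider-gitlab), the following Python helper builds and applies the two allowlist entries the post describes: the owning project is added to its own allowlist first, with the write and `read_jobs` policies, and only then does the consumer subgroup get read-only package access. It assumes the REST endpoints `POST /projects/:id/job_token_scope/allowlist` (body `target_project_id`, `job_token_policies`) and `POST /projects/:id/job_token_scope/groups_allowlist` (body `target_group_id`, `job_token_policies`) and the policy names shown; the post calls the write policy `write_packages`, current docs call it `admin_packages`, so that name is a parameter. The HTTP transport is injectable, and a constructed recording transport lets it run offline.

```python
"""Give one subgroup read-only access to a project's package registry while the
owning project keeps write access, through the GitLab CI/CD job token scope API.

Added example; not code from the issue author or from terraform-provider-gitlab.
Assumptions (check them against your GitLab version's REST API docs):
  POST /api/v4/projects/:id/job_token_scope/allowlist
       body: target_project_id, job_token_policies
  POST /api/v4/projects/:id/job_token_scope/groups_allowlist
       body: target_group_id, job_token_policies
  Policy names: the issue calls the write policy `write_packages`; newer docs
  use `admin_packages`, so the name is a parameter rather than hard-coded.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

Request = Tuple[str, Dict]               # (path below /api/v4, JSON body)
Transport = Callable[[str, Dict], Dict]  # sends one POST, returns parsed JSON


def plan_registry_scope(project_id: int, consumer_group_id: int,
                        write_policy: str = "admin_packages") -> List[Request]:
    """Build the two allowlist entries in the order they must be applied.

    The issue reports that adding a granular entry broke the project's own
    pipelines (write_packages / read_jobs stopped working), so the project is
    added to its own allowlist FIRST, before the read-only group entry.
    """
    self_entry: Request = (
        f"/projects/{project_id}/job_token_scope/allowlist",
        {"target_project_id": project_id,
         "job_token_policies": [write_policy, "read_jobs"]},
    )
    group_entry: Request = (
        f"/projects/{project_id}/job_token_scope/groups_allowlist",
        {"target_group_id": consumer_group_id,
         "job_token_policies": ["read_packages"]},
    )
    return [self_entry, group_entry]


def least_privilege_violations(plan: List[Request], owner_project_id: int) -> List[str]:
    """Describe every non-owner entry that carries a policy other than read_*.
    An empty list means the plan matches 'only the owning project may write'."""
    problems = []
    for path, body in plan:
        is_owner = body.get("target_project_id") == owner_project_id
        for policy in body["job_token_policies"]:
            if not is_owner and not policy.startswith("read_"):
                target = body.get("target_group_id", body.get("target_project_id"))
                problems.append(f"{path}: non-owner target {target} granted {policy}")
    return problems


def apply_plan(plan: List[Request], transport: Transport,
               owner_project_id: int) -> List[Dict]:
    """Refuse a plan that would let a consumer write, then POST each entry in order."""
    problems = least_privilege_violations(plan, owner_project_id)
    if problems:
        raise ValueError("refusing to apply plan: " + "; ".join(problems))
    return [transport(path, body) for path, body in plan]


def gitlab_transport(base_url: str, token: str) -> Transport:
    """Real transport: authenticated POST against the GitLab REST API."""
    def send(path: str, body: Dict) -> Dict:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v4{path}",
            data=json.dumps(body).encode(),
            method="POST",
            headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


def recording_transport(log: List[Request]) -> Transport:
    """Constructed offline stand-in: records each call and echoes the body back."""
    def send(path: str, body: Dict) -> Dict:
        log.append((path, body))
        return {"status": "ok", **body}
    return send


if __name__ == "__main__":
    # Constructed IDs: project 101 owns the registry, subgroup 7 consumes it.
    plan = plan_registry_scope(project_id=101, consumer_group_id=7)
    calls: List[Request] = []
    for reply in apply_plan(plan, recording_transport(calls), owner_project_id=101):
        print(json.dumps(reply))
    # Swap in gitlab_transport(base_url, token) to apply for real, for instance
    # from a Terraform local-exec provisioner fed the gitlab_project IDs.
```

The ordering matters for the failure the post describes: if the read-only group entry were applied first and the self entry second, the project's own pipelines would lose write access in the window between the two calls. The `least_privilege_violations` check is a plan-time guard so a typo such as `admin_packages` on the group entry is rejected before anything reaches the API.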