Add user_identities to JWTs used by CI/CD jobs
Problem statement
As an instance administrator, I want to ensure that shared GitLab runners are only used by users who have permission to execute on them.
Proposed solution
Add a `user_identities` field to JWT V2 payloads when the GitLab instance is configured to do so. The `user_identities` field will contain the first 5 identities stored for the user. In FOSS, each user identity in the payload will have the structure:
```json
{
  "extern_uid": "1",
  "provider": "gitlab"
}
```
In EE, each user identity will additionally have a `secondary_extern_uid` field:
```json
{
  "extern_uid": "1",
  "provider": "gitlab",
  "secondary_extern_uid": "1A"
}
```
The presence of the `user_identities` field in the JWT V2 payload will be determined by a toggle at the instance level. The toggle will default to `false`, meaning the `user_identities` field will not be present by default. The toggle value will be updatable via an API endpoint which instance administrators have permission to use.
Implementation table
Title | MR Link | Done? |
---|---|---|
Add toggle for enabling user_identities to database/models | !108477 (merged) | |
Add user_identities field to JwtV2 | !117541 (merged) | |
Add API for changing the toggle | !117874 (merged) | |
Document the new field | !118231 (merged) | |