
Add :create_runner API scope

What does this MR do and why?

This MR introduces a new :create_runner scope so that admins don't need to hand out full api tokens to team members who automate the runner registration. To do this, it performs 3 actions (1 per commit):

  1. Split out relevant POST /user/runners endpoint into a new file (needed so we can easily target the endpoint with the new scope)
  2. Introduce new scope
  3. Add scope to endpoint

Closes #413040


How to set up and validate locally


  1. Visit http://gdk.test:3000/gitlab-org/gitlab-shell/-/settings/access_tokens and create a project access token with Owner role and create_runner scope:


  2. Use the generated token in the following command (replacing $GLPAT_TOKEN_WITH_CREATE_RUNNER_SCOPE):

    curl -X POST http://gdk.test:3000/api/v4/user/runners -H "private-token: $GLPAT_TOKEN_WITH_CREATE_RUNNER_SCOPE" -H 'content-type: application/json' -H 'accept: application/json, */*;q=0.5' -d '{"runner_type":"project_type","project_id":"3","description":"bot-runner","tag-list":"shell,gdk"}' | jq

    You should see a response such as:

    {"id":9307,"token":"glrt-xi1NoiaAMosxBUy9xi3G","token_expires_at":null}
  3. Try the same steps but with a read_api and an api token scope. It should fail for read_api and succeed for api. The failure for read_api will look like this:

    {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"create_runner api read_api"}
  4. Try using a different project ID with the token created for project 3. You should see

    {"message":"403 Forbidden - Insufficient permissions"}
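The validation steps above can be driven as a small scope-enforcement matrix. This is an added example, not code from the merge request or from GitLab: it assumes a GDK at http://gdk.test:3000, tokens supplied through the environment variable names below (the read_api and api variable names, and the "other project" id 4, are assumptions), and it classifies responses purely by the JSON body shapes shown in the steps.

```python
"""Check that POST /user/runners enforces the create_runner scope (added example)."""
import json
import os
import urllib.error
import urllib.request

GITLAB_URL = os.environ.get("GITLAB_URL", "http://gdk.test:3000")  # assumed GDK address


def classify(body: str) -> str:
    """Map a /user/runners response body to one of the outcomes the MR describes:
    'created' (runner registered), 'insufficient_scope' (token lacks create_runner/api),
    'forbidden' (token is valid but bound to a different project), or 'unexpected'."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "unexpected"
    if isinstance(data, dict) and "id" in data and "token" in data:
        return "created"
    if data.get("error") == "insufficient_scope":
        return "insufficient_scope"
    if "Insufficient permissions" in str(data.get("message", "")):
        return "forbidden"
    return "unexpected"


def create_runner(token: str, project_id: int, description: str = "bot-runner"):
    """POST /user/runners with the given token; returns (http_status, body)."""
    payload = {"runner_type": "project_type", "project_id": str(project_id),
               "description": description}
    req = urllib.request.Request(
        f"{GITLAB_URL}/api/v4/user/runners", data=json.dumps(payload).encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json",
                 "Accept": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 403 etc. still carry a JSON body
        return err.code, err.read().decode()


# (env var holding the token, target project id) -> outcome the MR says to expect
EXPECTED = {
    ("GLPAT_TOKEN_WITH_CREATE_RUNNER_SCOPE", 3): "created",
    ("GLPAT_TOKEN_WITH_API_SCOPE", 3): "created",            # assumed variable name
    ("GLPAT_TOKEN_WITH_READ_API_SCOPE", 3): "insufficient_scope",  # assumed variable name
    ("GLPAT_TOKEN_WITH_CREATE_RUNNER_SCOPE", 4): "forbidden",  # project 4 is a placeholder
}


def run_matrix(expected=EXPECTED) -> dict:
    """Run every case whose token is set; returns {(var, project): (got, passed)}."""
    results = {}
    for (var, project_id), want in expected.items():
        token = os.environ.get(var)
        if not token:
            continue  # case skipped when its token is not provided
        _, body = create_runner(token, project_id)
        got = classify(body)
        results[(var, project_id)] = (got, got == want)
    return results


if __name__ == "__main__":
    for key, (got, ok) in run_matrix().items():
        print("PASS" if ok else "FAIL", key, got)
```

Each successful case registers a real runner on the GDK project, so clean those up afterwards.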


Edited by Pedro Pombeiro
