Allow Auditors to see the pipeline editor full configuration tab
What does this MR do and why?
Allow Auditors to see the pipeline editor full configuration tab
Fixes: #357329
How to set up and validate locally
- Create a new project. Let's call the project ProjectA.
- Add a .gitlab-ci.yml to the project that includes a template. E.g.
    include:
      - template: Security/Secret-Detection.gitlab-ci.yml
- Create an Auditor user.
- Ensure the Auditor user is not a member of ProjectA.
- Log in as the Auditor user, and navigate to ProjectA.
- In the sidebar, we should now be able to navigate to CI/CD -> Pipeline Editor.
- Go to the Full configuration tab. We should be able to see the full YAML configuration.
- In the Editor tab, check we are not able to make a commit in the pipeline editor.
Note: The Validate function under the Validate tab does not work as expected, because it relies on the create_pipeline policy, which we don't want to give to the auditor user on all projects.
See different sections of the code that check for create_pipeline when trying to use that functionality:
- https://gitlab.com/gitlab-org/gitlab/-/blob/2d57e149c7b068d866cb12c0106ac8a331797d94/lib/api/lint.rb#L56
- https://gitlab.com/gitlab-org/gitlab/-/blob/2d57e149c7b068d866cb12c0106ac8a331797d94/lib/gitlab/ci/lint.rb#L47-60 and https://gitlab.com/gitlab-org/gitlab/-/blob/2d57e149c7b068d866cb12c0106ac8a331797d94/lib/gitlab/ci/pipeline/chain/validate/abilities.rb#L40-42
If this MR is merged, we should create a new issue to track fixing this at a later time.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Kenneth Chu