
Allow adding service accounts to LDAP-synced groups

What does this MR do and why?

See 425947 for details.

Allows adding service account users to groups even when LDAP sync is enabled. To do this, we make some major changes:

  • Add a new permission: :admin_service_account_members; this way we can check for group admin permissions even when those have been mostly disabled by setting the group to LDAP syncing
  • Check the new permission in group-member create & destroy services, only when the user specified by the membership is a service account
  • Remove multiple layers of duplicative permission checking from the API and group-member create services
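A minimal stand-alone model of the rule these bullets describe, added here as an illustration and not GitLab's own policy or service code: the class and struct names, and the use of :admin_group_member as the regular manage-members ability, are assumptions.

```ruby
# Hypothetical model of the authorization rule: owners of an LDAP-synced group
# lose the regular manage-members ability, but keep a narrower ability that
# applies only when the target of the membership is a service account.
User  = Struct.new(:name, :service_account, keyword_init: true)
Group = Struct.new(:name, :ldap_synced, :owners, keyword_init: true)

class MembershipAuthorizer
  def initialize(actor, group)
    @actor = actor
    @group = group
  end

  def can?(ability)
    case ability
    when :admin_group_member               # assumed name for the regular ability
      owner? && !@group.ldap_synced        # disabled once membership is LDAP-managed
    when :admin_service_account_members    # the new permission from this MR
      owner?                               # stays available on LDAP-synced groups
    else
      false
    end
  end

  # What the group-member create and destroy services would check: the new
  # permission is consulted only when the membership's user is a service account.
  def allowed_to_manage?(target)
    if target.service_account
      can?(:admin_service_account_members)
    else
      can?(:admin_group_member)
    end
  end

  private

  def owner?
    @group.owners.include?(@actor)
  end
end

# Constructed sample data (not real accounts or groups).
OWNER      = User.new(name: "alice",  service_account: false)
BOT        = User.new(name: "ci-bot", service_account: true)
HUMAN      = User.new(name: "bob",    service_account: false)
LDAP_GROUP = Group.new(name: "sub",   ldap_synced: true,  owners: [OWNER])
PLAIN_GROUP = Group.new(name: "top",  ldap_synced: false, owners: [OWNER])

def manage_member?(actor, group, target)
  MembershipAuthorizer.new(actor, group).allowed_to_manage?(target)
end
```

Running it shows the owner can add the service account to the LDAP-synced sub-group but still cannot add an ordinary user there, and a non-owner gets neither.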

TODOs and open questions:

  • Add more robust testing for all layers, if this approach is deemed feasible
  • Will service accounts be removed from groups by the LDAP sync background job? Based on my reading of this line in the group sync service, and some testing locally, it appears service accounts are left alone when a group syncs members to LDAP groups
  • Do we need to ensure that service account memberships can be updated / deleted by group owners? Or should this be a separate MR? Based on local testing, group owners can adjust permissions of non-LDAP members.
  • Removing service account members from LDAP-synced groups is not possible in the UI, and gets a 403 in the API. This may need to be adjusted to ship this change. A workaround would be to change the access expiry for the service account to "ASAP", but this may not be sufficient.


How to set up and validate locally

  1. Set up a group
  2. Create a service account for the group
  3. Create a sub-group
  4. Enable LDAP sync for the sub-group
  5. Add the service account to the sub-group using the "invite" dialogue

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Evans
