Allow overrides for cascading settings
What does this MR do and why?
Allow overrides for cascading settings
For some features relying on cascading settings, customers would like
the ability to allow/block list certain projects such that regardless of
the state of the setting in the group or instance, those projects always
have the specified value. We implement this through a new model,
CascadingSettingOverride
, which stores those overrides. The overrides
can be associated to a root namespace, so that the setting can be
changed by root group admins, or not have a namespace association, in
which case it will work as an instance-level override.
Closes #441532
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Since there's currently no interface, the easiest way to validate these settings is via a rails console
the following way:
- Update the instance setting:
ApplicationSetting.current.update(duo_features_enabled: false)
- Update the group setting:
Group.find_by_full_path('gitlab-org').namespace_settings.update(duo_features_enabled: false)
- Update the project setting:
Project.find_by_full_path('gitlab-org/gitlab-shell').update(duo_features_enabled: true)
- Create a namespace-scoped override:
CascadingSettingOverride.create!(namespace: Group.find_by_full_path('gitlab-org'), project: Project.find_by_full_path('gitlab-org/gitlab-shell'), duo_features_enabled: true)
- Create a global override:
CascadingSettingOverride.create!(project: Project.find_by_full_path('gitlab-org/gitlab-shell', duo_features_enabled: true)
You can play around with these value. The priority order should be (from most to least important):
- Global override
- Namespace-scoped override
- Project setting (depending on if it's locked by the group)
- Group setting (depending on if it's locked by the instance)
- Instance setting