Draft: Attach a custom user to each build

mo khan requested to merge mokhax/478108/ci-build-user into master

What does this MR do and why?

Currently, project owners can invite a user to a project with specific permissions using a custom role. This MR leverages this mechanism to bind a specific account to all CI jobs within a project by using a convention for looking up the user account. This approach allows for quick feedback to identify gaps in the existing custom permissions.

This immediate and temporary solution will help reduce the access currently granted through the CI_JOB_TOKEN.

When a new build is created, it searches for a specific user account based on a naming convention. If the user account is found, it is attached to the build, thereby restricting the CI_JOB_TOKEN to the permissions assigned to that account.

The convention for searching for a user is as follows:

  1. The user must be a direct member of the project.
  2. The username must match the pattern <project-name>-ci_user.

When a user is found matching this pattern, that user is used as the security principal for generating the CI_JOB_TOKEN.

#478108 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the :use_ci_user_account feature flag
    Feature.enable(:use_ci_user_account)
  2. Create a group (e.g. custom-roles-root-group)
  3. Create a project under that group (e.g. ci-job-token)
  4. Register a new user account with the username of <project-name>-ci_user. (e.g. ci-job-token-ci_user)
  5. Go to Project > Manage > Members and add the new user with a base role of Guest
  6. Add .gitlab-ci.yml to the project.
    example:
      # `script` is only valid under a job key, so the snippet is wrapped in a job named `build`
      build:
        image: golang:latest
        timeout: 10m
        script:
          - sh ./bin/build
  7. Add bin/build
    #!/bin/sh
    
    set -e
    
    cd "$(dirname "$0")/.."
    
    env | sort
    
    go install gitlab.com/gitlab-org/cli/cmd/glab@main
    
    export GITLAB_HOST="$CI_SERVER_HOST"
    export GITLAB_TOKEN="$CI_JOB_TOKEN"
    export GITLAB_URI="$CI_SERVER_URL"
    export NO_COLOR=1
    
    glab user events --all
  8. Trigger a new pipeline
  9. Look at the job logs for GITLAB_USER_ID, GITLAB_USER_LOGIN and GITLAB_USER_NAME to verify that the job is using the guest user account.
  10. Update the bin/build script to make different API calls using glab to find gaps in permissions.
Edited by mo khan
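The lookup convention described above (direct member plus the `<project-name>-ci_user` username, gated by the feature flag), modelled as an added Ruby example; this is not GitLab's code, and the structs, the `flag_enabled:` keyword standing in for the feature flag check, and the sample data are constructed assumptions:

```ruby
# Added example, not GitLab's implementation: models how a build would pick the
# security principal for CI_JOB_TOKEN under the convention this MR describes.
# CiUser / CiProject are constructed stand-ins for the real models.
CiUser = Struct.new(:username)
CiProject = Struct.new(:name, :direct_members, :inherited_members)

CI_USER_SUFFIX = "-ci_user".freeze

# Username the convention expects for a given project.
def ci_username_for(project)
  "#{project.name}#{CI_USER_SUFFIX}"
end

# Returns the dedicated account, or nil when the convention is not satisfied.
# flag_enabled stands in for Feature.enabled?(:use_ci_user_account).
def ci_user_for(project, flag_enabled: true)
  return nil unless flag_enabled

  expected = ci_username_for(project)
  # Only direct project membership counts: a same-named account that is merely
  # inherited from the group does not become the principal.
  project.direct_members.find { |u| u.username == expected }
end

# Principal used when generating CI_JOB_TOKEN: the dedicated account if the
# convention matches, otherwise the user who triggered the pipeline (existing
# behaviour, so the flag can be switched off without changing anything).
def job_token_principal(project, triggering_user, flag_enabled: true)
  ci_user_for(project, flag_enabled: flag_enabled) || triggering_user
end

# Constructed sample data mirroring the validation steps in the MR.
GUEST_CI_USER = CiUser.new("ci-job-token-ci_user")
MAINTAINER    = CiUser.new("alice")
SAMPLE_PROJECT = CiProject.new("ci-job-token", [GUEST_CI_USER, MAINTAINER], [])

if __FILE__ == $PROGRAM_NAME
  principal = job_token_principal(SAMPLE_PROJECT, MAINTAINER)
  puts "CI_JOB_TOKEN principal: #{principal.username}"
end
```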
