Expose LDAP Override in API, add set and clear methods

Drew Blessing requested to merge dblessing-gl-override-api into master

What does this MR do?

Closes #4875 (closed)

Fix-up of community contribution originally in !4465 (closed). The MR has been around for quite some time (due to our own failings in the review process) and in the interest of getting the user's contribution merged I'm fixing up a few minor things.

It is currently possible to override LDAP permissions from the GitLab web interface, but not from the GitLab API.

This MR adds a new GitLab API route which allows manipulation of the override member attribute. This makes it possible to override LDAP permissions from the GitLab API.

See #4875 (closed) for more details.

Are there points in the code the reviewer needs to double check?

  • I can't see a way to get around modifying lib/api/entities.rb to add the prepend -- this causes CI to fail

Why was this MR needed?

We have a need to script the override of LDAP permissions. While this is possible by screen-scraping the web UI, this is not elegant and is likely to be more fragile in the future. (And was also broken by the token scope restriction in GitLab 11.5.1.)

@davinwalker (EE support request #89929) has indicated that GitLab Inc would be open to extending the API to support this.

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Drew Blessing
