Add read_group_runners group policy rule
What does this MR do and why?
Describe in detail what your merge request does and why.
This MR:
- adds the
read_group_runners
group policy rule and replaces existing logic that was falling back to the:admin_group
rule. Both are available only to group owners; - changes the level used for
register_group_runners
/admin_group_runners
(currently maintainer-level) so that they are not more permissive thanread_group_runners
(owner-level); - changes the copy in the project runners settings page so that it mentions 'group owners' instead of 'group maintainers', since group maintainers were never able to manage group runners.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
No functional changes should occur, this is only a change of rules that reuse the same permissions.
-
Log in as
root
user -
Visit http://gdk.localhost:3000/groups/gitlab-org/-/group_members
-
Ensure you have a non-admin user with
maintainer
access (e.g.josh
) -
Visit http://gdk.localhost:3000/gitlab-org. The
CI/CD -> Runners
nav menu item should be available: -
Ensure you can log in with
josh
. If you don't know the password for the user, you can reset it in the Rails console as follows:user = User.find_by_username 'josh'; user.password = user.password_confirmation = 'secret_pass'; user.save!
-
Log in as
josh
and visit http://gdk.localhost:3000/gitlab-org. TheCI/CD -> Runners
nav menu item should not be available:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Closes #349786 (closed)