Manage CI/CD job token scope allowlist #571
Comments
Thanks for the suggestion @nickgriffiths. What should the gitlabform config syntax look like? Can you post some proposals? Will you or any of your colleagues be able to contribute this feature?

I'm afraid I haven't given any thought to syntax, and I can't work on this myself at the moment, but I have privately flagged this to some colleagues to see if anyone might be interested in taking it on.

Sounds good. Thanks @nickgriffiths

Hi, I plan to take on this work after getting my head into using python-gitlab
Related Gitlab Issues:
@amimas
Right now we'd be able to take Project name, map to Project ID and invoke the REST endpoint (via python-gitlab) to add that Project. In future, pending Gitlab Development, we can take Group name and invoke the endpoint (we might end up needing to map group name to group id).
The question I have is how does Gitlabform handle fields where we could take either a group name or project name?
Hi @TimKnight-DWP - Thank you for wanting to contribute this feature. Really appreciate the help. In terms of config syntax, here's what I'm thinking, although it's not too different from your proposal I believe.

```yaml
group-foo/project-abc:
  project_settings:
    # existing project settings related configs as-is
  branches:
    # existing branch protection related configs as-is
  job_token_scope:
    # new config proposal
    enabled: ... # accepted values are `true` or `false`
    allowlist:
      enforce: .... # accepted values are `true` or `false`
      projects:
        - 123
        - group-bar/project-xyz
```

In the above sample, I think this new feature should be under a new key instead of Under Under Under I hope the above makes sense. Please let us know if you have questions or suggestions.
Actually... on second thought, this might have to be implemented as part of this. If job token scope is disabled, the following config would be invalid because you can't also add projects to allowlist, right?

```yaml
group-foo/project-abc:
  job_token_scope:
    enabled: false
    allowlist:
      projects:
        - 123
        - group-bar/project-xyz
```

In the above config, I believe you can't add projects to the allowlist. Or is it the other way around (i.e. when Anyways, my point is, I think this has to be part of the implementation? What do you think?
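To make the `enforce` and `enabled` semantics discussed in the two config proposals above concrete, here is an added example (not gitlabform's code and not written by anyone in this thread) that turns the proposed `job_token_scope` block into a plan of allowlist changes and flags the contradictory "disabled but allowlist populated" case. It assumes a `resolve_path` callable that maps a `group/project` path to a numeric project ID (the thread notes the REST endpoint needs an ID) and a `current_ids` list standing in for the allowlist fetched from GitLab; no API call is made.

```python
"""Added example: plan allowlist changes from the proposed gitlabform syntax."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class AllowlistPlan:
    to_add: List[int] = field(default_factory=list)     # project IDs to add
    to_remove: List[int] = field(default_factory=list)  # IDs to drop (only when enforce)
    warnings: List[str] = field(default_factory=list)   # config problems to surface


def plan_job_token_scope(config: dict, current_ids: List[int],
                         resolve_path: Callable[[str], int]) -> AllowlistPlan:
    """Compare desired `job_token_scope.allowlist.projects` with the current allowlist.

    `config` is the per-project gitlabform block; `current_ids` and
    `resolve_path` are assumed placeholders for data a real run would fetch.
    """
    plan = AllowlistPlan()
    scope = config.get("job_token_scope") or {}
    allowlist = scope.get("allowlist") or {}

    # Entries may be a numeric ID or a `group/project` path; paths are resolved.
    wanted_ids = set()
    for ref in allowlist.get("projects") or []:
        wanted_ids.add(ref if isinstance(ref, int) else resolve_path(ref))

    # The case raised in the thread: listing allowlist projects while the
    # scope limit is disabled is contradictory, so report it instead of
    # silently applying half of the config.
    if scope.get("enabled") is False and wanted_ids:
        plan.warnings.append(
            "allowlist.projects is set but job_token_scope.enabled is false")

    current = set(current_ids)
    plan.to_add = sorted(wanted_ids - current)
    # `enforce: true` means the config is the full list: remove anything extra.
    if allowlist.get("enforce", False):
        plan.to_remove = sorted(current - wanted_ids)
    return plan
```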
@amimas in GL 17 I don't think there will be an enable true/false option, simply there will be an allowlist, so we shouldn't have to worry about accounting for this, unless we want backwards compatibility to GL 16. At which point if If
GL have implemented Group addition to allowlist via REST: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145069 So suspect similar API would be
or
I think the former, with separation of fields is better, matches the underlying API and I assumed will be a little easier to handle in the code logic

FYI I'll probably be contributing into
Thanks @TimKnight-DWP. Forgot that the boolean option is deprecated and expected to be removed in v17. As for a group being added to the allowlist, your first suggestion makes sense to me as well.

@amimas - the Is there a way I can point a branch/fork of Gitlab Form to this fork of python-gl so I can develop in parallel, ready for a release with 16.10?
Hi @TimKnight-DWP . I'm not well versed in python packaging yet. I think you need to update the version reference in setup.py here: Line 55 in dd58a7a
According to this article you can also point it to a github url but maybe that will still expect a package from there... https://python-packaging.readthedocs.io/en/latest/dependencies.html#packages-not-on-pypi

I was looking at that setting in a project for work today. There're 2 settings. One is called "limit access to this project". The 2nd one is called "limit access from this project". To me it seems the deprecation is for the 2nd option. So the first boolean setting will still stay I think? Could you confirm @TimKnight-DWP.

@amimas yes you're right, that's my reading of the deprecation notices too. Let's call the first boolean
Nevermind, they swap between terminology throughout the API and UI for this setting 🙈 ..... In PATCH https://docs.gitlab.com/ee/api/project_job_token_scopes.html#patch-a-projects-cicd-job-token-access-settings, it's "enabled" true/false:
(my reading is that, true = Limit Access to project is on) In GET https://docs.gitlab.com/ee/api/project_job_token_scopes.html#get-a-projects-cicd-job-token-access-settings, it's
(my reading would be true = Limit Access to project is off)

I've tested it, spoken to our contact at Gitlab (the benefits of working somewhere with Ultimate license), and raised an MR to clarify Gitlab's REST api documentation based on what I found out: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146763

Thanks for digging into that boolean setting. Hopefully things get clarified.
Too bad GitLab has 2 different terms for it in their API (i.e.

Yes, that was just me stream of thoughting into the comments :D

@amimas @nickgriffiths changes to support this are here: TimKnight-DWP#1 Currently on my fork only because I need to point at my fork of python-gitlab to pick up that part of the chain. Everything is capable of being merged when gitlab 16.10 gets released, so I'll update the MR to point back to mainline python-gitlab when this MR goes in python-gitlab/python-gitlab#2816. However a review of the proposed changes would be great if possible :)
- Job Token access enable/disable - Group and Project job token allowlist support REST API documentation: https://docs.gitlab.com/ee/api/project_job_token_scopes.html Closes gitlabform#571 Signed-off-by: Tim Knight <tim.knight1@engineering.digital.dwp.gov.uk>
feat: support CI/CD job token scope api - Job Token access enable/disable - Group and Project job token allowlist support REST API documentation: https://docs.gitlab.com/ee/api/project_job_token_scopes.html Closes #571 Signed-off-by: Tim Knight <tim.knight1@engineering.digital.dwp.gov.uk>
It would be great to be able to use GitLabForm to configure the allowlist of projects that can use a project's `CI_JOB_TOKEN`. https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#configure-cicd-job-token-access
The API for this is https://docs.gitlab.com/ee/api/project_job_token_scopes.html