-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add support for GitLab groups #4001
Conversation
ba735e2
to
d2dc28a
Compare
d2dc28a
to
3123763
Compare
@jamengual hi, any chance this could make it into the next release? It would be really helpful for us at GitLab, and for all GitLab users. 🙏🏻 |
yes, we just need to review it |
One concern I have with this implementation is introducing more differences between the VCSs instead of unifying them. I wonder if you could instead piggyback on the existing Another related thought, I wonder if There's definitely a larger issue here about feature parity and options between the VCSs, so I don't want to bog us down too much on this particular PR, but just to say the fact that this is tricky is part of a larger problem and not the fault of this particular functionality. The last thing I'll say is that I'm a gitlab user, and the way we deal with this kind of issue is via Merge Request Approval Rules (https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html), which atlantis respects if the |
That wouldn't work nicely for the policy checks, as that would require instantiating a new client with a different set of groups for each project.
That works fine as an alternative for the command allowlist, but not for the policy check approvals. |
I'm not sure why; Just to clarify, is the reason we aren't simply listing all groups then calling "is member of" on each of them an efficiency thing? I understand only Admins can list full group membership for a user, but atlantis user could list every group that is visible to it, and we're already silently ignoring groups atlantis can't see, so it should be functionally the same, right? I'm not necessarily proposing that implementation, just making sure I understand the issue. Fundamentally it feels weird to me to pass into the function Re the reuse of |
I agree with you @lukemassa we can deprecate later. |
I guess we can do that, yes. 🤔
That might work on small private instances but certainly not on GitLab.com, you would hit the rate limit very quickly and even if you didn't it would take literal days to check every public group. 😄
Unless I missed something I think Atlantis can be configured to use both GitHub and GitLab at the same time, so you would still need 2 separate allowlists. In theory you could want to allowlist team |
Ah that's a good point. If we were to have some theoretic single flag that handled both of these, it would have to handle that somehow. I think here we should follow the rule of thumb of "don't try to make a generalized abstraction until you do something three times" :) If/when we do this for another VCS, at that point it will hopefully be obvious the cleanest way to do this.
Oh absolutely, my question was mostly about correctness. Basically that the list we're looking for is the intersection of "all groups user X is in" and "all groups atlantis can see". Your code does a further intersection, which is "all groups we might have policy around". Again, just making sure I understand the logic. |
@peikk0 @lukemassa, do we agree on an approach to process another review/code changes? |
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month. |
You don't have to loop over all the groups, you can just loop over the configured ones, as you're doing now. I wrote up a PR fe1e359 (not to be merged just as demonstration, feel free to cherry-pick the commit if it helps. Not totally sure what happened with the generated mocks there might want to avoid those...). Performance wise this should be the same as yours, except that we loop over all teams for all commands, which I would imagine in practice is not a big issue. Again my main concern is changing the signature of the client interface for |
@peikk0 @lukemassa |
@peikk0 will have to address @lukemassa comment and try to see if the approach work to get to an agreement. |
@lukemassa OK that sounds good, it will also need to grab all groups from all configured policy sets on init. I'll update this PR next month as I'll be mostly AFK until then. |
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month. |
Any thoughts when it will be merged? |
@andreilapkin I need to implement the suggestions above first. Sorry for the delays, been AFK most of last month. |
this is very important to me too. |
We are really looking forward to this opportunity, it is important for our team. |
This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month. |
Not stale, still on my todo list. |
edd2078
to
383a52c
Compare
Rebased and updated with the above suggestions, seems to be working great after a few tests. Happy holidays! |
Signed-off-by: Pierre Guinoiseau <pierre@guinoiseau.nz>
383a52c
to
cf84095
Compare
@lukemassa could you review this one last time? Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! I appreciate your dedication to this, and thanks for your contribution!
Signed-off-by: Simon Heather <32168619+X-Guardian@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
what
Add support for GitLab groups in the commmand allowlist and policy owners.
Unlike with GitHub, the GitLab API doesn't allow retrieving all group membership for a given user (unless you have admin access), so here instead we check in each configured group if the user is an active member of it.
why
tests
make test
ATLANTIS_GITLAB_GROUP_ALLOWLIST
and policy owners with one of my groups and then with a group I'm not a member of instead, then tried anatlantis plan
andatlantis approve_policies
in a merge request, and I was respectively allowed and denied in each case as expected.references
Closes #2549 #4799