GitLab "Groups" for permissions only?
-
I have a many repos all of which can be edited by a different "Senior Review Group" group. https://devops.stackexchange.com/questions/16177/does-gitlab-support-assigning-a-reviewer-based-on-the-contributor Should I use the GitLab Group functionality to assign reviewers are say who can merge? Or should I create external tooling around this?
A big concern I have is that a Group in GitLab seems to be focused on Development. But for example a "Senior Review Group" will never produce code.
-
I have followed this pattern in the past for LDAP synchronisation, where a "permission" group was synched with LDAP and then invited into a "projects" group with a specific role.
This used the https://docs.gitlab.com/ee/administration/auth/ldap/ldap_synchronization.html feature.
There are a few benefits over adding users directly:
- you can manage identities exclusively in the IdP (e.g. Active Directory) - onboarding/offboarding/privilege escalation all done from the IdP.
- You make simple declarative statements about which (user) groups need to be in which (project) groups, with given roles.
- This makes it easier to think about the authn/authz model and indeed makes it feasible to write declarative infrastructure as code for the configuration of the projects themselves -- which group can merge, which branches are protected, etc.
On the topic of a "senior review" group which will never produce code - I agree this is a tricky permission to model. You want someone who can approve merge requests and perhaps merge them (thereby effectively making a commit and therefore "producing code" however). However, it's called privilege escalation, when what you want is true role-based authorization. I'm not sure you can do that yet with Gitlab.
