Ability to modify default trust settings for org? #4875
Comments
As discussed in Matrix, this is not possible right now. However, it would be a nice enhancement. Also from the chat:
I would be fine if this gets implemented as an org/user setting that can be configured via UI/API/CLI.
Thanks for the response here - and apologies if it looks like I re-asked. I posted here first and got a reply in Matrix shortly after. I'd love to look into getting involved and seeing if I can make this change! How do we expect this to look? Should it be a repositories tab within an org/repo? It needs to be explicit that it's an org-wide config. Edit: just want to also bring up a quick back and forth I had in #4025 where it was shared that these would eventually become agent settings? Is that the current plan for the trusted settings?
This should be added as an agent option after #4675 was merged. So I think this PR should get done first and then we can extend the feature.
Sorry, I don't have much context, but why do we want to migrate these settings to agent settings? And I can then not control it per repo anymore? An agent would have e.g.
I'm not sure - I asked the question in the separate thread trying to get some elaboration myself. I think either paradigm can work - the settings can be applied to an agent and orgs can take a default agent, or orgs can set default repo configs. I'd like some clarity myself before I work one way or the other.
For the discussion, see #3758. This came up when we introduced user-registered agents. Then you might have a user agent and would like to give your (trusted) repo additional privileges, but you cannot as long as you are not the server admin.
No, in your agent configuration you define which repos have trusted access. The pipelines from this repo executed by the agent then get privileged access, but the other ones don't.
Before you start, please wait for the linked PR.
I see, thanks.
What about companies where the IT team hosts a shared setup? Repo owners won't have access to the agent config, and letting the IT team add every repo to the agent config might not scale. I understand the general idea, but this could lead to other issues IMO.
In this scenario, would you give server admin access to any repo owner that needs trusted access? Otherwise they would not be able to enable trusted access for a specific repo.
That's exactly my point. Repo owners can enable it in the UI on their own, while they can't anymore on the agents.
Yes, but repo owners can only do so if they have server admin rights (not repo admin rights, but admin for the full wp server). If I have a separate IT team I wouldn't give server admin access to all of the repo owners.
Oh ok, in that case it doesn't matter where this configuration is done.
For private intranet instances, is it possible to make it so repos have default trust settings for VOLUMES and NETWORK set to true?