I ran into what appears to be a bug with a GitLab 13.8.4 Premium setup. This project has a number of repositories (one per service) and a combined deployment job for the ones which are not yet containerized.
The layout looks like this, with a number of internal projects:
- app deployment: Ansible job which deploys onto the appropriate servers
Each of the services has protected branches which trigger app deployment for the same branch to deploy to the appropriate protected environment. This is implemented with `trigger:` on the app deployment repo. The app deployment repo has a `trigger:` block which runs the regression test suite.
For me (with admin permissions) this all worked. This morning a user got an error “trigger_regression_tests - failed - (no permissions to trigger downstream pipeline)” on the same pipeline I’d tested (service1 triggered app deployment successfully, app deployment got that error triggering regression tests). At first, I thought he just didn’t have permissions to merge to that branch but then I checked that he did and I impersonated him long enough to confirm that he had permissions to trigger the same pipelines on the same branches in the same projects.
This hits a larger topic of the permissions model being somewhat complicated when not everyone has full access to everything. We frequently hit situations where it’d be nice to say “user X can trigger pipelines on branch Y but not otherwise have much access to this project” and subscriptions can’t really be used since they require projects to be public and only support the default branch. I can use curl with a token, of course, but then I have to manage another secret and the UI isn’t as nice. I created “Allow cross-project triggers for users without permissions” (GitLab.org / GitLab issue #276706) 3 months ago for a separate reason but this would be another area where something like that would be useful both for improving security and making the relationships more obvious.
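For readers unfamiliar with the setup described in the post, here is an added illustration (not the poster's actual configuration) of the two-level `trigger:` chain: a service repo hands protected branches to a shared deployment project, which in turn triggers the regression suite. Project paths, stage names and the Ansible invocation are assumptions.

```yaml
# Added example, not the poster's real pipeline; paths such as group/app-deployment are assumed.
# --- .gitlab-ci.yml in a service repository (e.g. group/service1) ---
stages: [deploy]

deploy:
  stage: deploy
  rules:
    # Only protected branches hand off to the shared deployment project.
    - if: '$CI_COMMIT_REF_PROTECTED == "true"'
  trigger:
    project: group/app-deployment   # assumed path of the Ansible deployment repo
    branch: $CI_COMMIT_REF_NAME     # deploy the same branch name downstream
    strategy: depend                # upstream job mirrors the downstream pipeline's result

# --- .gitlab-ci.yml in group/app-deployment ---
stages: [deploy, test]

deploy_with_ansible:
  stage: deploy
  environment:
    name: $CI_COMMIT_REF_NAME       # one protected environment per protected branch
  script:
    # Assumed playbook and inventory layout; adjust to the real repository.
    - ansible-playbook -i "inventories/$CI_COMMIT_REF_NAME" site.yml

trigger_regression_tests:
  stage: test
  trigger:
    project: group/regression-tests # assumed path of the regression suite repo
    branch: $CI_COMMIT_REF_NAME
    strategy: depend
```

Each downstream pipeline in this chain is created on behalf of the user whose push or merge started the upstream pipeline, so that user needs permission to run pipelines on the protected branch in every project along the chain, not only the first one. Checking the protected-branch and protected-environment settings of the last project in the chain is therefore the first place to look when a `trigger:` job reports that the user has no permission to trigger the downstream pipeline.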