Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2024-01-05 06:14:27 +00:00
parent 77f4cd207c
commit 309dbdc495
21 changed files with 238 additions and 69 deletions


@ -13,6 +13,10 @@ if (appId && host) {
performanceTiming: false,
errorTracking: false,
},
pagePingTracking: {
minimumVisitLength: 10,
heartbeatDelay: 10,
},
});
const userId = window.gl?.snowplowStandardContext?.data?.user_id;


@ -142,7 +142,12 @@ export default {
</template>
<template v-if="formattedSize" #metadata-size>
<metadata-item icon="disk" :text="formattedSize" data-testid="image-size" />
<metadata-item
icon="disk"
:text="formattedSize"
:text-tooltip="s__('ContainerRegistry|Includes both tagged and untagged images')"
data-testid="image-size"
/>
</template>
<template #metadata-cleanup>


@ -5,14 +5,16 @@
.top-bar-fixed {
@include gl-inset-border-b-1-gray-100;
background-color: $body-bg;
left: var(--application-bar-left);
position: fixed;
left: var(--application-bar-left);
right: var(--application-bar-right);
top: $calc-application-bars-height;
width: auto;
width: calc(100% - var(--application-bar-left));
z-index: $top-bar-z-index;
@media (prefers-reduced-motion: no-preference) {
transition: left $gl-transition-duration-medium, right $gl-transition-duration-medium;
transition: left $gl-transition-duration-medium,
right $gl-transition-duration-medium,
width $gl-transition-duration-medium;
}
}


@ -105,8 +105,3 @@
@include gl-font-weight-normal;
}
}
[data-page="projects:issues:show"] .top-bar-fixed,
[data-page="groups:epics:show"] .top-bar-fixed {
width: 100%;
}


@ -7,4 +7,8 @@ feature_categories:
description: Achievements which can be created by namespaces to award them to users
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/105871
milestone: '15.7'
gitlab_schema: gitlab_main
gitlab_schema: gitlab_main_cell
sharding_key:
namespace_id: namespaces
allow_cross_joins:
- gitlab_main_clusterwide # TODO: Exists just for example in specs
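Review bot: The `allow_cross_joins` entry on the last two lines is, by its own TODO, present only so specs have an example, but it lives in the table's real dictionary file (`db/docs/achievements.yml` according to the spec in this commit). The same commit makes `GitlabSchemaInfo` read these keys into its allow-lists, so a spec-only allowance appears to relax the cross-join check for this table outside the specs too. The same applies to `allow_cross_transactions` in the dictionary file sharded by `project_id` and `allow_cross_foreign_keys` in the one sharded by `group_id`. Consider a dedicated fixture file for the specs, or at least make the TODO traceable, e.g. `# TODO(<issue-url>): remove once a real table needs this allowance`.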


@ -11,3 +11,5 @@ milestone: '16.6'
gitlab_schema: gitlab_main_cell
sharding_key:
project_id: projects
allow_cross_transactions:
- gitlab_main_clusterwide # TODO: Exists just for example in specs


@ -7,4 +7,8 @@ feature_categories:
description: Configuration for a group that is authorized to use a particular cluster agent
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68023
milestone: '14.3'
gitlab_schema: gitlab_main
gitlab_schema: gitlab_main_cell
sharding_key:
group_id: namespaces
allow_cross_foreign_keys:
- gitlab_main_clusterwide # TODO: Exists just for example in specs


@ -0,0 +1,15 @@
# frozen_string_literal: true
class ValidateForeignKeyCiBuildTraceMetadata < Gitlab::Database::Migration[2.2]
milestone '16.8'
FK_NAME = :fk_21d25cac1a_p
def up
validate_foreign_key(:ci_build_trace_metadata, [:partition_id, :trace_artifact_id], name: FK_NAME)
end
def down
# Can be safely a no-op if we don't roll back the inconsistent data.
end
end


@ -0,0 +1,15 @@
# frozen_string_literal: true
class ValidateForeignKeyCiJobArtifactState < Gitlab::Database::Migration[2.2]
milestone '16.8'
FK_NAME = :fk_rails_80a9cba3b2_p
def up
validate_foreign_key(:ci_job_artifact_states, [:partition_id, :job_artifact_id], name: FK_NAME)
end
def down
# Can be safely a no-op if we don't roll back the inconsistent data.
end
end


@ -0,0 +1 @@
90614e8c6d73455b96dc7c4652b529ffa844d704fe8e7729e97b4ac557edb423


@ -0,0 +1 @@
991849159d57b5bd6d0d0d671f766c715b23a8e04c3130e56e2b6a05a27f49d6


@ -37468,7 +37468,7 @@ ALTER TABLE ONLY ci_build_trace_metadata
ADD CONSTRAINT fk_21d25cac1a FOREIGN KEY (trace_artifact_id) REFERENCES ci_job_artifacts(id) ON DELETE CASCADE;
ALTER TABLE ONLY ci_build_trace_metadata
ADD CONSTRAINT fk_21d25cac1a_p FOREIGN KEY (partition_id, trace_artifact_id) REFERENCES ci_job_artifacts(partition_id, id) ON UPDATE CASCADE ON DELETE CASCADE NOT VALID;
ADD CONSTRAINT fk_21d25cac1a_p FOREIGN KEY (partition_id, trace_artifact_id) REFERENCES ci_job_artifacts(partition_id, id) ON UPDATE CASCADE ON DELETE CASCADE;
ALTER TABLE ONLY users_star_projects
ADD CONSTRAINT fk_22cd27ddfc FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
@ -39406,7 +39406,7 @@ ALTER TABLE ONLY ci_job_artifact_states
ADD CONSTRAINT fk_rails_80a9cba3b2 FOREIGN KEY (job_artifact_id) REFERENCES ci_job_artifacts(id) ON DELETE CASCADE;
ALTER TABLE ONLY ci_job_artifact_states
ADD CONSTRAINT fk_rails_80a9cba3b2_p FOREIGN KEY (partition_id, job_artifact_id) REFERENCES ci_job_artifacts(partition_id, id) ON UPDATE CASCADE ON DELETE CASCADE NOT VALID;
ADD CONSTRAINT fk_rails_80a9cba3b2_p FOREIGN KEY (partition_id, job_artifact_id) REFERENCES ci_job_artifacts(partition_id, id) ON UPDATE CASCADE ON DELETE CASCADE;
ALTER TABLE ONLY approval_merge_request_rules_users
ADD CONSTRAINT fk_rails_80e6801803 FOREIGN KEY (approval_merge_request_rule_id) REFERENCES approval_merge_request_rules(id) ON DELETE CASCADE;


@ -303,7 +303,9 @@ include:
A `not found or access denied` error may be displayed if the user does not have access to any of the included files.
- Be careful when including another project's CI/CD configuration file. No pipelines or notifications trigger when CI/CD configuration files change.
From a security perspective, this is similar to pulling a third-party dependency. For the `ref`, consider:
- Using a specific SHA hash, which should be the most stable option.
- Using a specific SHA hash, which should be the most stable option. Use the
full 40-character SHA hash to ensure the desired commit is referenced, because
using a short SHA hash for the `ref` might be ambiguous.
- Applying both [protected branch](../../user/project/protected_branches.md) and [protected tag](../../user/project/protected_tags.md#prevent-tag-creation-with-the-same-name-as-branches) rules to
the `ref` in the other project. Protected tags and branches are more likely to pass through change management before changing.


@ -183,21 +183,17 @@ security dashboard.
To add a new ability to a custom role:
- Generate YAML file by running `./ee/bin/custom-ability` generator
- Add a new column to `member_roles` table, for example in [this change in merge request 114734](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114734/diffs#diff-content-5c53d6f1c29a272a87eecea3f62d017ab6635275).
- Add the ability to the `MemberRole` model, `ALL_CUSTOMIZABLE_PERMISSIONS` hash, for example in [this change in merge request 121534](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121534/diffs#ce5ec769500a53ce2b603467d9984fc2b33ca71d_8_8). There are following possible keys in the `ALL_CUSTOMIZABLE_PERMISSIONS` hash:
- `description` - description of the ability.
- `minimal_level` - minimal level a user has to have in order to be able to be assigned to the ability.
- `requirement` - required ability for the ability defined in the hash, in case the requirement is `false`, the ability can not be `true`.
- Add a new column to `member_roles` table, either manually or by running `custom_roles:code` generator, eg. by running `rails generate gitlab:custom_roles:code --ability new_ability_name`. The ability parameter is case sensitive and has to exactly match the permission name from the YAML file.
- Add the ability to the respective Policy for example in [this change in merge request 114734](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114734/diffs#diff-content-edcbe28bdecbd848d4d9efdc5b5e9bddd2a7299e).
- Update the specs.
- Update the specs. Don't forget to add a spec to `ee/spec/requests/custom_roles` - the spec template file was generated if you used the code generator
Examples of merge requests adding new abilities to custom roles:
- [Read code](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106256)
- [Read vulnerability](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114734)
- [Admin vulnerability](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121534) - this is the newest MR implementing a new custom role ability. Some changes from the previous MRs are not necessary anymore (such as a change of the Preloader query or adding a method to `User` model).
- [Admin vulnerability](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121534)
The above merge request don't use YAML files and code generators. Some of the changes are not needed anymore. We will update the documentation once we have a permission implemented using the generators.
You should make sure a new custom roles ability is under a feature flag.
@ -222,7 +218,7 @@ To add a new custom ability:
| `description` | yes | Human-readable description of the custom ability. |
| `feature_category` | yes | Name of the feature category. For example, `vulnerability_management`. |
| `introduced_by_issue` | yes | Issue URL that proposed the addition of this custom ability. |
| `introduced_by_mr` | yes | MR URL that added this custom ability. |
| `introduced_by_mr` | no | MR URL that added this custom ability. |
| `milestone` | yes | Milestone in which this custom ability was added. |
| `group_ability` | yes | Indicate whether this ability is checked on group level. |
| `project_ability` | yes | Indicate whether this ability is checked on project level. |


@ -3,6 +3,8 @@
module Gitlab
module Database
class Dictionary
ALL_SCOPES = ['', 'views', 'deleted_tables'].freeze
def self.entries(scope = '')
@entries ||= {}
@entries[scope] ||= Dir.glob(dictionary_path_globs(scope)).map do |file_path|
@ -12,6 +14,15 @@ module Gitlab
end
end
def self.any_entry(name)
ALL_SCOPES.each do |scope|
e = entry(name, scope)
return e if e
end
nil
end
def self.entry(name, scope = '')
entries(scope).find do |entry|
entry.key_name == name
@ -69,6 +80,10 @@ module Gitlab
data['classes']
end
def allow_cross_to_schemas(type)
data["allow_cross_#{type}"].to_a.map(&:to_sym)
end
def schema?(schema_name)
gitlab_schema == schema_name.to_s
end
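Review bot: `allow_cross_to_schemas(type)` builds its key as `"allow_cross_#{type}"` without checking `type`, so a misspelled or unsupported type returns `[]` exactly like a table that declares no allowances. Because the result feeds the cross-schema allow-lists, a guard such as `raise ArgumentError, "unknown cross type: #{type}" unless %i[joins transactions foreign_keys].include?(type)` would make that mistake visible instead of silent. A one-line comment saying that the method returns, as symbols, the schemas this table opts into would also help. The class body continues outside these hunks.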


@ -2,11 +2,6 @@
module Gitlab
module Database
GitlabSchemaInfoAllowCross = Struct.new(
:specific_tables,
keyword_init: true
)
GitlabSchemaInfo = Struct.new(
:name,
:description,
@ -20,9 +15,12 @@ module Gitlab
def initialize(*)
super
self.name = name.to_sym
self.allow_cross_joins = convert_array_to_hash(allow_cross_joins)
self.allow_cross_transactions = convert_array_to_hash(allow_cross_transactions)
self.allow_cross_foreign_keys = convert_array_to_hash(allow_cross_foreign_keys)
self.allow_cross_joins = add_table_specific_allows(
:joins, convert_array_to_hash(allow_cross_joins))
self.allow_cross_transactions = add_table_specific_allows(
:transactions, convert_array_to_hash(allow_cross_transactions))
self.allow_cross_foreign_keys = add_table_specific_allows(
:foreign_keys, convert_array_to_hash(allow_cross_foreign_keys))
end
def self.load_file(yaml_file)
@ -31,35 +29,37 @@ module Gitlab
end
def allow_cross_joins?(table_schemas, all_tables)
allowed_schemas = allow_cross_joins || {}
allowed_for?(allowed_schemas, table_schemas, all_tables)
allowed_for?(allow_cross_joins, table_schemas, all_tables)
end
def allow_cross_transactions?(table_schemas, all_tables)
allowed_schemas = allow_cross_transactions || {}
allowed_for?(allowed_schemas, table_schemas, all_tables)
allowed_for?(allow_cross_transactions, table_schemas, all_tables)
end
def allow_cross_foreign_keys?(table_schemas, all_tables)
allowed_schemas = allow_cross_foreign_keys || {}
allowed_for?(allowed_schemas, table_schemas, all_tables)
allowed_for?(allow_cross_foreign_keys, table_schemas, all_tables)
end
private
def allowed_for?(allowed_schemas, table_schemas, all_tables)
# Take all the schemas in the query and remove the current schema and all the allowed schemas. If there is
# anything left then it's not allowed. Then we even if there is nothing left we continue to verify
# `specific_tables` used in the allowed schemas.
denied_schemas = table_schemas - [name]
denied_schemas -= allowed_schemas.keys
return false unless denied_schemas.empty?
# Additional validation for specific_tables. We should validate that if `specific_tables` is set then we will
# need all the tables to be in the the allowed specific_tables
all_tables.all? do |table|
table_schema = ::Gitlab::Database::GitlabSchema.table_schema!(table)
allowed_tables = allowed_schemas[table_schema]
allowed_tables.nil? || allowed_tables.specific_tables.include?(table)
# If specific tables key is nil? (not present) then we assume all tables are allowed and return true Otherwise
# we check every table in the current query is in specific_tables list
allowed_tables.nil? ||
allowed_tables[:specific_tables].include?(table)
end
end
@ -72,7 +72,7 @@ module Gitlab
#
# To:
# { :schema_a => nil,
# :schema_b => { specific_tables : [:table_b_of_schema_b, :table_c_of_schema_b] }
# :schema_b => { specific_tables : ['table_b_of_schema_b', 'table_c_of_schema_b'] }
# }
#
def convert_array_to_hash(subject)
@ -81,15 +81,58 @@ module Gitlab
subject&.each do |item|
if item.is_a?(Hash)
item.each do |key, value|
result[key.to_sym] = GitlabSchemaInfoAllowCross.new(value || {})
result[key.to_sym] = { specific_tables: value[:specific_tables].to_set }
end
else
result[item.to_sym] = nil
end
end
result
end
# This method loops over all the `db/docs` files for every table and injects any
# allow_cross_joins/allow_cross_transactions/allow_cross_foreign_keys into the specific_tables lists for the
# current schema.
def add_table_specific_allows(type, schema_allows)
result = schema_allows
all_table_allows(type).each do |schema_from, tables|
# Preserve the meaning of `nil` as defined in convert_array_to_hash as a nil value means that we allow all
# tables
next if result.key?(schema_from) && result[schema_from].nil?
# Now we add the table to the specific_tables list because this table specifies it is allowed in this schema
result[schema_from] ||= { specific_tables: Set.new }
result[schema_from][:specific_tables] += tables
end
result.freeze
end
# For the given type we iterate over all db/docs files build a Hash like:
#
# {
# gitlab_main_cell: ['table_a', 'table_b']
# }
#
# This specifies that in the `gitlab_main_cell` schema the 'table_a` and `table_b` tables are allowing cross
# queries with the current schema
def all_table_allows(type)
@all_table_allows ||= {}
@all_table_allows[type] ||= begin
result = {}
::Gitlab::Database::Dictionary.entries.each do |entry|
allowed_schemas = entry.allow_cross_to_schemas(type)
allowed_schemas.each do |schema|
# In the context of this GitlabSchemaInfo we only need the tables that have allowed this schema
next unless schema == name
result[entry.gitlab_schema.to_sym] ||= []
result[entry.gitlab_schema.to_sym] << entry.key_name
end
end
result
end
end
end
end
end
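Review bot: In `add_table_specific_allows`, a single table opting in is enough to make its schema a key of the allow-list, so `denied_schemas -= allowed_schemas.keys` in `allowed_for?` then clears that whole schema and only the per-table `all_tables.all?` loop still restricts it. That loop is vacuously true when `all_tables` is empty, so a caller passing schemas without a complete table list would get `true` for the schema pair; whether any caller does so is not visible here. If that case can occur, fail closed before the loop, e.g. `return false if all_tables.empty? && table_schemas.any? { |s| allowed_schemas[s] }`. Separately, `convert_array_to_hash` now calls `value[:specific_tables]` where the old code used `value || {}`, so a schema entry with an empty value would presumably raise.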


@ -13473,6 +13473,9 @@ msgstr ""
msgid "ContainerRegistry|Image tags"
msgstr ""
msgid "ContainerRegistry|Includes both tagged and untagged images"
msgstr ""
msgid "ContainerRegistry|Invalid tag: missing manifest digest"
msgstr ""


@ -17,6 +17,9 @@ RSpec.shared_examples 'validate dictionary' do |objects, directory_path, require
schema_inconsistencies
sharding_key
desired_sharding_key
allow_cross_joins
allow_cross_transactions
allow_cross_foreign_keys
]
end


@ -207,6 +207,7 @@ describe('Details Header', () => {
expect(findSize().props()).toMatchObject({
icon: 'disk',
text: numberToHumanSize(size),
textTooltip: 'Includes both tagged and untagged images',
});
});
});


@ -24,6 +24,25 @@ RSpec.describe Gitlab::Database::Dictionary, feature_category: :database do
end
end
describe '.any_entry' do
it 'loads an entry from any scope' do
expect(described_class.any_entry('ci_pipelines')).to be_present # Regular table
expect(described_class.any_entry('audit_events_archived')).to be_present # Deleted table
expect(described_class.any_entry('postgres_constraints')).to be_present # View
expect(described_class.any_entry('not_a_table_ever')).to be_nil
end
end
describe '.entry' do
it 'loads an Entry from the given scope' do
expect(described_class.entry('ci_pipelines')).to be_present # Regular table
expect(described_class.entry('audit_events_archived')).not_to be_present # Deleted table
expect(described_class.entry('postgres_constraints')).not_to be_present # Deleted table
expect(described_class.entry('audit_events_archived', 'deleted_tables')).to be_present # Deleted table
expect(described_class.entry('postgres_constraints', 'views')).to be_present # View
end
end
describe '::Entry' do
subject(:database_dictionary) { described_class::Entry.new(file_path) }
@ -80,6 +99,39 @@ RSpec.describe Gitlab::Database::Dictionary, feature_category: :database do
expect { database_dictionary.validate! }.to raise_error(Gitlab::Database::GitlabSchema::UnknownSchemaError)
end
end
context 'with allow_cross_joins' do
let(:file_path) { 'db/docs/achievements.yml' }
describe '#allow_cross_to_schemas' do
it 'returns the list of allowed schemas' do
expect(database_dictionary.allow_cross_to_schemas(:joins))
.to contain_exactly(:gitlab_main_clusterwide)
end
end
end
context 'with allow_cross_transactions' do
let(:file_path) { 'db/docs/activity_pub_releases_subscriptions.yml' }
describe '#allow_cross_to_schemas' do
it 'returns the list of allowed schemas' do
expect(database_dictionary.allow_cross_to_schemas(:transactions))
.to contain_exactly(:gitlab_main_clusterwide)
end
end
end
context 'with allow_cross_foreign_keys' do
let(:file_path) { 'db/docs/agent_group_authorizations.yml' }
describe '#allow_cross_to_schemas' do
it 'returns the list of allowed schemas' do
expect(database_dictionary.allow_cross_to_schemas(:foreign_keys))
.to contain_exactly(:gitlab_main_clusterwide)
end
end
end
end
context 'for a view' do
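Review bot: In the `.entry` example, the trailing comment on the default-scope `postgres_constraints` expectation reads `# Deleted table`, but the `.any_entry` example and the later `'views'` expectation both label that name as a view. Change the comment to `# View` so it matches what the assertion demonstrates. Splitting the five expectations into one example per scope would also make a failure point at the scope that broke.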


@ -217,17 +217,19 @@ RSpec.describe Gitlab::Database::GitlabSchema, feature_category: :database do
describe '.cross_joins_allowed?' do
where(:schemas, :tables, :result) do
%i[] | %i[] | true
%i[gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_internal] | %i[] | false
%i[gitlab_main gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_shared] | %i[] | true
%i[gitlab_main_clusterwide gitlab_shared] | %i[] | true
%i[] | %w[] | true
%i[gitlab_main] | %w[evidences] | true
%i[gitlab_main_clusterwide gitlab_main] | %w[users evidences] | true
%i[gitlab_main_clusterwide gitlab_ci] | %w[users ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_ci] | %w[users evidences ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_internal] | %w[users schema_migrations] | false
%i[gitlab_main gitlab_ci] | %w[evidences schema_migrations] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_shared] | %w[users evidences detached_partitions] | true
%i[gitlab_main_clusterwide gitlab_shared] | %w[users detached_partitions] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users namespaces] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[plans namespaces] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users achievements] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users activity_pub_releases_subscriptions] | false
end
with_them do
@ -237,17 +239,19 @@ RSpec.describe Gitlab::Database::GitlabSchema, feature_category: :database do
describe '.cross_transactions_allowed?' do
where(:schemas, :tables, :result) do
%i[] | %i[] | true
%i[gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_internal] | %i[] | true
%i[gitlab_main gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_shared] | %i[] | true
%i[gitlab_main_clusterwide gitlab_shared] | %i[] | true
%i[] | %w[] | true
%i[gitlab_main] | %w[evidences] | true
%i[gitlab_main_clusterwide gitlab_main] | %w[users evidences] | true
%i[gitlab_main_clusterwide gitlab_ci] | %w[users ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_ci] | %w[users evidences ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_internal] | %w[users schema_migrations] | true
%i[gitlab_main gitlab_ci] | %w[evidences ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_main gitlab_shared] | %w[users evidences detached_partitions] | true
%i[gitlab_main_clusterwide gitlab_shared] | %w[users detached_partitions] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users namespaces] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[plans namespaces] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users achievements] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users activity_pub_releases_subscriptions] | true
end
with_them do
@ -257,15 +261,17 @@ RSpec.describe Gitlab::Database::GitlabSchema, feature_category: :database do
describe '.cross_foreign_key_allowed?' do
where(:schemas, :tables, :result) do
%i[] | %i[] | false
%i[gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_main] | %i[] | true
%i[gitlab_main_clusterwide gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_internal] | %i[] | false
%i[gitlab_main gitlab_ci] | %i[] | false
%i[gitlab_main_clusterwide gitlab_shared] | %i[] | false
%i[] | %w[] | false
%i[gitlab_main] | %w[evidences] | true
%i[gitlab_main_clusterwide gitlab_main] | %w[users evidences] | true
%i[gitlab_main_clusterwide gitlab_ci] | %w[users ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_internal] | %w[users schema_migrations] | false
%i[gitlab_main gitlab_ci] | %w[evidences ci_pipelines] | false
%i[gitlab_main_clusterwide gitlab_shared] | %w[users detached_partitions] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users namespaces] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[plans namespaces] | true
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users achievements] | false
%i[gitlab_main_clusterwide gitlab_main_cell] | %w[users agent_group_authorizations] | true
end
with_them do