Gitlab users API does not return user email for non-admin Ghostflow user
In testing ghostflow-director for a project on CERN's Gitlab (11.0.5) instance, I've set up the director to use my account as the "robot user". I'm not an admin on the Gitlab instance (and neither will the eventual service account for the bot), and this lack of admin permissions seems to be the cause of runtime errors. The calls to the Gitlab API to obtain user info always use gitlab.user<gitlab::UserPublic>(id), e.g. (https://gitlab.kitware.com/utils/rust-ghostflow/blob/master/src/host/gitlab/src/lib.rs#L270).
If the user account used to read/write the API doesn't have admin permissions, the call to the users API only returns a more basic set of info (gitlab::UserBasic?). For example:
INFO 2018-08-16T17:10:27Z: webhook_listen::config: matched an event of kind gitlab:note
DEBUG 2018-08-16T17:10:27Z: webhook_listen::config: writing an event of kind gitlab:note to /opt/ghostflow/var/geant4-ghostflow/2018-08-16T17:10:27.892923367+00:00-9b113sWfODfu.json
DEBUG 2018-08-16T17:10:27Z: gitlab::gitlab: api call users/1514
DEBUG 2018-08-16T17:10:27Z: gitlab::gitlab: received data: Object({"avatar_url": Null, "bio": Null, "created_at": String("2015-09-30T15:34:55.810+02:00"), "id": Number(1514), "linkedin": String(""), "location": Null, "name": String("Benjamin Morgan"), "organization": Null, "skype": String(""), "state": String("active"), "twitter": String(""), "username": String("bmorgan"), "web_url": String("https://gitlab.cern.ch/bmorgan "), "website_url": String("")})
I also tried adding a public email to my profile, but even then this doesn't seem to be exposed by the user api (https://docs.gitlab.com/ee/api/users.html#single-user). It's possible this is an artifact of CERN's configuration or that we're running ghostflow in Docker/Openshift, though the API docs appear to indicate there's no way to get a user's email through the API (or via info in webhook payloads) unless the API user has Gitlab admin permissions.
I've been able to work around this for CERN's instance by replacing use of gitlab::UserPublic with gitlab::UserBasic and constructing the needed email field from the username. This does result in a minimal working Ghostflow, at least for Do: commands by my account.
This may be less an issue than documentation/scope of use, but it would be useful if ghostflow could be run as a non-admin level user (albeit at the cost of some of its admin level features like webhook/member addition). The only idea I have here is for all Git operations to use the Ghostflow account (whose details we can get), and mark stage/merge commits as "on behalf of <whoever ran Do: X, who has the requisite permissions for X>".
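The fallback described in this report, sketched as an added example; it is not part of the original post and not ghostflow or gitlab-crate code. The types, `commit_identity`, `safe_username`, the `mail_domain` setting and the `example.org` addresses are all hypothetical.

```rust
// Added illustration, not ghostflow or gitlab-crate code; all names are hypothetical.

/// What a non-admin token sees from `users/:id`; `email` is None when omitted.
struct ApiUser {
    username: String,
    name: String,
    email: Option<String>,
}

#[derive(Debug, PartialEq)]
struct Identity {
    name: String,
    email: String,
    /// Set when the bot commits on behalf of the requesting user.
    on_behalf_of: Option<String>,
}

/// The username becomes part of an email address, so accept only a
/// conservative character set (this rule is an assumption of the example).
fn safe_username(u: &str) -> bool {
    !u.is_empty()
        && u.len() <= 64
        && u.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-'))
}

/// Choose the identity for a stage/merge commit requested by `user`.
/// `mail_domain` is an assumed site setting; with None the bot's own
/// identity is used and the requester is recorded in `on_behalf_of`.
fn commit_identity(user: &ApiUser, bot: &Identity, mail_domain: Option<&str>) -> Result<Identity, String> {
    let ident = |name: &str, email: String, obo: Option<String>| Identity {
        name: name.to_string(), email, on_behalf_of: obo,
    };
    if let Some(email) = &user.email {
        return Ok(ident(&user.name, email.clone(), None));
    }
    if !safe_username(&user.username) {
        return Err(format!("cannot derive identity from username {:?}", user.username));
    }
    Ok(match mail_domain {
        Some(d) => ident(&user.name, format!("{}@{}", user.username, d), None),
        None => ident(&bot.name, bot.email.clone(), Some(user.username.clone())),
    })
}

fn main() {
    // Constructed sample: username and name from the log above, no email field.
    let user = ApiUser { username: "bmorgan".into(), name: "Benjamin Morgan".into(), email: None };
    let bot = Identity { name: "ghostflow".into(), email: "ghostflow@example.org".into(), on_behalf_of: None };
    println!("{:?}", commit_identity(&user, &bot, Some("example.org")));
    println!("{:?}", commit_identity(&user, &bot, None));
}
```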