Change default of `restrict_user_defined_variables` to `true` (public issue)

Release notes

GitLab believes in secure-by-default practices. To honour this, we are making some changes to support least privilege principles in the way environment variables work. Today, the user permission restriction defaults to false, which means that users with the developer role or higher are able to pass pipeline variables without any verification or opt-in. In 18.0, GitLab is updating the `restrict_user_defined_variables` default to `true`. As a result of this change, your project environment variables will be less permissive by default, and changing which user permissions can pass variables will require a manual update.

To enable a more secure-by-default experience for passing pipeline variables, you can opt in to the setting before 18.0, starting in 17.7. For more information on how to update this setting, see our documentation.

Problem

Today, `restrict_user_defined_variables` is set to `false` by default, meaning that all developers are allowed to pass pipeline variables when creating pipelines. This default setting violates the least privilege principle.

Proposal

Introduce a group-level setting `pipeline_variables_default_role` with default value `:developer` that controls the project-level setting `pipeline_variables_minimum_override_role` when new projects in that group are created. The project-level setting inherits the default value from the group-level `pipeline_variables_default_role`.

  • Before 18.0
    • On Self-Managed and Dedicated: No practical changes. New namespaces get the default `pipeline_variables_default_role: :developer`, which gets applied to new projects. This is to maintain backwards compatibility.
    • On GitLab.com: We will change the default value to `pipeline_variables_default_role: :no_one_allowed` for newly created top-level groups. This means that new projects in those groups will get `pipeline_variables_minimum_override_role: :no_one_allowed` as a secure default. Project owners or group maintainers can opt out.
  • At 18.0
    • All GitLab installations will get the default `pipeline_variables_default_role: :no_one_allowed` on all namespaces, meaning that new projects (anywhere they are created) will get more secure defaults.
Edited by Fabio Pitino
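
The rollout in the proposal above, modelled as an added example that is not part of the original issue or GitLab's own code: it derives the default a new namespace gets, lets a new project inherit it, and audits which projects still let a given role pass pipeline variables. The helper names, the record shapes, the `maintainer` and `owner` values with their ordering, and the sample groups are assumptions made for this sketch.

```python
# Added illustration of the proposal; helper names and record shapes are
# assumptions for this sketch, not GitLab's implementation.
ROLE_RANK = {"developer": 30, "maintainer": 40, "owner": 50}  # assumed role ordering
NO_ONE = "no_one_allowed"


def group_default_role(install, major):
    """pipeline_variables_default_role given to a newly created namespace."""
    if major >= 18:
        return NO_ONE        # at 18.0: all installations
    if install == "gitlab.com":
        return NO_ONE        # before 18.0: new top-level groups on GitLab.com
    return "developer"       # before 18.0: Self-Managed and Dedicated


def new_project(name, group):
    """A new project inherits its minimum override role from its group."""
    return {"name": name,
            "pipeline_variables_minimum_override_role":
                group["pipeline_variables_default_role"]}


def can_pass_variables(user_role, project):
    """True if user_role meets the project's minimum override role."""
    minimum = project.get("pipeline_variables_minimum_override_role")
    if minimum not in ROLE_RANK or user_role not in ROLE_RANK:
        return False         # no_one_allowed, missing or unknown: fail closed
    return ROLE_RANK[user_role] >= ROLE_RANK[minimum]


def audit(projects, role="developer"):
    """Names of projects where `role` can still pass pipeline variables."""
    return [p["name"] for p in projects if can_pass_variables(role, p)]


# Constructed sample: one new namespace per rollout case, one project in each.
GROUPS = [{"name": n, "pipeline_variables_default_role": group_default_role(i, v)}
          for n, i, v in [("sm-17", "self-managed", 17),
                          ("com-17", "gitlab.com", 17),
                          ("sm-18", "self-managed", 18)]]
PROJECTS = [new_project(g["name"] + "/app", g) for g in GROUPS]
# Constructed opt-out: a project owner relaxes the secure default to maintainer.
PROJECTS[1]["pipeline_variables_minimum_override_role"] = "maintainer"

if __name__ == "__main__":
    print("developers can pass variables in:", audit(PROJECTS))
    print("maintainers can pass variables in:", audit(PROJECTS, "maintainer"))
```
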