WIP: Resolve "Allow global read-only user (like admin)"

What does this MR do?

• Enhances the management of Admins to offer a "Read Only" type role that allows a user full read only access to all resources.
• Removes the admin boolean from User.
• Adds a role_type enum on User that accepts Default, Admin, & Auditor
• Adds a filter in the admin interface for filtering users based on Auditor role.
• Policy changes to allow read only access to projects & related resources, and groups.
• Project and Group explore pages are expanded to show Auditors all available projects and groups.

Are there points in the code the reviewer needs to double check?

• Migrations should be double checked.
• Didn't find information about backwards compatibility requirements in the API. API may require review as changes have been made.

Why was this MR needed?

The compliance department of a customer wants to run tests against the entire GitLab base to ensure users are complying with password, credit card, and other sensitive data policies. Without giving them full admin privileges.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

• CHANGELOG entry added
• Documentation created/updated
• API support added
• Tests
  • Added for this feature/bug
  • All builds are passing
• Conform by the merge request performance guides
• Conform by the style guides
• Branch has no merge conflicts with master (if you do - rebase it please)
• Squashed related commits together

What are the relevant issue numbers?

Mentioned in merge request !6262 (closed)

Added 16 commits:

• bb2441cb...08b48b7d - 9 commits from branch gitlab-org:master
• 12b9b0db - Migrate to the role_type column
• 8129e7a0 - Give UI to change a users role_type
• d12852a9 - Update admin usage throughout the app
• 3f9e0543 - Update API for new admin assignment
• f85f5306 - Update Specs to assign admin via role enum
• 1ed1219d - Update rake tasks and seeds to new admin style
• 12ad36f8 - Add policies to allow read-only access

Marked the task CHANGELOG entry added as completed

Marked the task CHANGELOG entry added as incomplete

Marked the task Added for this feature/bug as completed

Marked the task Conform by the style guides as completed

Marked the task Branch has no merge conflicts with master (if you do - rebase it please) as completed

Marked the task API support added as completed

Marked the task Squashed related commits together as completed

Added 5 commits:

• 0eb27eb9 - Update API for new admin assignment
• c7b92e10 - Update Specs to assign admin via role enum
• 0c65529d - Update rake tasks and seeds to new admin style
• 9c16c6b3 - Add policies to allow read-only access
• 23f79265 - Increase discoverability for auditors

Marked the task Conform by the merge request performance guides as completed

Marked the task CHANGELOG entry added as completed

Added 1 commit:

• cf99f19a - Update CHANGELOG and Docs for feature

Marked the task Documentation created/updated as completed

Added 53 commits:

• cf99f19a...1038ef54 - 44 commits from branch gitlab-org:master
• f8428418 - Migrate to the role_type column
• d187f1d3 - Give UI to change a users role_type
• 43ad50e6 - Update admin usage throughout the app
• 01c25145 - Update API for new admin assignment
• 5e63c3ec - Update Specs to assign admin via role enum
• ef618286 - Update rake tasks and seeds to new admin style
• ccc4683a - Add policies to allow read-only access
• 2aaafedc - Increase discoverability for auditors
• c8bed464 - Update CHANGELOG and Docs for feature

Unmarked this merge request as a Work In Progress

Added 77 commits:

• c8bed464...b1436ccc - 68 commits from branch gitlab-org:master
• 154ff909 - Migrate to the role_type column
• 49683627 - Give UI to change a users role_type
• 8726c102 - Update admin usage throughout the app
• e82c17bd - Update API for new admin assignment
• 6bedf70f - Update Specs to assign admin via role enum
• 1507048e - Update rake tasks and seeds to new admin style
• fc957a03 - Add policies to allow read-only access
• 360724ab - Increase discoverability for auditors
• 618a3ed4 - Update CHANGELOG and Docs for feature

Could we reduce that duplication somehow?

So I thought about this a lot when I created the duplication, and more since your question.

Yes, we could reduce the duplication.

But every form I've thought to do it in I didn't consider better than having the duplication. What we gain in the extraction of commonalities, we lose in simplicity of having a single place to find what the permissions are for read_only. The way anonymous_rules works isn't quite the same as any other rule set in the policy due to it's un-natural return in the first line. It's not something that we can tier in the same way as the team rules get applied, in it's current form at least. We could tier it, but it would require additional refactoring in the way anonymous_rules are applied at the caller in BasePolicy#anonymous_abilities, which is outside the scope of this issue.

Did you have something in mind that would reduce the duplication and keep it simple?

@brianp The main thing I want to prevent is someone adding an ability to anonymous_rules, and forgetting to add it to read_only_access!, or the other way around.

What do you think about having anonymous_rules call out to read_only_access!?

I see your concern about adding some new rules in one and forgetting it in the other, I think it's completely valid. I considered that as well. But your idea still won't work. There are already differences between read_only_access and anonymous_rules which would give anonmous users access they should not have. I was also concerned about when that would happen. They would diverge it was only a matter of time, and it happened already.

It really should be tiered, anonymous_rules being brought in to read_only_access, but like I mentioned, would require additional refactoring.

     # Abilities anonymous_rules lack
     can! :read_environment
     can! :read_deployment