Remove privileged feature flag and permission

now that we have user-namespaced workspaces the privileged flag
has become even more of a nuisance and technical debt.

Fixes #3058

Author: Christian Weichel

components/gitpod-db/src/typeorm/entity/db-user.ts

@@ -60,11 +60,6 @@ export class DBUser implements User {
     })
     blocked?: boolean;
 
-    @Column({
-        default: false
-    })
-    privileged?: boolean;
-
     @Column({
         type: 'simple-json',
         nullable: true

components/gitpod-protocol/go/gitpod-config-types.go

@@ -40,9 +40,6 @@ export namespace Permission {
     /** The permission for actions like block user, stop workspace, etc. */
     export const ENFORCEMENT: PermissionName = "enforcement";
 
-    /** The permission to start privileged workspaces */
-    export const PRIVILEGED_WORKSPACE: PermissionName = "privileged-ws";
-
     /** The permission for registry access (start workspaces referencing gitpod-internal Docker images) */
     export const REGISTRY_ACCESS: PermissionName = "registry-access";
 
@@ -77,7 +74,6 @@ export namespace Role {
         permissions: [
             Permission.MONITOR,
             Permission.ENFORCEMENT,
-            Permission.PRIVILEGED_WORKSPACE,
             Permission.REGISTRY_ACCESS,
             Permission.IDE_SETTINGS
         ]
@@ -89,7 +85,6 @@ export namespace Role {
         permissions: [
             Permission.MONITOR,
             Permission.REGISTRY_ACCESS,
-            Permission.PRIVILEGED_WORKSPACE,
         ]
     };
 

components/gitpod-protocol/src/permission.ts

@@ -35,11 +35,6 @@ export interface User {
      */
     blocked?: boolean;
 
-    /**
-     * whether this user can run workspaces in privileged mode
-     */
-    privileged?: boolean;
-
     /** A map of random settings that alter the behaviour of Gitpod on a per-user basis */
     featureFlags?: UserFeatureSettings;
 
@@ -151,7 +146,7 @@ export interface UserFeatureSettings {
  * The values of this type MUST MATCH enum values in WorkspaceFeatureFlag from ws-manager/client/core_pb.d.ts
  * If they don't we'll break things during workspace startup.
  */
-export const WorkspaceFeatureFlags = { "privileged": undefined, "registry_facade": undefined, "full_workspace_backup": undefined, "fixed_resources": undefined, "user_namespace": undefined };
+export const WorkspaceFeatureFlags = { "registry_facade": undefined, "full_workspace_backup": undefined, "fixed_resources": undefined, "user_namespace": undefined };
 export type NamedWorkspaceFeatureFlag = keyof (typeof WorkspaceFeatureFlags);
 
 export interface UserEnvVarValue {

components/gitpod-protocol/src/protocol.ts

@@ -23,7 +23,6 @@ export class PermissionSpec {
 
         expect(cut.hasPermission(userViewer, Permission.MONITOR)).to.be.true;
         expect(cut.hasPermission(userViewer, Permission.REGISTRY_ACCESS)).to.be.true;
-        expect(cut.hasPermission(userViewer, Permission.PRIVILEGED_WORKSPACE)).to.be.true;
         expect(cut.hasPermission(userViewer, Permission.ENFORCEMENT)).to.be.false;
     }
 
@@ -36,7 +35,6 @@ export class PermissionSpec {
 
         expect(cut.hasPermission(userDev, Permission.MONITOR)).to.be.true;
         expect(cut.hasPermission(userDev, Permission.REGISTRY_ACCESS)).to.be.true;
-        expect(cut.hasPermission(userDev, Permission.PRIVILEGED_WORKSPACE)).to.be.true;
         expect(cut.hasPermission(userDev, Permission.ENFORCEMENT)).to.be.true;
     }
 }

components/server/src/user/authorization-service.spec.ts

@@ -15,7 +15,7 @@ import { ErrorCodes as RPCErrorCodes, MessageConnection, ResponseError } from "v
 import { AllAccessFunctionGuard, FunctionAccessGuard, WithFunctionAccessGuard } from "./auth/function-access";
 import { RateLimiter, UserRateLimiter } from "./auth/rate-limiter";
 import { CompositeResourceAccessGuard, OwnerResourceGuard, ResourceAccessGuard, SharedWorkspaceAccessGuard, WithResourceAccessGuard } from "./auth/resource-access";
-import { increaseApiCallCounter, increaseApiConnectionClosedCounter, increaseApiConnectionCounter, increaseApiCallUserCounter } from "./prometheusMetrics";
+import { increaseApiCallCounter, increaseApiConnectionClosedCounter, increaseApiConnectionCounter, increaseApiCallUserCounter } from "./prometheus-metrics";
 import { GitpodServerImpl } from "./workspace/gitpod-server-impl";
 
 export type GitpodServiceFactory<C extends GitpodClient, S extends GitpodServer> = () => GitpodServerImpl<C, S>;

components/server/src/websocket-connection-manager.ts

@@ -246,11 +246,7 @@ export class WorkspaceStarter {
         if (user.featureFlags && user.featureFlags.permanentWSFeatureFlags) {
             featureFlags = featureFlags.concat(featureFlags, user.featureFlags.permanentWSFeatureFlags);
         }
-        // privileged are special cases which require the privileged-ws permission
-        if (!this.authService.hasPermission(user, "privileged-ws")) {
-            featureFlags = featureFlags.filter(f => f != "privileged");
-        }
-
+        
         // if the user has feature preview enabled, we need to add the respective feature flags.
         // Beware: all feature flags we add here are not workspace-persistent feature flags, e.g. no full-workspace backup.
         if (!!user.additionalData?.featurePreview) {

components/server/src/workspace/workspace-starter.ts

@@ -421,8 +421,9 @@ enum WorkspaceFeatureFlag {
     // NOOP feature flag is just here because I don't want privileged to be 0
     NOOP = 0;
 
-    // Privileged workspaces allow users to become root
-    PRIVILEGED = 1;
+    // Privileged workspaces allowed users to become root by making them root on the machine.
+    // They've been the precursor to user-namespaced workspaces.
+    reserved 1;
 
     // Was used for appplitools-specific workspace config (e.g., proxy + network restriction)
     // APPLITOOLS = 2;