Respect partition prefix for runner tokens
Status as of 2025-03-04
This is solved by gitlab-org/cells/http-router!542 (merged)
We're still discussing about the future plans though: #258 (comment 2376444164)
Problem
We don't recognize the latest runner token in config/ruleset/session_token.json
Why
We expected the runner token is prefixed with glrt-: #70 (closed)
However it's also prefixed with the "partition prefix" t{1,2,3}_: gitlab-org/gitlab!168017 (merged)
We can see that when we try to update runner token to be routable: gitlab-org/gitlab!170634 (merged)
What kinds of runner tokens are there?
It seems that there are a few different types of runner tokens:
- (deprecated) Runner registration token (looks like
GRXX_XX)- This token is not routable, which can only work in legacy cell
- This token is used to register a new runner
- (deprecated) Runner token from a runner registered via a registration token
- This token doesn't have
glrt-prefix. - It can have a partition prefix
t{1,2,3}_if it's generated after gitlab-org/gitlab!168017 (merged) (it looks liket3_XXXorXXX)- This token is not routable either way because we haven't made runner tokens routable at this point yet
- After we enable feature flag
routable_runner_tokento generate routable runner token, it must be after the partition prefix, so it will have partition prefixt{1,2,3}_(it looks liket3_XXXX.XX)- This token is routable, but given the current rules, it'll be treated like a personal access token! Because it's interpreted that
t3_is the personal access token prefix.
- This token is routable, but given the current rules, it'll be treated like a personal access token! Because it's interpreted that
- This token doesn't have
- Standard runner token (looks like
glrt-t3_XXXwhen not routable andglrt-t3_XXXX.XXwhen routable)- This token has 2 prefixes:
glrt-andt{1,2,3}_ - This token can be routable if we enable feature flag
routable_runner_token
- This token has 2 prefixes:
A short breakdown:
- (not routable) Registration token
GRXX_XX - (not routable) Older runner token
XXX - (not routable) Old runner token
t3_XXX - (not routable) Standard runner token
glrt-t3_XXX - (routable) Old runner token
t3_XXXX.XX - (routable) Standard runner token
glrt-t3_XXXX.XX
This means we have to take into account that:
-
glrt-might not be always there - It must have
t{1,2,3}_prefix!
Proposed change
diff --git a/config/ruleset/session_token.json b/config/ruleset/session_token.json
index 8dd612c..0fa5a70 100644
--- a/config/ruleset/session_token.json
+++ b/config/ruleset/session_token.json
@@ -63,7 +63,7 @@
"match": {
"type": "header",
"name": "private-token",
- "regex_value": "^glrt-(?<payload>[0-9A-Za-z_-]{27,300})\\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$"
+ "regex_value": "^(glrt-)?t\\d+_(?<payload>[0-9A-Za-z_-]{27,300})\\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$"
},
"transform": {
"type": "routable-token-payload",References
- This was discovered when we're trying to record a demo for running CI jobs in another cell: gitlab-org&15281 (comment 2367766834)
Edited by Lin Jen-Shin