Add authentication support for dependency proxy for containers
Problem to solve
We introduced the dependency proxy for containers with #7934 (closed). The MVC feature is only enabled for public projects because the caching proxy does not yet support authentication. To make it available to all projects we need to add authentication; otherwise the proxy for a private group would accept unauthenticated requests and could be abused for a denial of service by anyone able to reach it.
Add authentication for private projects, based on appropriate credentials for that project.
- When the user executes a `docker pull` command, the client makes a request to the GitLab Dependency Proxy URL.
- When the request hits `DependencyProxyForContainersController` for a private group, we return 401 with a `WWW-Authenticate` header whose realm points toward the auth route.
- This makes the docker client send a request to the provided auth route with username and password (or PAT).
- We check the user/password combination and return an OAuth2 token if it is OK.
- This makes the docker client repeat the request to `DependencyProxyForContainersController`, now with the OAuth2 token added to the request header. We use the OAuth2 token to set the `current_user` variable and check access to the private group, then proceed with the request as we do for a public group.
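The exchange above, simulated end to end as an added example (this is illustration code, not GitLab's controller or its data model): a proxy handler that challenges private groups with `WWW-Authenticate`, a token endpoint that checks Basic credentials and issues an HMAC-signed bearer token, and a driver that behaves like the docker client. The user/group fixtures, the realm URL, the token format and all function names are assumptions; real deployments would use GitLab's JWT auth and membership checks instead.

```ruby
# Added example: simulates docker pull -> 401 challenge -> token request -> retry
# against a group-level dependency proxy. Not GitLab code; fixtures, names and the
# token format are assumptions for illustration only.
require 'base64'
require 'json'
require 'openssl'
require 'securerandom'

# Constructed fixtures (assumptions): user => PAT, group => visibility and members.
USERS  = { 'alice' => 'pat-alice-secret', 'bob' => 'pat-bob-secret' }.freeze
GROUPS = {
  'public-group'  => { visibility: :public,  members: [] },
  'private-group' => { visibility: :private, members: ['alice'] },
}.freeze
TOKEN_SECRET = SecureRandom.bytes(32)            # per-process signing key (assumption)
AUTH_REALM   = 'https://gitlab.example/jwt/auth' # hypothetical token endpoint
SERVICE      = 'dependency_proxy'

# Byte-wise comparison that does not short-circuit on the first mismatch
# (the length check leaks length only, acceptable for secrets and signatures here).
def constant_time_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "Basic base64(user:password)" -> [user, password], or nil if malformed.
def parse_basic(header)
  return nil unless header&.start_with?('Basic ')
  user, pass = Base64.strict_decode64(header[6..-1]).split(':', 2)
  pass.nil? ? nil : [user, pass]
rescue ArgumentError
  nil
end

# Minimal signed bearer token: base64url(JSON claims) . hex(HMAC-SHA256 over that).
def issue_token(user, scope, ttl: 300)
  claims  = { sub: user, scope: scope, exp: Time.now.to_i + ttl }
  payload = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', TOKEN_SECRET, payload)}"
end

# Returns the claims hash for a correctly signed, unexpired token, otherwise nil.
def verify_token(token)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless constant_time_equal(OpenSSL::HMAC.hexdigest('SHA256', TOKEN_SECRET, payload), sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  claims['exp'].is_a?(Integer) && claims['exp'] > Time.now.to_i ? claims : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Auth route: Basic username:password (or PAT) in, bearer token out. Returns [status, headers, body].
def token_endpoint(authorization, scope)
  user, pass = parse_basic(authorization)
  expected = user && USERS[user]
  return [401, {}, { 'errors' => [{ 'code' => 'UNAUTHORIZED' }] }] unless expected && constant_time_equal(expected, pass)
  [200, { 'Content-Type' => 'application/json' }, { 'token' => issue_token(user, scope) }]
end

# Proxy controller: public groups are served as before; private groups require a
# valid bearer token whose subject (current_user) is a member of the group.
def dependency_proxy(group_name, image, headers)
  group = GROUPS.fetch(group_name)
  scope = "repository:#{group_name}/#{image}:pull"
  challenge = { 'WWW-Authenticate' => %(Bearer realm="#{AUTH_REALM}",service="#{SERVICE}",scope="#{scope}") }
  return [200, {}, "proxied #{image}"] if group[:visibility] == :public

  auth   = headers['Authorization'].to_s
  claims = auth.start_with?('Bearer ') ? verify_token(auth[7..-1]) : nil
  return [401, challenge, nil] unless claims                # missing, tampered or expired token
  current_user = claims['sub']
  return [403, {}, nil] unless group[:members].include?(current_user)
  [200, {}, "proxied #{image}"]
end

# Drives the exchange the way the docker client does. `credentials` is
# [user, password_or_pat] or nil for an anonymous pull. Returns the final status.
def docker_pull(group_name, image, credentials)
  status, headers, _body = dependency_proxy(group_name, image, {})
  return status unless status == 401 && credentials
  params = headers['WWW-Authenticate'].to_s.scan(/(\w+)="([^"]*)"/).to_h
  basic  = 'Basic ' + Base64.strict_encode64(credentials.join(':'))
  tstatus, _hdrs, body = token_endpoint(basic, params['scope'])   # client would POST to params['realm']
  return tstatus unless tstatus == 200
  status, _hdrs, _body = dependency_proxy(group_name, image, { 'Authorization' => "Bearer #{body['token']}" })
  status
end

if __FILE__ == $PROGRAM_NAME
  puts docker_pull('private-group', 'alpine', nil)                        # 401: unauthenticated
  puts docker_pull('private-group', 'alpine', %w[alice pat-alice-secret]) # 200: group member
  puts docker_pull('private-group', 'alpine', %w[bob pat-bob-secret])     # 403: valid user, not a member
end
```

The interesting branches are the ones the test plan below calls for: an anonymous pull of a private group never reaches the upstream registry (401 with a challenge), a valid login for a user outside the group is distinguished from a bad login (403 vs 401), and a tampered or expired token is treated exactly like no token.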
Permissions and Security
- The proxy will require authentication to avoid utilization of bandwidth or storage resources by an unauthorized user in a denial-of-service scenario, in particular for gitlab.com where everything is publicly routable. This could be achieved through asking the proxy to fetch remote resources until the storage is full.
- The feature belongs at the group level, but complicates authentication because a group can contain a mix of public and private projects, with different permissions. One straightforward option here is to allow usage of a project token from any project that is a member of the group to authenticate.
We will update the Dependency Proxy Documentation to include details about authentication.
- Test authentication for private projects, groups and sub-groups
- Test that requests for private projects that have not authenticated are rejected with 401 and never reach the upstream registry
What does success look like, and how can we measure that?
Success looks like we have made the dependency proxy available for private and public projects.
We do not currently have the ability to track this data, however gitlab-ce#61583 will help us to start tracking and measuring this data so we can make better predictions about usage and adoption.
What is the type of buyer?
For now, the dependency proxy is focused on premium and ultimate customers.
In order to expand to additional buyer types we need to improve performance and support Unicorn. This issue details those efforts: #11548