MR approval option "Require user password to approve" should ask for MFA
Summary
It is possible to configure authentication to GitLab so that users don't have a password, yet are required to enter a value in order to authenticate, i.e. use Kerberos authentication + multi-factor authentication.
I have a GitLab (Premium, if it matters) instance configured this way, and attempted to set up merge request approval rules with the "Require user password to approve" checkbox ticked. With that in place, users are prompted to enter a password that they don't have, and thus can't approve MRs. Though the option literally says "user password", I had assumed that was merely poor wording, and that what it actually required would be for the user to re-authenticate. I'm hoping this is a simple bug fix, but it may be a missing feature instead.
Steps to reproduce
- Configure a GitLab instance with Kerberos authentication and multi-factor authentication
- Create a repository, then under Settings->General->Merge request approvals, tick the "Require user password to approve" checkbox.
- Create a merge request within that repository
- Attempt to approve the merge request
Example Project
I don't have a plan on GitLab.com that allows me to configure this.
What is the current bug behavior?
User is prompted for a password
What is the expected correct behavior?
User is prompted to re-authenticate, in whichever way is appropriate for that user and the authentication methods configured in that GitLab instance. In my case, I expected to be prompted for an MFA code (the Kerberos authentication happens automatically through the "Authorization: Negotiate" headers the browser sends).
Relevant logs and/or screenshots
none
Output of checks
?
Results of GitLab environment info
I don't have admin access to the GitLab environment, so I can't run the sudo... commands, but the help page says:
GitLab Enterprise Edition 12.10.7-ee