CI Pipelines fail for API commits using Project Access Token
Summary
A commit via API using an Project Access Token will lead to total failure of the CI pipeline.
The pipeline will work for the same API call using Personal Access Token
Steps to reproduce
- Have a repository with a simple pipeline
- Create an API call committing a change to that repository using a Project Access Token
Example script: https://gitlab.com/eblom/testapibug/-/blob/master/gitlab_api_commit_test.py This expects one parameter, the TOKEN.
If this TOKEN is a Project Access Token the script works, but the pipeline triggered by the commit fails.
If the TOKEN is a Personal Access Token also the pipeline works
Example Project
A minimal working example can be found here: https://gitlab.com/eblom/testapibug/
But since I don't have access to Project Access Tokens I can only demonstrate the working version by using a personal access token ( https://gitlab.com/eblom/testapibug/-/pipelines/187263986 )
What is the current bug behavior?
Commits created by API call using a Project Access Token lead to "HTTP Basic: Access denied" issues in the CI pipeline for every job of the pipeline
What is the expected correct behavior?
A Project Access Token should allow the same behavior as a Personal Access Token?
Relevant logs
This is a copy of a internal log (with some redactions).
Running with gitlab-runner 13.2.2 (a998cacd)
on Docker runner for GROUP XraKdDsD
Preparing the "docker" executor
Using Docker executor with image python:latest ...
Pulling docker image python:latest ...
Using docker image sha256:a7cda474cef4f5cbc00c8f72b1a1eda717c425fa3994fb90997b0216fc21598c for python:latest ...
Preparing environment
Running on runner-xrakddsd-project-586-concurrent-0 via 61d6efd6d430...
Getting source from Git repository
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/GROUP/PROJECT/.git/
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://SERVER/GROUP/PROJECT.git/'
ERROR: Job failed: exit code 1Results of GitLab environment info
Gitlab CE 13.3.5 gitlab-runner 13.2.2 using Docker Runner
Workaround
A possible workaround for us is using a private access token stored in the variable
Designs
Relates to
- #259663Next 1-3 releases
Activity
mentioned in issue gitlab-org/quality/triage-reports#377 (closed)
mentioned in issue gitlab-org/quality/triage-reports#378 (closed)
mentioned in issue gitlab-org/quality/triage-reports#379 (closed)
added sectiondev label
mentioned in issue #249039 (closed)
mentioned in issue #254141 (closed)
We face a similar issue. We're using dependabot to create merge requests. The pipelines of those merge requests fail:
Running with gitlab-runner 13.3.1 (738bbe5a) on asdf on gce runner Yo_asV9p Preparing the "shell" executor Using Shell executor... Preparing environment Running on ufg-gitlab-runner-asdf-20200921a... Getting source from Git repository Fetching changes... Reinitialized existing Git repository in /mnt/disks/local/builds/Yo_asV9p/0/sbg/sbg-fe/.git/ remote: HTTP Basic: Access denied fatal: Authentication failed for 'https://gitlab-ci-token:[MASKED]@gitlab.ufirstgroup.com/sbg/sbg-fe.git/'mentioned in issue #257766 (closed)
please have a look at #219551 (closed). I experienced the same problem with 13.3.x but after upgrading to 13.4.x, the pulling of the code in the job was successful. However, I discovered two further problems that may or may not affect you:
- #259663 (closed) It seems that build jobs are still failing when your build job is based on Docker images from Gitlab's container registry. If you are using images from hub.docker.com, you should be fine.
- #259665 (closed) If your build job is assigned to a runner / executor, where a previous build job has already fetched an older version of the repository, then the fetching of updates for that repository fails. However, if your job is doing a completely fresh fetch / clone, you should again be fine.
@mruoss I'm working on exactly the same scenario, of using project access tokens together with Dependabot.
Hi @klaasdellschaft,
we haven't updated to 13.4 as of yet, but reading your description we would immediately encounter #259663 (closed), since most of our jobs are based on docker images hosted in our own container registry. So we will probably continue avoiding using project access token in favour of a personal access token stored in a group variable for now
mentioned in issue #261974 (closed)
marked #259663 (closed) as a duplicate of this issue
marked this issue as related to #259663 (closed)
mentioned in issue #259663 (closed)
mentioned in issue gitlab-org/quality/triage-reports#468 (closed)
I've made a simple patch to resolve our simple use case.
How simple is our case ?
It's a single project and single job in a single pipeline, the job invokes a simple bash to deploy the code.
No container registry thing , no packages registry thing.
Show me your patch.
the patch is against version 13.4.3-ee (fd96f779), the original file can be found online here, and at
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth.rbon your local disk.--- auth-original.rb 2020-10-14 06:00:00.000000000 +0000 +++ auth-patched.rb 2020-10-14 06:00:00.000000000 +0000 @@ -47,7 +47,7 @@ # is enabled. result = service_request_check(login, password, project) || - build_access_token_check(login, password) || + build_access_token_check(login, password, project) || lfs_token_check(login, password, project) || oauth_access_token_check(login, password) || personal_access_token_check(password, project) || @@ -276,16 +276,17 @@ end end - def build_access_token_check(login, password) + def build_access_token_check(login, password, project) return unless login == CI_JOB_USER return unless password build = find_build_by_token(password) return unless build return unless build.project.builds_enabled? + return if project && build.user.project_bot? && !project.bots.include?(build.user) if build.user - return unless build.user.can?(:log_in) + return unless build.user.project_bot? || build.user.can?(:log_in) # If user is assigned to build, use restricted credentials of user Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)Why you SHOULD NOT use it (aka. KNOWN ISSUES).
In my opinion, this is a super super complex issue.
As far as I know, according to some of the documentation(I didn't read all the docs):
- in pipelines, the
git submodulemay use the access token to update - multi-project pipelines may use the access token to
triggerpipelines in another project
But, the
project access tokenis bind to a
And the patch above, surely doesn't have the ability to resolve those issues.
Plus, I've never wrote any Ruby code before, I'm not confident about it. But it indeed resolved the problem we were facing.
How does the patch work ?
The original problem is caused by
return unless build.user.can?(:log_in).
Since the bot user can not login, so the API always returns 401.In the patch, I'm checking the given token is bind to a bot user, and the bot is bind to the corresponding project which is running this particular job.
If all those conditions are true, then no more 401 will be responded.Edited by Axe Bennet- in pipelines, the
mentioned in issue gitlab-org/quality/triage-reports#526 (closed)
mentioned in issue gitlab-org/quality/triage-reports#604 (closed)
mentioned in issue gitlab-org/quality/triage-reports#662 (closed)
mentioned in issue gitlab-org/quality/triage-reports#670 (closed)
mentioned in issue gitlab-org/quality/triage-reports#703 (closed)
Yeah agreed! Assuming this was going to be possible (per descriptions on different tickets), we spent a lot of time building stuff using personal access tokens. Now that project access token is released we wanted to use it, but can't. Now we are stuck with either using my personal token, or waiting (what seems like forever) to see some progress on this ticket and #259663 (closed), but this issue is not even on backlog; so I guess we'll just wait.
@mushakov Dirk is facing HTTP basic :Access denied error while using project access token for gitlab-runner.He is a Gitlab EE ultimate customer & here's the internal link for the ticket(https://gitlab.zendesk.com/agent/tickets/179015). Any workaround or fix updates on the issue will be helpful.
added customer label
mentioned in issue gitlab-org/quality/triage-reports#791 (closed)
mentioned in issue gitlab-org/quality/triage-reports#875 (closed)
mentioned in issue gitlab-org/quality/triage-reports#974 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1051 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1105 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1198 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1273 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1369 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1436 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1527 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1600 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1689 (closed)
@serenafang Can you take a look at this issue and let me know if it has been addressed by one of your other fixes?
@mushakov The patch above looks pretty identical to my backported fix: !50800 (merged), so I think it's been addressed by !50800 (merged).
-
Thanks for confirming @serenafang
-
This issue was addressed by !50800 (merged). Please re-open the issue or leave a comment if you are still facing problems!
mentioned in issue gitlab-runner#2300
