Client authentication and authorization
Proposal
Authentication and authorization are currently mostly based on static shared secrets which are passed around. These tokens are configured by the administrator in the respective configuration files, and each node needs to know the tokens of every peer it intends to reach out to.
In some cases, we have reached the limit of what we can achieve with this simple authentication scheme. I'm thus proposing an alternative authentication scheme based on identities and certificates instead of on tokens to solve these limitations.
Instead of only having server-side certificates, we'd expand the scope to also make use of client-side certificates and have servers verify their peers based on these. In order to be able to discern different kinds of peers, the client certificates would need to encode additional metadata to identify their respective role, e.g. by adding an additional DN or OU field which carries e.g. "gitaly", "praefect" or some such role. The server may then establish authentication via the peer's certificate and authorize calls based on that role.
I've initially created the proposal as an RFC in the Gitaly project, but by request I'm broadening the scope to all of GitLab in the hope of finding a common solution for all components. Please read the linked RFC for further details on the scope, current limitations and proposal.