Pulling gitlab registry docker image from ci pipeline only works for one user
Summary
I have a project with a CI pipeline that uses a Docker image in a registry from a GitLab repo in a different group and project. I have two users. User one is owner of both the pipeline repo and the Docker image repo. User two is owner maintainer of both repos. However, only user one can run the CI pipeline that uses the Docker image.
We are running GitLab Enterprise Edition 14.0.0-pre b0610d12.
Steps to reproduce
- Log in as yourself, user A
- Create a repository A in groups Z/X
- Repository A has a Dockerfile
- In CI push the Dockerfile to repo registry with Kaniko only on default branch
- Have the pipeline run
- Create a repository B in groups Z/Y
- In CI have a job that uses the image from repo A
- Run the pipel
- Create a user B
- Give user B Maintainer access to both repo A and B
- As user B try to rerun the same job that user B just ran
What is the current bug behavior?
Using Docker executor with image registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform:0.0.2-vault1.7.1-terraform0.5.15 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform:0.0.2-vault1.7.1-terraform0.5.15 ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (docker.go:147:1s)
What is the expected correct behavior?
Preparing the "docker" executor
Using Docker executor with image registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform:0.0.2-vault1.7.1-terraform0.5.15 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform:0.0.2-vault1.7.1-terraform0.5.15 ...
Using docker image sha256:c0c55a141a157ec30a6e3f78480b594c2615f39263e48a42e04193f6e895d207 for registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform:0.0.2-vault1.7.1-terraform0.5.15 with digest registry.gitlab.com/halodi/tooling/gitlab-ci-cd/dockers/vault-and-terraform@sha256:62ddd6a45f9d17b668bce9816ae8cb2b39ed8b34aa4b730eea7e5f0a5aa6d5ba ...
Preparing environment
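The two pipelines described in the steps to reproduce, sketched as an added example that is not the reporter's own configuration. The lowercase project path `z/x/repository-a`, the job names and the `0.0.1` tag are constructed placeholders. The Kaniko job follows the pattern in GitLab's documentation, and the second job prints the triggering user so the passing and failing runs can be compared.

```yaml
# --- Repository A (groups Z/X): .gitlab-ci.yml ---
# Builds the Dockerfile with Kaniko and pushes it to this project's
# container registry, only on the default branch.
build-image:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    # Registry credentials come from the predefined CI variables of the job.
    - >-
      echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}"
      > /kaniko/.docker/config.json
    - >-
      /kaniko/executor
      --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --destination "$CI_REGISTRY_IMAGE:0.0.1"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

---
# --- Repository B (groups Z/Y): .gitlab-ci.yml ---
# Uses the image pushed by repository A as the job image. The runner pulls it
# with the credentials from the job payload, as the log line
# "Authenticating with credentials from job payload (GitLab Registry)" shows.
use-image:
  stage: test
  # Placeholder path: replace with the real group/project path of repository A.
  image: $CI_REGISTRY/z/x/repository-a:0.0.1
  script:
    # Record who triggered the job, to compare the run by user A with the
    # run by user B.
    - echo "Triggered by $GITLAB_USER_LOGIN (id $GITLAB_USER_ID)"
    - echo "Job image is $CI_JOB_IMAGE"
```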