Log message when requested/granted permissions don't match on container registry auth tokens
Context
To authenticate against the GitLab Container Registry, a client must first obtain a JWT from GitLab Rails. The request sent to Rails names the target repository and the requested permissions (push, pull or delete). Once obtained, the client embeds the token in every request it sends to the Container Registry.
In turn, the registry validates the token embedded in each request and checks that the permissions required for that operation (determined by the target repository and the HTTP method) are present in the token's access claims.
For more details see https://docs.docker.com/registry/spec/auth/token/. GitLab follows the same scheme, with GitLab Rails acting as the auth realm (token server).
Problem
- If a user requests `pull` and `push` permissions on a given repository in project A, but only has read permissions on project A, Rails will issue a token with only `pull` permissions. Subsequent `POST`/`PUT`/`PATCH`/`DELETE` requests against the registry are therefore expected to fail;
- If the registry determines that a given token does not carry the required permission scope (e.g. the request is a `PUT` but the token only has `pull` permissions), an `error authorizing context: insufficient scope` log entry is emitted. However, this log entry does not identify the mismatch between the granted and the required permissions.
Solution
To facilitate the debugging of auth related issues like #23644 (closed), we should:
- Rails: Log a warn-level message in the auth service every time an issued registry JWT does not include all the permission scopes requested by the client. This message should include key/value pairs for the requested vs. granted scopes;
- Registry: Include key/value pairs for the granted vs. required permission scopes in the `error authorizing context: insufficient scope` log entry.
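The following is an added illustration of both halves of this proposal (the auth-realm side described under Context and the two log changes under Solution), written for this issue; it is not code from GitLab Rails or from the container registry. The permission model (`ReadAccess`/`WriteAccess` per project), the function names and the log formats are assumptions chosen for the example. `IssueToken` intersects the requested actions with what the user's project level allows and returns a `ScopeMismatch` carrying requested vs. granted; `Authorize` derives the action required by the HTTP method and, on failure, builds the `insufficient scope` error with granted vs. required included.

```go
package main

import (
	"fmt"
	"strings"
)

// Access mirrors one entry of the "access" claim in a registry JWT
// (see docs.docker.com/registry/spec/auth/token/): resource type, name, actions.
type Access struct {
	Type    string
	Name    string
	Actions []string
}

// ScopeMismatch records what was needed and what the token actually carries,
// so that either side can log both values as key/value pairs.
type ScopeMismatch struct {
	Repository string
	Needed     []string
	Granted    []string
	NeededKey  string // "requested" on the auth side, "required" on the registry side
}

func join(s []string) string { return strings.Join(s, ",") }

func (m ScopeMismatch) String() string {
	return fmt.Sprintf("repository=%s %s=%s granted=%s",
		m.Repository, m.NeededKey, join(m.Needed), join(m.Granted))
}

// ProjectLevel is a deliberately simplified (assumed) permission model for the
// auth-realm side; it stands in for GitLab's project membership levels.
type ProjectLevel int

const (
	NoAccess ProjectLevel = iota
	ReadAccess
	WriteAccess
)

// IssueToken plays the auth realm (Rails). It grants only the requested actions
// the user's level allows; when that is a strict subset, the returned mismatch
// is what the proposed warn-level log message should carry.
func IssueToken(repo string, requested []string, level ProjectLevel) (Access, *ScopeMismatch) {
	allowed := map[string]bool{}
	switch level {
	case WriteAccess:
		allowed["push"], allowed["delete"] = true, true
		fallthrough
	case ReadAccess:
		allowed["pull"] = true
	}
	var granted []string
	for _, a := range requested {
		if allowed[a] {
			granted = append(granted, a)
		}
	}
	tok := Access{Type: "repository", Name: repo, Actions: granted}
	if len(granted) != len(requested) {
		return tok, &ScopeMismatch{Repository: repo, Needed: requested, Granted: granted, NeededKey: "requested"}
	}
	return tok, nil
}

// requiredAction maps the HTTP method of a registry request to the action the
// token must carry: GET/HEAD read, POST/PUT/PATCH write, DELETE delete.
func requiredAction(method string) string {
	switch method {
	case "GET", "HEAD":
		return "pull"
	case "POST", "PUT", "PATCH":
		return "push"
	case "DELETE":
		return "delete"
	}
	return ""
}

// Authorize plays the registry side. On failure the error message carries
// required vs. granted, which is the information the current log entry lacks.
func Authorize(tok Access, method, repo string) error {
	required := requiredAction(method)
	if required == "" {
		return fmt.Errorf("error authorizing context: unsupported method %s", method)
	}
	var granted []string
	if tok.Type == "repository" && tok.Name == repo {
		granted = tok.Actions // a token for another repository grants nothing here
	}
	for _, a := range granted {
		if a == required {
			return nil
		}
	}
	m := ScopeMismatch{Repository: repo, Needed: []string{required}, Granted: granted, NeededKey: "required"}
	return fmt.Errorf("error authorizing context: insufficient scope: %s", m)
}

func main() {
	// Constructed scenario from the issue: read-only user asks for pull+push on project A.
	tok, mismatch := IssueToken("projectA/app", []string{"pull", "push"}, ReadAccess)
	if mismatch != nil {
		fmt.Println("WARN registry token scope mismatch:", mismatch) // auth-side log line
	}
	fmt.Println(Authorize(tok, "GET", "projectA/app")) // <nil>
	fmt.Println(Authorize(tok, "PUT", "projectA/app")) // insufficient scope, required=push granted=pull
}
```

Run with `go run .`; the second `Authorize` call prints the enriched registry-side message, and the `WARN` line shows the auth-side pair.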