Container registry access for external guest
Summary
Allowing external guest account to pull docker images from the registry does not work.
Usecase: 3:rd party is hosting the applications in their own cloud. The application source code is not accessible but the 3:rd party need to download docker images from the registry with an authenticated account.
Steps to reproduce
- Use a project with registry enabled
- Have at least one container avalible in the registry for the project
- Set project visibility to "Internal"
- Set registry visibility to "Everyone with access"
- Add an account with account type "external"
- Add the account to the project as guest
- Log in with guest account and try to access registry
- No acces
What is the current bug behavior?
Unable to access the repositories container registry with an external Guest account when project is set to internal and visibility "Everyone with Access".
What is the expected correct behavior?
Guest user account should be allowed to browse the container registry, authenticate and pull images even when they are external.
The documentation hints to this being possible, but does not have any special information for "External" accounts.
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
iSystem information System: Current User: git Using RVM: no Ruby Version: 2.7.5p203 Gem Version: 3.1.6 Bundler Version:2.3.15 Rake Version: 13.0.6 Redis Version: 6.2.7 Sidekiq Version:6.5.7 Go Version: unknown GitLab information Version: 15.6.0 Revision: 7f1a7c62df9 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.12 URL: https://retracted.tld HTTP Clone URL: https://retracted.tld/some-group/some-project.git SSH Clone URL: git@retracted.tld:some-group/some-project.git Using LDAP: no Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 14.13.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab subtasks ...Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.13.0 ? ... OK (14.13.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units) Projects have namespace: ... 5/1 ... yes 4/2 ... yes 3/3 ... yes 4/4 ... yes 4/5 ... yes 7/6 ... yes 5/7 ... yes 4/8 ... yes 7/9 ... yes 7/10 ... yes 27/11 ... yes 10/12 ... yes 10/13 ... yes 8/14 ... yes 10/15 ... yes 27/16 ... yes 8/17 ... yes 6/19 ... yes 8/20 ... yes 7/21 ... yes 10/24 ... yes 27/25 ... yes 15/26 ... yes 2/27 ... yes 7/28 ... yes 7/29 ... yes 5/31 ... yes 7/32 ... yes 7/33 ... yes 7/34 ... yes 7/35 ... yes 8/36 ... yes 11/37 ... yes 5/38 ... yes 7/40 ... yes 7/41 ... yes 4/42 ... yes 20/46 ... yes 5/47 ... yes 7/48 ... yes 20/49 ... yes 4/50 ... yes 11/51 ... yes 11/52 ... yes 22/53 ... yes 8/54 ... yes 4/55 ... yes 23/56 ... yes 6/57 ... yes 5/58 ... yes 26/59 ... yes 8/60 ... yes 7/61 ... yes 8/62 ... yes 27/63 ... yes 27/64 ... yes 6/66 ... yes 11/71 ... yes 11/72 ... yes 11/73 ... yes 11/74 ... yes 11/75 ... yes 4/77 ... yes 4/78 ... yes 22/79 ... yes 4/81 ... yes 1/82 ... yes 27/83 ... yes 4/84 ... yes 4/85 ... yes 27/86 ... yes 27/87 ... yes 8/88 ... yes 26/90 ... yes 44/91 ... yes 44/92 ... yes 1/93 ... yes 22/94 ... yes 22/95 ... yes 44/96 ... yes 6/97 ... yes 2/98 ... yes 48/100 ... yes 27/101 ... yes 6/102 ... yes 8/103 ... yes 8/105 ... yes 6/106 ... yes 40/107 ... yes 40/108 ... yes 6/109 ... yes 1/110 ... yes 48/112 ... yes 4/113 ... yes 6/114 ... yes 6/115 ... yes 40/116 ... yes 40/117 ... yes 7/119 ... yes 26/123 ... yes 40/124 ... yes 27/125 ... yes 5/126 ... yes 51/128 ... yes 53/130 ... yes 53/131 ... yes 53/132 ... yes 53/133 ... yes 53/134 ... yes 53/135 ... yes 53/136 ... yes 53/137 ... yes 26/138 ... yes 54/139 ... yes 7/140 ... yes 53/141 ... yes 8/142 ... yes 53/143 ... yes 7/144 ... yes 8/146 ... yes 55/147 ... yes 56/148 ... yes 56/149 ... yes 4/150 ... yes 53/151 ... yes 40/152 ... yes 27/153 ... yes 1/154 ... yes 53/155 ... yes 51/156 ... yes 10/157 ... yes 1/158 ... yes 6/159 ... yes 5/160 ... yes 4/163 ... yes 22/164 ... yes 55/165 ... yes 56/166 ... yes 6/167 ... yes 7/168 ... yes 4/169 ... yes 4/170 ... yes 53/171 ... yes 53/172 ... yes 22/173 ... yes 53/174 ... yes 8/175 ... yes 69/176 ... yes 27/177 ... yes 10/179 ... yes 7/180 ... yes 4/181 ... yes 73/182 ... yes 73/183 ... yes 73/184 ... yes 73/185 ... yes 74/186 ... yes 74/187 ... yes 74/188 ... yes 73/189 ... yes 4/190 ... yes 73/191 ... yes 27/192 ... yes 20/193 ... yes 20/194 ... yes 55/195 ... yes 8/196 ... yes 8/197 ... yes 78/198 ... yes 2/199 ... yes 70/200 ... yes 20/201 ... yes 2/202 ... yes 27/203 ... yes 27/204 ... yes 260/205 ... yes 260/206 ... yes 260/207 ... yes 265/208 ... yes 260/209 ... yes 269/210 ... yes 266/211 ... yes 260/212 ... yes 266/213 ... yes 274/214 ... yes 27/215 ... yes 26/216 ... yes 278/217 ... yes 278/218 ... yes 266/219 ... yes 266/221 ... yes 266/222 ... yes 266/223 ... yes 4/224 ... yes 266/225 ... yes 266/226 ... yes 266/227 ... yes 290/229 ... yes 290/230 ... yes 294/231 ... yes 4/232 ... yes 290/233 ... yes 290/234 ... yes 6/235 ... yes Redis version >= 6.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.5) Git user has default SSH configuration? ... yes Active users: ... 21 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
N/A