(Rails) Support Personal Access Token (PAT) authentication with `user_access`
Description
This issue is to implement Personal Access Token authentication with user_access keyword. This is useful to support agent access from the local terminal. See Design: Provide a user-based kubeconfig using t... (#331431) for more information.
It's also possible to use Project access tokens as it's basically service account + PAT.
Since glab uses PAT for authentication, we can easily generate KUBECONFIG for Design: Provide a user-based kubeconfig using t... (#331431).
A few notes:
- We've already implemented Browser cookie on GitLab frontend.
Implementation Guide
See full comment here: #409028 (comment 1487010922)
- Implement new
k8s_proxyscope for PATs- *Awaiting input from
@dblessing, see #409028 (comment 1488081442) *
- *Awaiting input from
- We need to extend the internal Kubernetes API endpoint at
/kubernetes/authorize_proxy_userwith a newaccess_typethat isaccess_token. The current implementation always expects theaccess_typeto besession_cookie. - The only difference to the current implementation is how to get an authorized user from the provided access token.
- For finding the user we should be able to use something like
find_user_from_access_token - We also want to make sure that the provided token ONLY has the new
k8s_proxyscope - The actual authorization for the agent is done in the Agent finder.
- For finding the user we should be able to use something like
KAS Implementation Issue is here: Support Personal Access Token (PAT) authenticat... (gitlab-org/cluster-integration/gitlab-agent#439 - closed)
Edited by Timo Furrer