Require role "Owner" to enable "Allow anyone to pull from Package Registry" feature
Release notes
Require role "Owner" to enable "Allow anyone to pull from Package Registry" feature.
Problem to solve
We would like to improve the security of our intellectual property with regard to the "Allow anyone to pull from Package Registry" feature. The feature was introduced with #329253 (closed) and released in 15.7.
We totally see the use-case for that and appreciate that other GitLab customers find this feature beneficial and make good use of it.
However, we consider the current situation critical because package registries can be made public to the internet in contradiction to project visibility. We have a private root group gitlab.com/our-root-group with SSO enforcement. Our expectation is that this guarantees some kind of control over who is able to access our resources. In general, visibility settings are restricted to the "Owner" role, and lower levels cannot have a more permissive setting than higher levels (when visualizing the root at the top). Only a few people in the company are assigned "Owner" roles, as we consider them to be our "Admins".
The "Allow anyone to pull from Package Registry" is the only feature we know of which breaks this assumption. Other registries, like the container registry, cannot be made public by a project Maintainer.
We as an organization want to regain control of who can make our resources public to the internet.
This is related to another feature request: #410139
Proposal
We suggest limiting the ability to enable the "Allow anyone to pull from Package Registry" feature to users with the "Owner" role.
Other changes to visibility (like project and group visibility) also require the "Owner" role.
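The following is an added example illustrating the rule proposed above; it is not GitLab's code and does not use the GitLab API. It assumes a simplified model of GitLab's role names, visibility levels and group nesting. It shows the authorization check with the current behaviour (Maintainer may enable the toggle) beside the proposed one (Owner required), and an audit function that lists projects whose package registry is reachable by anyone even though the project or one of its ancestor groups is not public, which is exactly the contradiction described in the problem statement.

```python
# Added example, not GitLab code. Roles, visibility levels and the
# group/project model below are simplified assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Assumed role ordering, lowest to highest (mirrors GitLab's role names).
ROLE_RANK = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40, "Owner": 50}
# Assumed visibility ordering, most restrictive first.
VISIBILITY_RANK = {"private": 0, "internal": 1, "public": 2}


@dataclass
class Group:
    path: str
    visibility: str
    parent: Optional["Group"] = None


@dataclass
class Project:
    path: str
    group: Group
    visibility: str
    anonymous_package_pull: bool = False  # the "Allow anyone to pull" toggle


def effective_visibility(project: Project) -> str:
    """A project is never more visible than any group above it, so the
    effective level is the most restrictive one along the ancestor chain."""
    level = VISIBILITY_RANK[project.visibility]
    group = project.group
    while group is not None:
        level = min(level, VISIBILITY_RANK[group.visibility])
        group = group.parent
    return next(name for name, rank in VISIBILITY_RANK.items() if rank == level)


def can_enable_anonymous_pull(actor_role: str, required_role: str = "Owner") -> bool:
    """required_role="Maintainer" models today's behaviour; the default
    "Owner" models the proposal in this issue."""
    return ROLE_RANK[actor_role] >= ROLE_RANK[required_role]


def enable_anonymous_pull(project: Project, actor_role: str, required_role: str = "Owner") -> None:
    if not can_enable_anonymous_pull(actor_role, required_role):
        raise PermissionError(
            f"{actor_role} may not enable anonymous package pull on {project.path}; "
            f"{required_role} required"
        )
    project.anonymous_package_pull = True


def find_package_exposure(projects: List[Project]) -> List[str]:
    """Audit: projects where anyone can pull packages although the project
    (or an ancestor group) is not public. Sorted for stable output."""
    return sorted(
        p.path for p in projects
        if p.anonymous_package_pull and effective_visibility(p) != "public"
    )


# Constructed sample data modelled on the page's private root group.
ROOT = Group("our-root-group", "private")
SUB = Group("our-root-group/platform", "public", parent=ROOT)  # public below private root
SAMPLE_PROJECTS = [
    Project("our-root-group/platform/sdk", SUB, "public", anonymous_package_pull=True),
    Project("our-root-group/platform/tools", SUB, "public", anonymous_package_pull=False),
    Project("oss/demo", Group("oss", "public"), "public", anonymous_package_pull=True),
]

if __name__ == "__main__":
    print("exposed:", find_package_exposure(SAMPLE_PROJECTS))
    for role in ("Maintainer", "Owner"):
        print(role, "today:", can_enable_anonymous_pull(role, "Maintainer"),
              "proposed:", can_enable_anonymous_pull(role))
```

Running the audit on the constructed data flags only our-root-group/platform/sdk: the subgroup and project are marked public, but the private root group caps their effective visibility, so an anonymous-pull toggle there exposes packages from a tree that is otherwise not reachable. Under the proposed rule, enable_anonymous_pull raises PermissionError for a Maintainer and succeeds for an Owner.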
Intended users
- Cameron (Compliance Manager)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- TODO - this is just a suggestion by me and needs to be refined
Feature Usage Metrics
TBD.