Admin (non-project member) cannot pull image when Admin Mode is enabled and turned on
Summary
Admin user (non-project member) cannot pull container image when Admin Mode is enabled and turned on in version 15.11.8.
When Admin Mode is disabled: log out of the container registry, log back in, and the admin (non-project member) can pull the image again.
Steps to reproduce
Enable and turn on admin mode
Set up the container registry and push an image to it
- As a root user, create a personal access token with read/write access to registry
- Create a new project
- In the local terminal, run the following steps:
docker pull ubuntu:22.04
docker tag ubuntu:22.04 <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
# Check the image is now present
docker images
# Login to registry and enter PAT as password
docker login <INSTANCE_URL>:5050 -u root
# Push the image to the registry
docker push <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
# Remove the image from the local terminal
docker rmi -f <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
# Check the image is no longer present
docker images
# Logout of the registry
docker logout <INSTANCE_URL>:5050
Attempt to pull an image as another admin user
- Create a new admin user (e.g. test_admin), ensure that it is not a member of the project
- Impersonate test_admin
- Ensure admin mode is turned on
- Create a personal access token (with read/write access for registry) for test_admin
- Run the following commands in the local terminal:
# Login to registry and enter the PAT as password
docker login <INSTANCE_URL>:5050 -u test_admin
# Pull the image
docker pull <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
You should get this error:
Error response from daemon: pull access denied for <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Test if Admin Mode is the issue
- Stop impersonation of test_admin
- As the root user, add test_admin to the project as a Developer
- Impersonate test_admin again
- Perform the following steps in the local terminal:
# Logout of the registry
docker logout <INSTANCE_URL>:5050
# Login to registry and enter the PAT as password
docker login <INSTANCE_URL>:5050 -u test_admin
# Pull the image
docker pull <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
# You should successfully pull the image, to verify
docker images
What is the current bug behavior?
Admin cannot pull container image using PAT when Admin Mode is enabled and turned on.
What is the expected correct behavior?
Admin can pull container image using PAT when Admin Mode is enabled and turned on.
Relevant logs and/or screenshots
The error message can differ depending on the type of interface used.
For Docker
docker pull <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab:test
Error response from daemon: pull access denied for <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntugitlab, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
For nerdctl
$ nerdctl pull registry.xxx.com/images
registry.xxx.com/images:latest: resolving
elapsed: 3.0 s    total: 0.0 B (0.0 B/s)
INFO[0003] trying next host error="pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed" host=registry.xxx.com
FATA[0003] failed to resolve reference "registry.xxx.com/images:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
For Podman
$ podman pull <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntu:20.04
Trying to pull <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntu:20.04...
Error: initializing source docker://<INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntu:20.04: reading manifest 20.04 in <INSTANCE_URL>:5050/<PROJECT_PATH>/ubuntu: requested access to the resource is denied
Workaround
Have non-admin users with the Auditor role or above pull the container image.
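
All three client errors above ("denied" / "insufficient_scope") mean the bearer token the client presented did not carry pull access for the repository, so decoding that token shows whether the denial originates in the token issuer. The following is an added example, not part of the original report or GitLab's code; it assumes the registry uses the Docker distribution token format (a JWT whose `access` claim lists `type`, `name` and `actions`), and the repository path and tokens are constructed samples.

```python
import base64
import json

# Constructed sample repository path; not taken from the report.
REPO = "group/project/ubuntugitlab"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(access: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "test_admin", "access": access}).encode())
    return f"{header}.{payload}.constructed"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_actions(token: str, repository: str) -> set:
    """Collect the actions the token grants on one repository."""
    actions = set()
    for entry in decode_claims(token).get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repository:
            actions.update(entry.get("actions") or [])
    return actions


def can_pull(token: str, repository: str) -> bool:
    acts = granted_actions(token, repository)
    return "pull" in acts or "*" in acts  # "*" grants every action


if __name__ == "__main__":
    member = make_sample_token([{"type": "repository", "name": REPO, "actions": ["pull"]}])
    denied = make_sample_token([])  # token issued, but with no access entries
    for label, tok in (("member", member), ("denied", denied)):
        print(label, sorted(granted_actions(tok, REPO)), "pull ok:", can_pull(tok, REPO))
```

An empty or missing `access` list for the requested repository points at the authorization decision made when the token was issued, not at the Docker, nerdctl or Podman client.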