Support creating a PAT with another PAT for the same user with limited scope
There is a REST API endpoint to create a new Personal Access Token. However, it's limited to the instance Administrators. Why is that?
Is there a possibility to open up this restriction and allow the API to create PATs when authenticating the request with another PAT of the same user? This could be limited to only allowing to create PATs that don't have the api
scope.
I could have used this for many things in the past (pre GitLab work), but my concrete use case now is to create a PAT with only the new k8s_proxy
scope which then can be used to access GitLab Agent for Kubernetes clusters.
So, why do I need to create a new PAT with the API for that? The reason is that we can then provide a CLI command to get a k8s_proxy
-scoped PAT from an already authenticated glab
.
So, this would allow the following UX:
- Update the kube config to access an agents cluster:
glab cluster agent update-kubeconfig --agent 123
which would roughly translate to a kube config like this:
apiVersion: v1
kind: Config
clusters:
- cluster:
server: https://kas.gitlab.com/k8s-proxy
name: gitlab
contexts:
- context:
cluster: gitlab
user: gitlab-user
name: gitlab-agent
current-context: gitlab-agent
preferences: {}
users:
- name: gitlab-user
user:
exec:
apiVersion: "client.authentication.k8s.io/v1"
command: "glab"
args:
- cluster
- agent
- get-token
- --agent
- 1234
interactiveMode: IfAvailable
- Use whatever
kubectl
command to access the cluster without having to authenticate and without having tokens in the kube config
This would work, because of the glab cluster agent get-token --agent 1234
call that would return a short-lived k8s_proxy
-scoped PAT that was dynamically created by the already authenticated glab
.
Availability & Testing
Add tests to:
- Ensure the endpoint cannot be used to create a PAT with
api
scope. - Ensure the endpoint must be authenticated and so a PAT can only be created for the authenticated user.