Dependency proxy can be accessed with PATs that don't have the scopes read_registry and write_registry.
GitLab customers with an active subscription can reach out to GitLab Support when encountering unexpected problems with this change.
Deprecation Summary
The Dependency Proxy currently does not enforce access token scope restrictions during authentication. Users can access the Dependency Proxy using personal access tokens (PAT) or group access tokens without the required read_registry and write_registry scopes. This behavior will be changed to enforce proper scope checking.
Documentation
- Deprecation notice: #426887
- Migration guidelines:
Product Usage
The current documentation incorrectly states that users need a personal access token with read_registry and write_registry scopes to authenticate with the Dependency Proxy. However, users can currently authenticate and use the Dependency Proxy without these scopes, as demonstrated by successful docker login and docker pull operations.
Breaking Change?
Yes - This deprecation contains a breaking change as it will affect existing workflows that use tokens without the required scopes.
Affected Customers
Who is affected by this deprecation:
- GitLab.com
- Self-managed
- Dedicated
What pricing tiers are impacted:
- GitLab Free
- GitLab Premium
- GitLab Ultimate
Deprecation Milestone
This deprecation will be announced in milestone: 17.9
Planned Removal Milestone
The feature / functionality will be removed in milestone: 18.0
Rollout Plan
DRI Engineers: @10io
DRI Engineering Manager: @crystalpoole
- Describe rollout plans on GitLab.com
- Link to a feature flag rollout issue that covers:
  - Expected release date on GitLab.com and GitLab version
  - Rollout timelines
  - Creation of any clean-up issues
Migration Steps
Users need to:
- Create new access tokens with the required scopes (read_registry and write_registry)
- Update workflow variables and scripts with the new tokens
- Test their pipelines and workflows with the new tokens before the breaking change is implemented
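The following is an added example, not GitLab's own code, that models the behaviour described under Product Usage and gives users a way to audit their tokens for the Migration Steps above. The `authenticate` function walks through the three states this deprecation moves through: the current behaviour (scopes ignored), scope logging (the first development task), and scope enforcement (the check behind the feature flag). The `audit_token` function takes the JSON body a user would get from `GET /api/v4/personal_access_tokens/self`; the exact field names and the sample token below are assumptions constructed for this example. Whether broader scopes such as `api` will satisfy the new check is not stated on the page, so this model requires the two scopes named literally.

```python
"""Model of Dependency Proxy token-scope authentication and a token audit helper.

Added example (not GitLab code). REQUIRED_SCOPES follows the documentation quoted
on the page: read_registry and write_registry.
"""
import json
import logging
from enum import Enum

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Scopes the documentation says a token needs for the Dependency Proxy.
REQUIRED_SCOPES = frozenset({"read_registry", "write_registry"})


class ScopeMode(Enum):
    LEGACY = "legacy"      # current behaviour: scopes are not checked at all
    LOG_ONLY = "log_only"  # scope logging: record the gap, still allow access
    ENFORCE = "enforce"    # scope check behind the feature flag: deny access


def missing_scopes(token_scopes):
    """Return the required scopes the token lacks, sorted for stable output."""
    return sorted(REQUIRED_SCOPES - set(token_scopes))


def authenticate(token_scopes, mode):
    """Decide whether a token is accepted by the Dependency Proxy under `mode`.

    Returns True when access is granted. In LOG_ONLY and ENFORCE modes a
    warning is emitted for tokens that would break after the change, which is
    the signal operators can use to find affected workflows before 18.0.
    """
    missing = missing_scopes(token_scopes)
    if not missing:
        return True
    if mode is ScopeMode.LEGACY:
        return True
    logging.warning("dependency proxy auth: token missing scopes %s (mode=%s)",
                    missing, mode.value)
    return mode is ScopeMode.LOG_ONLY


def audit_token(api_json):
    """Summarise a token's readiness from the JSON body of
    GET /api/v4/personal_access_tokens/self (field names assumed).
    """
    data = json.loads(api_json)
    missing = missing_scopes(data.get("scopes", []))
    return {
        "name": data.get("name", "<unnamed>"),
        "missing": missing,
        "ready_for_18_0": not missing,
    }


# Constructed sample responses; not real tokens or real API output.
SAMPLE_TOKEN_NEEDS_ROTATION = json.dumps(
    {"id": 1, "name": "ci-pull-base-images", "scopes": ["read_api"], "active": True})
SAMPLE_TOKEN_READY = json.dumps(
    {"id": 2, "name": "ci-pull-base-images-v2",
     "scopes": ["read_registry", "write_registry"], "active": True})


if __name__ == "__main__":
    for body in (SAMPLE_TOKEN_NEEDS_ROTATION, SAMPLE_TOKEN_READY):
        report = audit_token(body)
        print(report)
        # Show how the same token fares in each rollout state.
        scopes = json.loads(body)["scopes"]
        for mode in ScopeMode:
            print(f"  {mode.value:8s} -> allowed={authenticate(scopes, mode)}")
```

Run the audit against each token a pipeline uses; any entry with `ready_for_18_0` false is one to rotate and to test with `docker login` and `docker pull` against the Dependency Proxy before the planned removal milestone.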
Development Tasks
- Implement scope logging during authentication - MR: !181756 (merged)
- Implement scope checking during authentication, behind a feature flag - MR: !182559 (merged)
- Create migration documentation
- Test impact on existing workflows
- Rollout the feature flag
- Cleanup the packages_dependency_proxy_containers_scope_check feature flag
Impact Assessment
- Severity: High
- Scope: Group
- Resolution role: Maintainer
- Manual task required: Yes
- Implementation window: 3 months