Route request via token contains
See https://docs.gitlab.com/ee/architecture/blueprints/cells/routing-service.html for background
- Assume the Cell is configured to generate all secrets and session cookies with a prefix.
- The routing service will route to that cell if it reads a header such as `GITLAB_TOKEN` whose value matches the prefix, following https://docs.gitlab.com/ee/architecture/blueprints/cells/routing-service.html#router-configured-to-perform-static-routing
- Priority for this rule is to be determined.
NOTE: there are many different types of tokens, so we may need to prioritize which ones to implement first:
- `GITLAB_TOKEN` header (personal access tokens)
- `Authorization: Bearer` for Direct Transfer (#434968 (comment 1760557290))
- `UNLEASH-INSTANCEID` header
- Others
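As an added illustration (not code from the issue or from GitLab's routing service), the static rule described above, applied to the three header types in the list: pull the credential from the request, match its prefix against a table of known Cells, and signal a miss so the router can fall back to its dynamic path. The prefix table, the `c1_`/`c2_` prefix shape, and the exact wire format of each header are assumptions; only the header names come from the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed for this example: maps the prefix a Cell stamps onto its tokens
// to that Cell's name. The real prefix scheme and Cell identifiers are not
// defined in the issue.
var cellPrefixes = map[string]string{
	"c1_": "cell-1",
	"c2_": "cell-2",
}

// extractToken returns the credential carried by one of the header types the
// issue lists (GITLAB_TOKEN, Authorization: Bearer, UNLEASH-INSTANCEID), or ""
// when none is present. Header names are from the issue; their value format
// is assumed.
func extractToken(h http.Header) string {
	if t := h.Get("GITLAB_TOKEN"); t != "" {
		return t
	}
	if auth := h.Get("Authorization"); auth != "" {
		// The scheme name is case-insensitive (RFC 6750), so compare with EqualFold.
		if len(auth) > 7 && strings.EqualFold(auth[:7], "Bearer ") {
			return strings.TrimSpace(auth[7:])
		}
	}
	return h.Get("UNLEASH-INSTANCEID")
}

// routeByTokenPrefix implements the static routing rule: if the request
// carries a token whose prefix belongs to a known Cell, return that Cell.
// ok == false means the rule did not match and the router must fall back to
// its dynamic path (e.g. the classify service) rather than guess.
func routeByTokenPrefix(h http.Header) (cell string, ok bool) {
	tok := extractToken(h)
	if tok == "" {
		return "", false
	}
	// Longest-prefix match, so overlapping prefixes cannot resolve
	// differently from one request to the next.
	best := ""
	for prefix := range cellPrefixes {
		if strings.HasPrefix(tok, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	if best == "" {
		return "", false
	}
	return cellPrefixes[best], true
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer c2_glpat-EXAMPLETOKEN") // constructed value
	cell, ok := routeByTokenPrefix(h)
	fmt.Println(cell, ok) // cell-2 true
}
```

Note that an unknown prefix is reported as a miss rather than routed to a default Cell: a token minted before prefixing was enabled, or one whose organization has since moved to another Cell, still has to be resolved by the classify service, which is the case the proposal below calls out.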
Proposal
- Update the Rails application so that tokens can be prefixed via the organization or another top-level actor.
- Keep in mind that if an organization is moved to a different cell, its tokens need to continue to work.
- Update the router rules generated by the Rails application with the appropriate rules for tokens. NOTE: the router will need to call the classify service.
- Ensure all secret detection code (e.g. regexes) is updated to match both un-Cell-prefixed and Cell-prefixed tokens.
  - For the PoC: https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/lib/utils/secret_detection.js
  - Before productionizing, there is a list of places here: https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#token-prefixes
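To show why the secret detection bullet matters, here is an added example (not the PoC's `secret_detection.js` and not GitLab's own patterns) that runs a legacy personal-access-token regex and a Cell-aware one over constructed log lines. The `glpat-` prefix is GitLab's real PAT prefix; the 20-character body, the `c1_`-style Cell prefix and its position in front of the token are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed token shape (not GitLab's real format): an optional Cell prefix
// such as "c1_" in front of a "glpat-" personal access token whose body is
// taken here to be 20 token characters.
const (
	cellPrefix = `(?:c[0-9]+_)?`
	patBody    = `glpat-[0-9A-Za-z_-]{20}`
)

var (
	// Legacy pattern: knows only un-prefixed tokens.
	legacyPAT = regexp.MustCompile(patBody)
	// Updated pattern: matches both un-prefixed and Cell-prefixed tokens.
	cellAwarePAT = regexp.MustCompile(cellPrefix + patBody)
)

// Constructed log lines containing one token of each form.
const sampleLog = `2024-05-01T10:00:00Z user=alice token=glpat-AbCdEfGhIjKlMnOpQrSt
2024-05-01T10:00:01Z user=bob token=c1_glpat-UvWxYz0123456789AbCd`

// findTokens returns every full token matched by re in text.
func findTokens(re *regexp.Regexp, text string) []string {
	return re.FindAllString(text, -1)
}

// redact masks each detected token except its last 4 characters, so the
// line stays useful for correlation without exposing the credential.
func redact(re *regexp.Regexp, text string) string {
	return re.ReplaceAllStringFunc(text, func(tok string) string {
		return strings.Repeat("*", len(tok)-4) + tok[len(tok)-4:]
	})
}

func main() {
	fmt.Println("legacy:    ", findTokens(legacyPAT, sampleLog))
	fmt.Println("cell-aware:", findTokens(cellAwarePAT, sampleLog))
	fmt.Println(redact(legacyPAT, sampleLog))
	fmt.Println(redact(cellAwarePAT, sampleLog))
}
```

The legacy regex still fires on the prefixed token, but only on its `glpat-` tail: a redaction or revocation lookup keyed on that match handles a string that is not the token the Cell actually issued, and the Cell prefix survives in the redacted output. Matching the full prefixed form is what the proposal's detection update has to achieve in each of the places the secure coding guidelines list.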
Edited by Thong Kuah