Add logging and metrics for PAT scope enforcement in Dependency Proxy
Background
We are planning to enforce proper scope checking for PATs accessing the Dependency Proxy (requiring read_registry and write_registry scopes). Before implementing this breaking change, we need data on potential impact.
Proposal
Add monitoring capabilities to measure how many requests would be affected by PAT scope enforcement:
-
Logging Enhancement:
- Add logs to track authentication attempts where PATs lack required scopes
- Logs should only appear for tokens missing
read_registryorwrite_registryscopes - Include relevant metadata (e.g., group ID, request type) while respecting privacy
-
Metrics Collection:
- Implement counter metrics to track:
- Total authentication attempts
- Authentication attempts with insufficient scopes
- Calculate rejection rate percentage
- Implement counter metrics to track:
Expected Outcomes
- Quantitative data on % of requests that would be rejected
- Understanding of actual usage patterns
- Informed decision-making for rollout strategy
Implementation Notes
- Logs should be temporary and focused only on scope validation
- Metric collection should be non-intrusive
- Consider sampling if volume is high
- See logging done for Container Registry here
Related Issues
- Parent issue: #426887 (closed) (Deprecation notice)
Edited by Radamanthus Batnag