
Change labels for token access settings

What does this MR do and why?

For #411406 (closed)

Change labels for token access settings

Clarify that token access settings toggles mean:

  • when disabled, any project can use CI_JOB_TOKEN to access this project
  • when enabled, only allowed projects can use CI_JOB_TOKEN access

for both inbound and outbound (deprecated) token access settings, and
without changing the toggle functionality

Changelog: fixed

Why?: The disabled state behavior of these toggles is confusing to users, especially the first one given that its label says "Allow X" but it actually does the opposite - it would've made more sense to introduce this feature with the more secure option (limit access to projects on the allowlist) selected, but that would have been a breaking change.

Screenshots or screen recordings

Before / After (screenshots Screenshot_2023-07-18_at_20.14.19 and Screenshot_2023-07-18_at_19.54.25 not reproduced here)

Inbound toggle
  Before: Allow access to this project with a CI_JOB_TOKEN
          Manage which projects can use their CI_JOB_TOKEN to access this project.
  After:  Limit access to this project
          Prevent access to this project from other project CI/CD job tokens, unless the other project is added to the allowlist.

Outbound toggle (deprecated)
  Before: Limit CI_JOB_TOKEN access
          Select the projects that can be accessed by API requests authenticated with this project's CI_JOB_TOKEN CI/CD variable.
  After:  Limit access from this project (Deprecated)
          Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist.

How to set up and validate locally

To find and use these toggles

  1. navigate to a project
  2. in the sidebar, choose Settings => CI/CD
  3. expand the Token Access section

To test the feature itself

  1. set up Container Registry for gdk
  2. create a namespace with a private project and a test project (for example, my-namespace/my-private-project and my-namespace/test-project)
  3. create a tagged image in the container registry for one of the projects (in my-namespace/my-private-project, create a my-image:latest container image)
  4. disable the Limit access to this project toggle in the CI/CD settings for my-namespace/my-private-project
  5. add this job to the pipeline for the test project in the same namespace (in my-namespace/test-project):

     test-job:
         image: registry.test:5000/my-private-project/my-image:latest
         script:
             - echo 'Hello world'

  6. run a pipeline for the test project - it should pull the image from the other project's container registry
  7. enable the Limit access to this project toggle in the CI/CD settings for my-namespace/my-private-project
  8. run a pipeline for the test project - it should fail to pull the image from the other project's container registry with an error message like this:

     ERROR: Job failed: failed to pull image "registry.test:5000/my-private-project/my-image:latest" with specified policies [always]: Error response from daemon: pull access denied for registry.test:5000/my-private-project/my-image, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
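The access rule the two toggles control, as an added example that is not code from this MR or from GitLab: a small Python model in which a disabled toggle never blocks anything and an enabled one admits only allowlisted project paths, replayed over the validation procedure above. The project paths, the combined inbound-and-outbound check, and the "a project always reaches itself" rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Project:
    """Constructed stand-in for one project's token access settings (assumption)."""
    path: str
    # "Limit access to this project" (inbound toggle). Disabled: any project's
    # job token may reach this project. Enabled: only allowlisted projects may.
    limit_inbound: bool = False
    inbound_allowlist: set = field(default_factory=set)
    # "Limit access from this project (Deprecated)" (outbound toggle). Disabled:
    # this project's job token may reach any project. Enabled: allowlist only.
    limit_outbound: bool = False
    outbound_allowlist: set = field(default_factory=set)


def job_token_allowed(source: Project, target: Project) -> bool:
    """Decide whether a job running in `source` may use its CI_JOB_TOKEN to reach
    `target` (for example, to pull an image from target's container registry)."""
    if source.path == target.path:
        return True  # assumption: a project's own job token always reaches itself
    # Both checks must pass: target decides who may come in, source decides
    # where its own token may go. A disabled toggle never blocks anything.
    if target.limit_inbound and source.path not in target.inbound_allowlist:
        return False
    if source.limit_outbound and target.path not in source.outbound_allowlist:
        return False
    return True


def walk_through_mr_scenario() -> list:
    """Replay the validation steps above with constructed projects and
    return (situation, pull allowed?) pairs."""
    private = Project("my-namespace/my-private-project")
    test = Project("my-namespace/test-project")
    results = []
    # Toggle disabled: any project's job token may pull from my-private-project.
    results.append(("inbound limit disabled", job_token_allowed(test, private)))
    # Toggle enabled with an empty allowlist: the pull in test-project is denied.
    private.limit_inbound = True
    results.append(("inbound limit enabled, not allowlisted", job_token_allowed(test, private)))
    # Adding test-project to the allowlist restores access while keeping the limit on.
    private.inbound_allowlist.add(test.path)
    results.append(("inbound limit enabled, allowlisted", job_token_allowed(test, private)))
    return results


if __name__ == "__main__":
    for situation, allowed in walk_through_mr_scenario():
        print(f"{situation}: {'pull succeeds' if allowed else 'pull denied'}")
```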

To run the tests

yarn install && yarn jest token_access

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcel Amirault
