Change labels for token access settings
What does this MR do and why?
For #411406 (closed)
Change labels for token access settings
Clarify that token access settings toggles mean:
- when disabled, any project can use CI_JOB_TOKEN to access this project
- when enabled, only allowed projects can use CI_JOB_TOKEN access
for both inbound and outbound (deprecated) token access settings, and
without changing the toggle functionality
Changelog: fixed
Why?: The disabled state behavior of these toggles is confusing to users, especially the first one given that its label says "Allow X" but it actually does the opposite - it would've made more sense to introduce this feature with the more secure option (limit access to projects on the allowlist) selected, but that would have been a breaking change.
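The toggle semantics described above, as an added illustrative model (not GitLab's own code). It treats each toggle as a boolean plus an allowlist and encodes the rule the MR clarifies: a "Limit" toggle that is disabled lets any project use `CI_JOB_TOKEN`, an enabled one admits only allowlisted projects. The combination rule (the source project's outbound check and the target project's inbound check must both pass) and the self-access shortcut are assumptions of this model, and the third walkthrough step (adding the test project to the allowlist) goes one step beyond the validation steps on this page.

```python
"""Illustrative model of the inbound and outbound (deprecated) CI_JOB_TOKEN
access toggles. Added example, not GitLab's code; the combination rule and
the self-access shortcut are assumptions of this model."""
from dataclasses import dataclass, field


@dataclass
class TokenAccessSettings:
    # Inbound: "Limit access to this project" plus the allowlist of projects
    # whose jobs may use CI_JOB_TOKEN to reach this project.
    limit_inbound: bool = False
    inbound_allowlist: set[str] = field(default_factory=set)
    # Outbound (deprecated): limits which projects this project's own job
    # tokens may reach, again via an allowlist.
    limit_outbound: bool = False
    outbound_allowlist: set[str] = field(default_factory=set)


def inbound_allows(target: TokenAccessSettings, source_project: str, target_project: str) -> bool:
    """Does target_project's inbound setting admit a job from source_project?"""
    if source_project == target_project:
        return True  # assumption: a project's own jobs always reach it
    if not target.limit_inbound:
        return True  # toggle disabled: any project may use CI_JOB_TOKEN
    return source_project in target.inbound_allowlist  # enabled: allowlist only


def outbound_allows(source: TokenAccessSettings, source_project: str, target_project: str) -> bool:
    """Does source_project's (deprecated) outbound setting let its jobs reach target_project?"""
    if source_project == target_project:
        return True
    if not source.limit_outbound:
        return True  # toggle disabled: jobs may reach any project
    return target_project in source.outbound_allowlist


def job_token_allowed(projects: dict[str, TokenAccessSettings], source_project: str, target_project: str) -> bool:
    """Assumed combination rule: both directions must allow the access."""
    return outbound_allows(projects[source_project], source_project, target_project) and \
        inbound_allows(projects[target_project], source_project, target_project)


def walkthrough() -> list[bool]:
    """Replays the validation steps of the MR with constructed project names."""
    private = "my-namespace/my-private-project"
    test = "my-namespace/test-project"
    projects = {private: TokenAccessSettings(), test: TokenAccessSettings()}
    results = []
    # Step 1: "Limit access to this project" disabled -> the test project's job
    # can pull my-image:latest from the private project's registry.
    results.append(job_token_allowed(projects, test, private))
    # Step 2: toggle enabled with an empty allowlist -> pull is denied.
    projects[private].limit_inbound = True
    results.append(job_token_allowed(projects, test, private))
    # Step 3 (beyond the page): put the test project on the allowlist -> allowed again.
    projects[private].inbound_allowlist.add(test)
    results.append(job_token_allowed(projects, test, private))
    return results


if __name__ == "__main__":
    print(walkthrough())  # [True, False, True]
```

Running `walkthrough()` reproduces the two outcomes the validation steps expect (pull succeeds with the toggle off, fails with it on) and shows that the allowlist, not the toggle alone, is what grants access once limiting is enabled.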
Screenshots or screen recordings
How to set up and validate locally
To find and use these toggles:
- navigate to a project
- in the sidebar, choose Settings => CI/CD
- expand the Token Access section
To test the feature itself:
- set up Container Registry for gdk
- create a namespace with a private project and a test project (for example, `my-namespace/my-private-project` and `my-namespace/test-project`)
- create a tagged image in the container registry for one of the projects (in `my-namespace/my-private-project`, create a `my-image:latest` container image)
- disable the Limit access to this project toggle in the CI/CD settings for `my-namespace/my-private-project`
- add this job to the pipeline for the test project in the same namespace (in `my-namespace/test-project`):

```yaml
test-job:
  image: registry.test:5000/my-private-project/my-image:latest
  script:
    - echo 'Hello world'
```

- run a pipeline for the test project - it should pull the image from the other project's container registry
- enable the Limit access to this project toggle in the CI/CD settings for `my-namespace/my-private-project`
- run a pipeline for the test project - it should fail to pull the image from the other project's container registry with an error message like this:

```
ERROR: Job failed: failed to pull image "registry.test:5000/my-private-project/my-image:latest" with specified policies [always]: Error response from daemon: pull access denied for registry.test:5000/my-private-project/my-image, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```
To run the tests:

```shell
yarn install && yarn jest token_access
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Marcel Amirault