
Do not cache container_registry_disabled policy

Jaime Martinez requested to merge 391551-deploy-token-policy-scope-update into master

What does this MR do and why?

This MR removes the scope from the container_registry_disabled policy condition. The condition depends on both the user and the subject, so caching it under a single scope leads to the behavior bug seen in #391551 (comment 1746996328).

With this change, a deploy_token can pull images when the project is public but the container registry visibility is set to Only Project Members.
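As an added illustration of why a condition that depends on both the actor and the subject cannot be cached per subject (example code written for this page, not GitLab's DeclarativePolicy; the Struct models, the cache-key rule per scope and the condition body are assumptions that mirror the description above):

```ruby
# Simplified model of the caching bug this MR fixes. Added example, not
# GitLab code: the cache-key rules and the condition body are assumptions
# that mirror the MR description, not the real implementation.

Project = Struct.new(:name, :public, :registry_members_only)
User = Struct.new(:name, :member)
DeployToken = Struct.new(:name, :read_registry)

# Is the registry "disabled" for this actor on this project? (assumed rule:
# a deploy token with read_registry is allowed even when registry visibility
# is "Only Project Members", which is the behaviour the MR restores)
def registry_disabled?(actor, project)
  return false unless project.registry_members_only
  case actor
  when DeployToken then !actor.read_registry
  when User then !actor.member
  else true
  end
end

class PolicyCache
  def initialize
    @memo = {}
  end

  # :subject keys the memo by project only, so the first actor's answer is
  # reused for every later actor (the pre-MR behaviour). :normal keys it by
  # actor and project (what dropping the scope amounts to).
  def container_registry_disabled(actor, project, scope:)
    key = scope == :subject ? [project.name] : [actor.name, project.name]
    return @memo[key] if @memo.key?(key)
    @memo[key] = registry_disabled?(actor, project)
  end
end

# Public project with a members-only registry, checked first for an
# anonymous user and then for a read_registry deploy token (constructed
# scenario matching the validation steps in this MR).
def simulate(scope)
  project = Project.new("root/registry", true, true)
  anon = User.new("anonymous", false)
  token = DeployToken.new("deploy-token", true)
  cache = PolicyCache.new
  [cache.container_registry_disabled(anon, project, scope: scope),
   cache.container_registry_disabled(token, project, scope: scope)]
end
```

With the subject-only cache the deploy token inherits the anonymous user's "disabled" answer and is denied; keyed by actor and project it is evaluated on its own and allowed.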

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. Set up the registry locally.

  2. Create a PAT with the read_registry and write_registry scopes.

  3. Log in to the registry with the PAT, e.g. docker login registry.test:5000 -u root -p $PAT

  4. Create a test project, set its visibility to "Public", and set Container Registry to Only Project Members.

  5. Pull, tag and push an image to the test project:

    docker pull alpine
    docker tag alpine registry.test:5000/root/registry/alpine:latest
    docker push registry.test:5000/root/registry/alpine:latest

  6. Log out from the registry: docker logout registry.test:5000

  7. Create a deploy token with the read_registry scope.

  8. Log in to the registry with the deploy token: docker login registry.test:5000 -u $DEPLOY_TOKEN_USERNAME -p $DEPLOY_TOKEN

  9. Check out master.

  10. Pull the image: docker pull registry.test:5000/root/registry/alpine:latest

  11. An error should occur:

    Error response from daemon: pull access denied for registry.test:5000/root/registry/alpine, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

  12. Check out these changes: git checkout 391551-deploy-token-policy-scope-update

  13. Pull the image again: docker pull registry.test:5000/root/registry/alpine:latest. This time it succeeds:

    ❯ docker pull registry.test:5000/root/registry/alpine:latest
    latest: Pulling from registry.test:5000/root/registry/alpine
    Digest: sha256:a70bcfbd89c9620d4085f6bc2a3e2eef32e8f3cdf5a90e35a1f95dcbd7f71548
    Status: Image is up to date for registry.test:5000/root/registry/alpine:latest
    registry.test:5000/root/registry/alpine:latest

Related to #391551 (closed)

Edited by Jaime Martinez
