Do not cache container_registry_disabled policy
What does this MR do and why?
This MR removes the scope from the `container_registry_disabled` policy condition. The condition depends on both the `user` and the `subject`, which leads to a behavior bug as seen in #391551 (comment 1746996328).

With this change, a `deploy_token` can pull images when the project is public but the container registry visibility is set to `Only Project Members`.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Set up the registry locally.
- Create a PAT with `read_registry` + `write_registry` scope
- Log in to the registry with the PAT, e.g.

  ```shell
  docker login registry.test:5000 -u root -p $PAT
  ```
- Create a test project and set the visibility to "Public", but set Container Registry to `Only Project Members`
- Pull, tag and push an image to the test project

  ```shell
  docker pull alpine
  docker tag alpine registry.test:5000/root/registry/alpine:latest
  docker push registry.test:5000/root/registry/alpine:latest
  ```
- Log out from the registry

  ```shell
  docker logout registry.test:5000
  ```
- Create a deploy token with the `read_registry` scope
- Log in to the registry with the deploy token

  ```shell
  docker login registry.test:5000 -u $DEPLOY_TOKEN_USERNAME -p $DEPLOY_TOKEN
  ```
- Check out `master`
- Pull the image

  ```shell
  docker pull registry.test:5000/root/registry/alpine:latest
  ```
- An error should occur:

  ```
  Error response from daemon: pull access denied for registry.test:5000/root/registry/alpine, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
  ```
- Check out these changes

  ```shell
  git checkout 391551-deploy-token-policy-scope-update
  ```
- Pull the image successfully!

  ```
  ❯ docker pull registry.test:5000/root/registry/alpine:latest
  latest: Pulling from registry.test:5000/root/registry/alpine
  Digest: sha256:a70bcfbd89c9620d4085f6bc2a3e2eef32e8f3cdf5a90e35a1f95dcbd7f71548
  Status: Image is up to date for registry.test:5000/root/registry/alpine:latest
  registry.test:5000/root/registry/alpine:latest
  ```

Related to #391551 (closed)
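
The caching problem described at the top of this MR, as an added Ruby example that is not GitLab's code or part of the MR: a small model (every class and method name here is hypothetical) in which a condition that reads both the actor and the project is memoized per project only, so a later caller inherits an earlier caller's result. The project, user and token values are constructed.

```ruby
# Simplified model of a policy engine that memoizes condition results.
# All class and method names are hypothetical, not GitLab's policy code.
Project     = Struct.new(:id, :public, :registry_members_only)
User        = Struct.new(:id, :member_of)    # project ids the user belongs to
DeployToken = Struct.new(:id, :project_ids)  # project ids the token is bound to

class ConditionCache
  def initialize
    @store = {}
  end

  # scope :subject keys the result by project only; nil keys it by actor too.
  def fetch(name, scope, actor, subject)
    key = [name, subject.class, subject.id]
    key += [actor.class, actor.id] unless scope == :subject
    return @store[key] if @store.key?(key)

    @store[key] = yield
  end
end

# The condition reads BOTH the actor and the project settings.
def registry_disabled?(actor, project)
  return false unless project.registry_members_only

  case actor
  when DeployToken then !actor.project_ids.include?(project.id)
  when User        then !actor.member_of.include?(project.id)
  else true
  end
end

def can_pull?(cache, scope, actor, project)
  disabled = cache.fetch(:container_registry_disabled, scope, actor, project) do
    registry_disabled?(actor, project)
  end
  project.public && !disabled
end

# Constructed scenario: public project, registry limited to project members.
# Returns { actor name => decision } for one shared cache, in the given order.
def decisions(scope, order)
  project = Project.new(1, true, true)
  actors  = { outsider: User.new(7, []), token: DeployToken.new(3, [1]) }
  cache   = ConditionCache.new
  order.to_h { |name| [name, can_pull?(cache, scope, actors[name], project)] }
end
```

In this model, the `:subject` scope makes the outcome depend on evaluation order, including a denial for the deploy token like the one in the validation steps. Keying the cache on both actor and project gives each caller its own result.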