
Clarify Container Registry token permission

What does this MR do and why?

Creating a token that has only write permissions results in a token that can't do anything: In order to push an image, you also need to be able to read. This is mentioned in one place in the docs, but wrong or misleading in others (1, 2, 3, 4), as well as in the application itself.

This frequently causes confusion for users, who assume that a token with only write_registry would be enough to push images. A recent example would be 🎫 #490732 (internal).

I was initially confused a little by our current wording for deploy tokens: "Allows read and write access to registry images." That is so clearly mentioning read permissions that I was wondering if it might be technically correct in some way. But I did some tests and best I can tell that wording is simply incorrect. A token with only write_registry can't push an image, and it also can't pull an image. If it does have some form of "read access" I'm unable to determine how that manifests. Either way I believe that the text should align with what is relevant to people in practice.

I performed this test with a:

  1. Deploy Token
  2. Personal Access Token
  3. Project Access Token
  4. Group Access Token

In every instance a token that has only write_registry is unusable. You get a "denied: requested access to the resource is denied" error when trying to pull as well as trying to push. That is expected, but our language to highlight this is insufficient.

Relevant groups

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

[Before/after screenshots of the four token creation forms: user settings personal access tokens, project deploy tokens (settings/repository), project access tokens, and group access tokens]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

The UI (text) changes in the application are in:

  • /-/user_settings/personal_access_tokens (click "Add New Token")
  • /your-namespace/your-project/-/settings/repository (click "Add Token" in the Deploy tokens section)
  • /your-namespace/your-project/-/settings/access_tokens (click "Add New Token")
  • /groups/your-namespace/-/settings/access_tokens (click "Add New Token")
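The permission behaviour described above, as an added illustration that is not part of this MR or of GitLab's code: a small model in which a push is treated the way the Docker registry v2 auth flow behaves, where the client requests both the pull and push actions on a repository because pushing also reads (layer existence checks, manifest lookups). The mapping read_registry → pull and write_registry → push, the scope string format and the required-action table are all assumptions of this model.

```python
"""Model of why a write-only Container Registry token cannot push.

Assumed model (not GitLab's implementation): a GitLab token scope grants
a registry action, and each client operation needs a set of actions.
A push needs both pull and push, so write_registry alone is useless.
"""
from typing import Dict, FrozenSet, Iterable

# Assumed mapping: GitLab token scope -> registry action it grants.
SCOPE_TO_ACTION = {"read_registry": "pull", "write_registry": "push"}

# Assumed requirement: registry actions a client needs per operation.
REQUIRED_ACTIONS: Dict[str, FrozenSet[str]] = {
    "pull": frozenset({"pull"}),
    "push": frozenset({"pull", "push"}),  # pushing also reads
}

DENIED = "denied: requested access to the resource is denied"


def granted_actions(token_scopes: Iterable[str]) -> FrozenSet[str]:
    """Registry actions obtainable with the given GitLab token scopes."""
    return frozenset(
        SCOPE_TO_ACTION[s] for s in token_scopes if s in SCOPE_TO_ACTION
    )


def registry_scope_request(repository: str, operation: str) -> str:
    """Scope string the client asks the token endpoint for, e.g.
    'repository:group/project:pull,push' when pushing (assumed format)."""
    actions = ",".join(sorted(REQUIRED_ACTIONS[operation]))
    return f"repository:{repository}:{actions}"


def authorize(token_scopes: Iterable[str], repository: str, operation: str) -> str:
    """Return 'ok' or the registry-style denial for the operation."""
    missing = REQUIRED_ACTIONS[operation] - granted_actions(token_scopes)
    if missing:
        # Any required action the token cannot obtain -> whole request denied.
        return DENIED
    return "ok"


def effective_permissions(token_scopes: Iterable[str]) -> Dict[str, bool]:
    """Which operations a token can actually perform under this model."""
    scopes = list(token_scopes)
    return {
        op: authorize(scopes, "group/project", op) == "ok"
        for op in REQUIRED_ACTIONS
    }
```

Running effective_permissions(["write_registry"]) yields neither pull nor push, matching the denied-on-both result observed in the tests above; adding read_registry enables both.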
