Introduce write_virtual_registry scope

Context

Up to this point, Dependency Proxy for Containers has been using the Container Registry permissions read_registry and write_registry.

Virtual Registry for Packages is currently being developed, and we will eventually rename Dependency Proxy for Containers as Virtual Registry for Containers. We'll also use the same set of permissions (initially). Now is a good time to have dedicated scopes for these features.

We already have the read_virtual_registry scope, so we only need to add the write_virtual_registry scope and treat the pair as analogs of the read_registry and write_registry scopes that Dependency Proxy has been using.

Roadmap

We'll introduce the changes across several MRs:

  • Introduce the write_virtual_registry scope <- We are here
    • personal access tokens, group access tokens and deploy tokens with new scopes can be created using the API
  • UI changes + Doc changes
    • personal access tokens, group access tokens and deploy tokens with new scopes can be created using the UI
  • We start checking and accepting the new scopes
    • Old tokens with read_registry and write_registry are still accepted - support for these will be removed in a breaking change
    • Tokens with the new scopes will be accepted

What does this MR do and why?

In this MR we add the DB column and constants for the new write_virtual_registry scope. Tokens with the new scopes can be created, but we do not yet check against these scopes.

References

#336800 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

NA. There are no UI changes 🌈

How to set up and validate locally

Have a personal access token for an administrator ready.

  1. Test that old scopes still work. Create a new personal access token with the old scopes:

```shell
curl --request POST --header "PRIVATE-TOKEN: <admin personal-access-token>" \
  --data "name=testcontrol" --data "expires_at=2025-04-04" \
  --data "scopes[]=api,read_registry,write_registry" \
  "http://gdk.test:3000/api/v4/users/1/personal_access_tokens"
```

  2. Create a new personal access token with the new scopes:

```shell
curl --request POST --header "PRIVATE-TOKEN: <admin personal-access-token>" \
  --data "name=testread" --data "expires_at=2025-04-04" \
  --data "scopes[]=api,read_virtual_registry,write_virtual_registry" \
  "http://gdk.test:3000/api/v4/users/<user_id_of_admin>/personal_access_tokens"
```

  3. Create a new group access token with the new scopes:

```shell
curl --request POST --header "PRIVATE-TOKEN: <admin-personal-access-token>" \
  --header "Content-Type: application/json" \
  --data '{ "name":"test_token", "scopes":["api", "read_virtual_registry", "write_virtual_registry"], "expires_at":"2025-01-31", "access_level": 30 }' \
  "http://gdk.test:3000/api/v4/groups/<group_id>/access_tokens"
```

  4. Create a new deploy token with the new scopes:

```shell
curl --request POST --header "PRIVATE-TOKEN: <admin-personal-access-token>" \
  --header "Content-Type: application/json" \
  --data '{"name": "My deploy token", "expires_at": "2025-01-01", "username": "<admin-username>", "scopes": ["read_virtual_registry", "write_virtual_registry"]}' \
  "http://gdk.test:3000/api/v4/groups/<group-id>/deploy_tokens/"
```
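The roadmap's third step ("We start checking and accepting the new scopes") is where the tokens created above get evaluated. The following is an added illustration, not GitLab's code: it models the transition rule from this MR (legacy read_registry/write_registry still accepted as analogs of the new scopes until a breaking change drops them), with a flag standing in for that breaking change. The module and method names are assumptions.

```ruby
require 'set'

# Added example modelling the planned scope check; not GitLab's implementation.
module VirtualRegistryScopes
  # Dedicated virtual registry scopes introduced by this series of MRs.
  READ  = :read_virtual_registry
  WRITE = :write_virtual_registry

  # Legacy Container Registry scopes that Dependency Proxy has been reusing,
  # each mapped to the new scope it is treated as an analog of.
  LEGACY_ANALOGS = {
    read_registry:  READ,
    write_registry: WRITE
  }.freeze

  # Effective virtual-registry scopes granted by a token's scope list.
  # While accept_legacy is true the old scopes are translated; once the
  # breaking change lands (accept_legacy: false) they grant nothing here.
  def self.effective_scopes(token_scopes, accept_legacy: true)
    scopes = token_scopes.map(&:to_sym).to_set
    effective = scopes & [READ, WRITE]
    if accept_legacy
      LEGACY_ANALOGS.each { |legacy, analog| effective << analog if scopes.include?(legacy) }
    end
    effective
  end

  # Is the token allowed to perform +action+ (:read or :write) on the virtual registry?
  def self.allowed?(token_scopes, action, accept_legacy: true)
    required = { read: READ, write: WRITE }.fetch(action)
    effective_scopes(token_scopes, accept_legacy: accept_legacy).include?(required)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scope lists mirroring the tokens created in the validation steps.
  legacy_pat = %w[api read_registry write_registry]
  new_pat    = %w[api read_virtual_registry write_virtual_registry]
  deploy_tok = %w[read_virtual_registry write_virtual_registry]

  puts "legacy PAT write, before breaking change: #{VirtualRegistryScopes.allowed?(legacy_pat, :write)}"
  puts "legacy PAT write, after breaking change:  #{VirtualRegistryScopes.allowed?(legacy_pat, :write, accept_legacy: false)}"
  puts "new PAT write: #{VirtualRegistryScopes.allowed?(new_pat, :write)}"
  puts "deploy token read: #{VirtualRegistryScopes.allowed?(deploy_tok, :read)}"
end
```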

Related to #336800 (closed)

Edited by Radamanthus Batnag
