Add logging and metrics for PAT scope enforcement in Dependency Proxy
What does this MR do and why?
Add logging and metrics to Dependency Proxy authentication so that we can collect data on how many users will be affected by the planned PAT scope change in #426887.
References
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
NA
How to set up and validate locally
🧪 Setup
Dependency proxy is enabled by default.
Prepare two PATs:
- (1) with `read_registry` and `write_registry` scopes
- (2) with `read_registry` scope only

Have a dependency proxy URL (e.g. `gdk.test:3000/<group_id>/dependency_proxy/containers`) ready.

Before running the tests, tail the authentication logs with:

```shell
tail -f log/auth_json.log | grep "Denied dependency proxy permissions"
```
🔬 Testing
- Log in to the Dependency Proxy using PAT (1):

```shell
docker login gdk.test:3000/<group_id>/dependency_proxy/containers -u <username> -p <pat1>
```

Expected result: `Login Succeeded`. There should be no output in the `auth_json.log` tail.
- Log in to the Dependency Proxy using PAT (2), with the same `docker login` command but the second token:

Expected result: `Login Succeeded`. There should be one entry in the `auth_json.log` tail:

```json
{"severity":"WARN","time":"2025-02-18T14:38:45.846Z","correlation_id":"01JMCQYGS1NE7JE2YBV0P8KCSS","meta.caller_id":"JwtController#auth","meta.feature_category":"container_registry","meta.organization_id":1,"meta.remote_ip":"172.16.123.1","meta.http_router_rule_action":"proxy","meta.user":"root","meta.user_id":1,"meta.client_id":"user/1","message":"Denied dependency proxy permissions","authentication_abilities":["read_container_image"],"username":"root","user_id":1}
```
`docker pull` should still succeed for both PATs. Example:

```shell
docker pull gdk.test:3000/flightjs/dependency_proxy/containers/alpine:latest
```
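To turn the tailed warnings into the number the MR is after (how many distinct users would be affected by enforcing `write_registry`), the following script summarises `Denied dependency proxy permissions` entries from `auth_json.log`. It is an added example for this description, not code from the MR or from GitLab; it assumes only the JSON-lines shape shown above (`message`, `user_id`, `username`, `authentication_abilities`), and the sample log text embedded in it is constructed, not captured from a real instance.

```python
"""Summarise 'Denied dependency proxy permissions' warnings from auth_json.log.

Added example (not GitLab code). Assumes each log line is a JSON object with
the fields seen in the MR description; everything else is skipped.
"""
import json
from collections import Counter

DENIED_MESSAGE = "Denied dependency proxy permissions"

# Constructed sample of auth_json.log lines: two denials for user 1, one for
# user 2, one unrelated INFO entry, and one malformed line (as a partial write
# while tailing might produce).
SAMPLE_LOG = """\
{"severity":"WARN","time":"2025-02-18T14:38:45.846Z","meta.caller_id":"JwtController#auth","message":"Denied dependency proxy permissions","authentication_abilities":["read_container_image"],"username":"root","user_id":1}
{"severity":"INFO","time":"2025-02-18T14:39:00.000Z","meta.caller_id":"JwtController#auth","message":"Dependency proxy login","username":"root","user_id":1}
{"severity":"WARN","time":"2025-02-18T14:40:12.101Z","meta.caller_id":"JwtController#auth","message":"Denied dependency proxy permissions","authentication_abilities":["read_container_image"],"username":"alice","user_id":2}
not json at all
{"severity":"WARN","time":"2025-02-18T14:41:30.500Z","meta.caller_id":"JwtController#auth","message":"Denied dependency proxy permissions","authentication_abilities":["read_container_image"],"username":"root","user_id":1}
"""


def parse_denied_events(log_text):
    """Yield parsed entries whose message is the denial warning.

    Lines that are not valid JSON are skipped rather than aborting the run.
    """
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("message") == DENIED_MESSAGE:
            yield entry


def summarise_denials(log_text):
    """Return (distinct_user_count, denials per user, denials per ability set).

    Users are keyed by (user_id, username); ability sets are sorted tuples so
    that the same set of scopes always lands in one bucket.
    """
    per_user = Counter()
    per_abilities = Counter()
    for entry in parse_denied_events(log_text):
        per_user[(entry.get("user_id"), entry.get("username"))] += 1
        abilities = tuple(sorted(entry.get("authentication_abilities", [])))
        per_abilities[abilities] += 1
    return len(per_user), per_user, per_abilities


def summarise_file(path):
    """Convenience wrapper for a real log file, e.g. log/auth_json.log."""
    with open(path, encoding="utf-8") as fh:
        return summarise_denials(fh.read())


if __name__ == "__main__":
    users, per_user, per_abilities = summarise_denials(SAMPLE_LOG)
    print(f"{users} distinct user(s) would be affected by scope enforcement")
    for (user_id, username), count in per_user.most_common():
        print(f"  user_id={user_id} username={username}: {count} denial(s)")
    for abilities, count in per_abilities.items():
        print(f"  abilities={list(abilities)}: {count} denial(s)")
```

Point `summarise_file` at the real `log/auth_json.log` after the test run; with the sample data above it reports 2 affected users, with `root` denied twice and `alice` once.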
Related to #519395 (closed)