"Admin Area Protected Paths" is not compatible with "Git and container registry failed authentication ban"
Summary
It is currently not possible to migrate from Omnibus protected paths throttle to the new Admin Area protected paths throttle, while using Git and container registry failed authentication ban.
This is because the Omnibus gitlab.rb setting gitlab_rails['rack_attack_git_basic_auth']['enabled'], when true:
- Disables Admin Area protected paths (in favor of Omnibus protected paths)
- Enables Git and container registry failed authentication ban
And when false:
- Allows usage of Admin Area protected paths
- Disables Git and container registry failed authentication ban
See discussion here #34212 (comment 247319683)
Possible fixes
- Introduce a gitlab.rb setting gitlab_rails['rack_attack_admin_area_protected_paths_enabled'] = true which prioritizes Admin Area protected paths over Omnibus protected paths. If false or unset, it has no effect.
- Update doc https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#migrate-settings-from-gitlab-123-and-earlier
- Inform people who disabled rack_attack_git_basic_auth that they may wish to turn it back on to reenable the Git and container registry authentication ban
Edited by Michael Kozono