Use the Dependency Proxy with private GitLab projects
Problem to solve
We introduced the dependency proxy for containers with https://gitlab.com/gitlab-org/gitlab-ee/issues/7934. The MVC feature is only enabled for public projects because the caching proxy does not yet support authentication. In order to make it available to all projects, we need to add authentication in order to avoid a potential DDoS where someone is making unauthorized requests against a private proxy.
Intended users
Proposal
Add authentication for private projects, based on appropriate credentials for that project.
- When the user executes a `docker pull` command, the client makes a request to the GitLab Dependency Proxy URL.
- When the request hits `DependencyProxyForContainersController` for a private group, we return 401 with a `WWW-Authenticate` header whose realm points toward some `auth` route.
- This makes the docker client send a request to the provided `auth` route with username and password (or PAT).
- We check the user/password combination and return an OAuth2 token if it is valid.
- This makes the docker client repeat the request to `DependencyProxyForContainersController`, now with the OAuth2 token added to the header. We use the OAuth2 token to set the `current_user` variable and check for access to the private group. Then we proceed with the request as we do for a public group.
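As an added illustration of the flow above (example code, not GitLab's own), a self-contained Ruby model of the three steps: the 401 challenge, the token issued by an assumed `/jwt/auth` route, and the retried request carrying a Bearer token that sets `current_user` and checks group access. The users, PATs and groups are constructed, and the token is a plain HMAC-signed payload standing in for whatever OAuth2/JWT token the real implementation issues.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Constructed sample data standing in for GitLab users, PATs and group membership.
USERS = { 'alice' => { pat: 'glpat-ALICE-EXAMPLE', groups: ['private-group'] },
          'bob'   => { pat: 'glpat-BOB-EXAMPLE',   groups: [] } }.freeze
GROUPS = { 'public-group' => :public, 'private-group' => :private }.freeze
TOKEN_KEY = SecureRandom.bytes(32)                  # per-process signing key (constructed)
AUTH_REALM = 'https://gitlab.example.com/jwt/auth'  # assumed auth route, not a real GitLab path

# Compare secrets without leaking their length or the mismatch position through timing.
def same_secret?(a, b)
  OpenSSL::HMAC.digest('SHA256', TOKEN_KEY, a) == OpenSSL::HMAC.digest('SHA256', TOKEN_KEY, b)
end

# Step 2: an unauthenticated request for a private group gets 401 plus a Bearer challenge.
def challenge(group)
  www = %(Bearer realm="#{AUTH_REALM}",service="dependency_proxy",scope="group:#{group}:pull")
  { status: 401, headers: { 'WWW-Authenticate' => www } }
end

# Step 4: the auth route checks username/PAT and returns a short-lived signed token.
def issue_token(username, password, now: Time.now.to_i)
  user = USERS[username]
  return nil unless user && same_secret?(user[:pat], password)
  payload = Base64.urlsafe_encode64(JSON.generate(user: username, exp: now + 300), padding: false)
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', TOKEN_KEY, payload)}"
end

# Step 5: derive current_user from the Authorization header; nil means "not authenticated".
def current_user_from(authorization, now: Time.now.to_i)
  return nil unless authorization&.start_with?('Bearer ')
  payload, sig = authorization.delete_prefix('Bearer ').split('.', 2)
  return nil unless payload && sig && same_secret?(sig, OpenSSL::HMAC.hexdigest('SHA256', TOKEN_KEY, payload))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  claims['exp'] > now ? claims['user'] : nil  # reject expired tokens
rescue ArgumentError, JSON::ParserError
  nil
end

# The controller action: public groups are served as before, private groups need an authorized member.
def handle_pull(group, authorization, now: Time.now.to_i)
  return { status: 404 } unless GROUPS.key?(group)
  return { status: 200 } if GROUPS[group] == :public
  user = current_user_from(authorization, now: now)
  return challenge(group) unless user
  return { status: 403 } unless USERS.dig(user, :groups)&.include?(group)
  { status: 200 }
end
```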
Further details
Permissions and Security
- The proxy will require authentication to avoid utilization of bandwidth or storage resources by an unauthorized user in a denial-of-service scenario, in particular for gitlab.com where everything is publicly routable. This could be achieved through asking the proxy to fetch remote resources until the storage is full.
- The feature belongs at the group level, but complicates authentication because a group can contain a mix of public and private projects, with different permissions. One straightforward option here is to allow usage of a project token from any project that is a member of the group to authenticate.
Documentation
We will update the Dependency Proxy Documentation to include details about authentication.
Testing
- Test authentication for private projects, groups and sub-groups
- Test private projects that haven't authenticated
- Automate the feature test to use the dependency proxy with a private project
What does success look like, and how can we measure that?
Success looks like we have made the dependency proxy available for private and public projects.
We do not currently have the ability to track this data, however https://gitlab.com/gitlab-org/gitlab-ce/issues/61583 will help us to start tracking and measuring this data so we can make better predictions about usage and adoption.
What is the type of buyer?
For now, the dependency proxy is focused on premium and ultimate customers.
In order to expand to additional buyer types we need to improve performance and support Unicorn. This issue details those efforts: https://gitlab.com/gitlab-org/gitlab-ee/issues/11548