(Rails) Support Personal Access Token (PAT) authentication with `user_access`
Description
This issue is to implement Personal Access Token authentication with user_access
keyword. This is useful to support agent access from the local terminal. See Design: Provide a user-based kubeconfig using t... (#331431) for more information.
It's also possible to use Project access tokens as it's basically service account + PAT.
Since glab
uses PAT for authentication, we can easily generate KUBECONFIG
for Design: Provide a user-based kubeconfig using t... (#331431).
A few notes:
- We've already implemented Browser cookie on GitLab frontend.
Implementation Guide
See full comment here: #409028 (comment 1487010922)
- Implement new
k8s_proxy
scope for PATs- *Awaiting input from
@dblessing
, see #409028 (comment 1488081442) *
- *Awaiting input from
- We need to extend the internal Kubernetes API endpoint at
/kubernetes/authorize_proxy_user
with a newaccess_type
that isaccess_token
. The current implementation always expects theaccess_type
to besession_cookie
. - The only difference to the current implementation is how to get an authorized user from the provided access token.
- For finding the user we should be able to use something like
find_user_from_access_token
- We also want to make sure that the provided token ONLY has the new
k8s_proxy
scope - The actual authorization for the agent is done in the Agent finder.
- For finding the user we should be able to use something like
KAS Implementation Issue is here: Support Personal Access Token (PAT) authenticat... (gitlab-org/cluster-integration/gitlab-agent#439 - closed)
Edited by Timo Furrer