
Mention Container Registry and Dependency Proxy in api scope

João Pereira requested to merge update-api-scope-desc into master

What does this MR do and why?

The api scope for access tokens grants read and write access to the Container Registry and Dependency Proxy. However, the documentation and UI do not reflect that. This was found during the review of !129697 (merged).

Documentation

  1. There is no mention of the api scope at https://docs.gitlab.com/ee/user/packages/dependency_proxy/:

    image

  2. We only mention the Package Registry (not the Container Registry and Dependency Proxy) at https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#scopes-for-a-group-access-token:

    image

UI

  1. No mention of the dependency proxy at https://gitlab.com/-/profile/personal_access_tokens:

    api_pat_before_ui

  2. No mention of the dependency proxy and container registry at http://gitlab.com/groups/my-group/-/settings/access_tokens:

    api_gat_before_ui

Current implementation

Here is the code path for the api scope, which includes admin_container_image, thus granting read/write access to the Container Registry and Dependency Proxy (the latter reuses the read_registry and write_registry container registry scopes): lib/gitlab/auth.rb#L271 > lib/gitlab/auth.rb#L390

Screenshots or screen recordings

  1. https://gitlab.com/-/profile/personal_access_tokens:

    api_pat_after_ui

  2. http://gitlab.com/groups/my-group/-/settings/access_tokens:

    api_gat_after_ui

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by João Pereira
