Clarify Container Registry token permission
What does this MR do and why?
Creating a token that has only write permissions results in a token that can't do anything: in order to push an image, you also need to be able to read. This is mentioned in one place in the docs, but it is wrong or misleading in others (1, 2, 3, 4), as well as in the application itself.
This frequently causes confusion for users, who assume that a token with only `write_registry` would be enough to push images. A recent example would be

I was initially confused a little by our current wording for deploy tokens: "Allows read and write access to registry images." That is so clearly mentioning read permissions that I was wondering if it might be technically correct in some way. But I did some tests and, best I can tell, that wording is simply incorrect. A token with only `write_registry` can't push an image, and it also can't pull an image. If it does have some form of "read access", I'm unable to determine how that manifests. Either way, I believe that the text should align with what is relevant to people in practice.
I performed this test with a:
- Deploy Token
- Personal Access Token
- Project Access Token
- Group Access Token
In every instance a token that has only `write_registry` is unusable. You get a `denied: requested access to the resource is denied` error when trying to pull as well as when trying to push. That is expected, but our language to highlight this is insufficient.
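The pull/push behaviour described above, turned into a small audit that flags tokens carrying `write_registry` without `read_registry`. This is an added example, not code from the merge request or from GitLab; the fetch helper assumes the `GET /projects/:id/access_tokens` REST endpoint and takes a placeholder base URL and admin token, while the classification and audit functions are pure and run on the constructed sample below.

```python
"""Audit GitLab access tokens for the unusable write-only registry scope.

Added example, not part of the merge request. A token whose scopes include
write_registry but not read_registry can neither push nor pull images
(this page's finding), so such tokens are reported as misconfigured.
"""
import json
import urllib.request

READ, WRITE = "read_registry", "write_registry"


def classify_registry_access(scopes):
    """Map a token's scope list to (can_pull, can_push)."""
    scopes = set(scopes)
    can_pull = READ in scopes
    can_push = WRITE in scopes and READ in scopes  # write alone is not enough
    return can_pull, can_push


def audit_tokens(tokens):
    """Return names of live tokens with write_registry but no read_registry."""
    findings = []
    for tok in tokens:
        if tok.get("revoked") or not tok.get("active", True):
            continue  # revoked or inactive tokens cannot be used anyway
        scopes = tok.get("scopes", [])
        _, can_push = classify_registry_access(scopes)
        if WRITE in scopes and not can_push:
            findings.append(tok["name"])
    return findings


def fetch_project_tokens(base_url, project_id, admin_token):
    """Fetch project access tokens; base_url and admin_token are placeholders."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/access_tokens",
        headers={"PRIVATE-TOKEN": admin_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample in the shape of the API response (not real tokens).
SAMPLE_TOKENS = [
    {"name": "ci-push", "scopes": ["write_registry"], "active": True, "revoked": False},
    {"name": "ci-pull", "scopes": ["read_registry"], "active": True, "revoked": False},
    {"name": "ci-both", "scopes": ["read_registry", "write_registry"], "active": True, "revoked": False},
    {"name": "old-push", "scopes": ["write_registry"], "active": False, "revoked": True},
]

if __name__ == "__main__":
    print("write-only registry tokens:", audit_tokens(SAMPLE_TOKENS))
```

To run it against a live instance, replace `SAMPLE_TOKENS` with the result of `fetch_project_tokens(...)`; the same audit applies to group tokens if you point the URL at the group endpoint instead.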
Relevant groups
- group::container registry, because that's what is being accessed
- group::environments owns Deploy Tokens
- group::authentication owns GrAT, PrAT and PAT
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
The UI (text) changes in the application are in:
- `/-/user_settings/personal_access_tokens` (click "Add New Token")
- `/your-namespace/your-project/-/settings/repository` (click "Add Token" in the Deploy tokens section)
- `/your-namespace/your-project/-/settings/access_tokens` (click "Add New Token")
- `/groups/your-namespace/-/settings/access_tokens` (click "Add New Token")