Bypassing admin mode for jwtcontroller
Solves #419899 (closed)
Currently the admin mode application setting interferes with the authorization process for an admin user during docker login. If admin mode is enabled, the login fails with the error:

Error response from daemon: Head "<registry_location>": unauthorized: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gdk.test:3443/help/user/profile/account/two_factor_authentication#troubleshooting

This should not be the case, since this is an application setting mainly applicable to API-based requests and interactive requests. I am skipping this check for JwtController, which will allow the admin user to pull container images from the registry irrespective of the admin mode setting in the application.
Steps to reproduce

- Admin Mode is enabled instance-wide (https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#use-the-ui-to-enable-admin-mode), that is, it is mandatory for admins to enable admin mode on their session when they try to access the admin interface.
- Then create a PAT for the admin user with the read_registry and admin_mode scopes.
- Use that token to try to get a docker image from a private project where the admin user is not a member. It will fail without the changes in this MR.
- Now disable the Admin Mode setting instance-wide (not in the web session of the logged-in user; that's a dynamic setting of the web session).
- Try again to pull the same image; it will work now.

Once the changes in the MR are in effect, Step 3 should not fail.
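The following is an added illustration, not GitLab's own code: a minimal model of the access decision the steps above exercise, so the before/after behaviour for the docker login (JWT) path and the API/interactive path can be checked side by side. The names `Request`, `admin_privileges?`, `can_pull_image?` and `reproduce` are hypothetical, and the model assumes the JWT path has no interactive session in which admin mode could be enabled.

```ruby
# Added illustration (hypothetical model, not GitLab's implementation).
# A request is either an :api/:interactive call or the :jwt call made by
# docker login. admin_mode_active models an admin-mode-enabled web session.
Request = Struct.new(:kind, :user_admin, :admin_mode_active, keyword_init: true)

# Does this request get admin privileges under the instance-wide setting?
# skip_for_jwt models the MR's change: the admin mode check is not applied
# to the JWT (docker login) path, only to API-based/interactive requests.
def admin_privileges?(request, setting_enabled:, skip_for_jwt:)
  return false unless request.user_admin
  return true unless setting_enabled            # setting off: admin is admin
  return true if skip_for_jwt && request.kind == :jwt
  request.admin_mode_active                     # API/interactive: need admin mode
end

# Pulling from a private project needs membership or admin privileges.
def can_pull_image?(request, project_member:, setting_enabled:, skip_for_jwt:)
  project_member ||
    admin_privileges?(request, setting_enabled: setting_enabled,
                               skip_for_jwt: skip_for_jwt)
end

# Walks the reproduction steps: admin, not a member, pulling via docker login.
def reproduce
  docker_login = Request.new(kind: :jwt, user_admin: true, admin_mode_active: false)
  pull = ->(setting_enabled, skip_for_jwt) do
    can_pull_image?(docker_login, project_member: false,
                    setting_enabled: setting_enabled, skip_for_jwt: skip_for_jwt)
  end
  {
    before_setting_on:  pull.call(true, false),   # step 3: fails before the MR
    before_setting_off: pull.call(false, false),  # step 5: works with setting off
    after_setting_on:   pull.call(true, true)     # step 3 after the MR: works
  }
end

puts reproduce.inspect if $PROGRAM_NAME == __FILE__
```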
Edited by Smriti Garg