Skip to content

Bypassing admin mode for jwtcontroller

Smriti Garg requested to merge smriti-419899/admin_mode_pat_not_working into master

Solves #419899 (closed)

Currently admin mode Application setting interferes the authorization process for admin user while docker login. If admin mode is enabled the login fails with error -

Error response from daemon: Head "<registry_location>": unauthorized: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gdk.test:3443/help/user/profile/account/two_factor_authentication#troubleshooting

This should not be the case, since this is an application setting mainly applicable for Api based requests and interactive requests. I am skipping this check for JwtController which will allow the admin user to pull container image from registry irrespective of admin mode setting in application.

Steps to reproduce

  1. Admin Mode is enabled instance-wide (https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#use-the-ui-to-enable-admin-mode), that is, it will be mandatory for admins to enable admin mode on their session when they try to access the admin interface.
  2. Then create a PAT for the admin user with the read_registry & admin_mode scopes.
  3. Use that token to try to get a docker image from a private project where the admin user is not a member. It will fail without changes in this MR.
  4. Now disable the Admin Mode setting instance-wide (not in the web session of the logged-in user, that's a dynamic setting of the web session).
  5. Try again to pull the same image, it will work now.

Once the changes in the MR are in effect Step 3 should not fail

Edited by Smriti Garg

Merge request reports

Loading