Add write_registry scope to deploy tokens
What does this MR do?
This MR adds a new scope to deploy tokens: write_registry
, which allows the deploy token to have :create_container_image
permissions. The token allows users to push images to the container registry (where read_registry only allowed for pulling images).
Database
deploy_tokens
has less than 160000 records.
Up migration
== 20200406192059 AddWriteRegistryToDeployTokens: migrating ===================
-- transaction_open?()
-> 0.0000s
-- execute("SET statement_timeout TO 0")
-> 0.0004s
-- transaction()
-- add_column(:deploy_tokens, :write_registry, :boolean, {:default=>nil})
-> 0.0023s
-- change_column_default(:deploy_tokens, :write_registry, false)
-> 0.0038s
-> 0.0070s
-- columns(:deploy_tokens)
-> 0.0015s
-- transaction_open?()
-> 0.0000s
-- exec_query("SELECT COUNT(*) AS count FROM \"deploy_tokens\"")
-> 0.0048s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1")
-> 0.0005s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 1 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
-> 0.0004s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 1 AND \"deploy_tokens\".\"id\" < 2")
-> 0.0007s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 2 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
-> 0.0003s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 2 AND \"deploy_tokens\".\"id\" < 3")
-> 0.0005s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 3 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
-> 0.0004s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 3")
-> 0.0004s
-- change_column_null(:deploy_tokens, :write_registry, false)
-> 0.0005s
-- execute("RESET ALL")
-> 0.0002s
== 20200406192059 AddWriteRegistryToDeployTokens: migrated (0.0195s) ==========
Down migration
== 20200406192059 AddWriteRegistryToDeployTokens: reverting ===================
-- remove_column(:deploy_tokens, :write_registry)
-> 0.0014s
== 20200406192059 AddWriteRegistryToDeployTokens: reverted (0.0015s) ==========
Screenshots
Blank deploy token form with new option:
Form after successful token creation:
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides - [-] Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers - [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Related #22743 (closed)
Edited by Craig Norris