Skip to content

Log when container registry permissions are denied

Stan Hu requested to merge sh-log-container-registry-access-warnings into master

If a user does not have access to pull or push to a container registry, the /jwt/auth endpoint can still return a 200 success but the registry may reject the request due to insufficient access. To help track down intermittent failures, we now log a warning in auth.log if the requested permissions don't match the granted permissions.

Relates to #23644 (closed)

Example

{
  "severity": "WARN",
  "time": "2020-05-10T04:04:43.834Z",
  "correlation_id": "dc5303995c85257d25afe0ab4008def3",
  "message": "Denied container registry permissions",
  "scope_type": "repository",
  "requested_project_path": "namespace7/project7",
  "requested_actions": [
    "*"
  ],
  "authorized_actions": [],
  "username": "user14",
  "user_id": 14
}
Edited by Stan Hu

Merge request reports

Loading