Update deploy token package permissions
What does this MR do?
Currently, using a deploy token with write_package_registry
scope will not work with Maven packages. The mvn deploy
command will make a GET request which will require :read_package
permission, however the write_package_registry
scope does not currently include :read_package
, so the package publication will fail.
This MR adds the missing permission to group and project deploy tokens.
Screenshots (strongly suggested)
Before (mvn deploy failure)
mvn deploy -s settings.xml [INFO] Scanning for projects... [INFO] [INFO] --------------------< foo.bar.app:my-maven-package >-------------------- [INFO] Building my-maven-package 1.0-SNAPSHOT [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:3.0.2:resources (default-resources) @ my-maven-package --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ my-maven-package --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:3.0.2:testResources (default-testResources) @ my-maven-package --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ my-maven-package --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ my-maven-package --- [INFO] [INFO] ------------------------------------------------------- [INFO] T E S T S [INFO] ------------------------------------------------------- [INFO] Running com.mycompany.app.AppTest [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.023 s - in com.mycompany.app.AppTest [INFO] [INFO] Results: [INFO] [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0 [INFO] [INFO] [INFO] --- maven-jar-plugin:3.0.2:jar (default-jar) @ my-maven-package --- [INFO] Building jar: /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar [INFO] [INFO] --- maven-install-plugin:2.5.2:install (default-install) @ my-maven-package --- [INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.jar [INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/pom.xml to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.pom [INFO] [INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ my-maven-package --- Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml [WARNING] Could not transfer metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml from/to gitlab-maven (http://gdk.test:3001/api/v4/projects/22/packages/maven): Authorization failed for http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml 403 Forbidden [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 2.299 s [INFO] Finished at: 2020-11-13T10:12:45-07:00 [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project my-maven-package: Failed to retrieve remote metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml: Could not transfer metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml from/to gitlab-maven (http://gdk.test:3001/api/v4/projects/22/packages/maven): Authorization failed for http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml 403 Forbidden -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
After (mvn deploy success)
mvn deploy -s settings.xml [INFO] Scanning for projects... [INFO] [INFO] --------------------< foo.bar.app:my-maven-package >-------------------- [INFO] Building my-maven-package 1.0-SNAPSHOT [INFO] --------------------------------[ jar ]--------------------------------- [INFO] [INFO] --- maven-resources-plugin:3.0.2:resources (default-resources) @ my-maven-package --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/main/resources [INFO] [INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ my-maven-package --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-resources-plugin:3.0.2:testResources (default-testResources) @ my-maven-package --- [INFO] Using 'UTF-8' encoding to copy filtered resources. [INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/test/resources [INFO] [INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ my-maven-package --- [INFO] Nothing to compile - all classes are up to date [INFO] [INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ my-maven-package --- [INFO] [INFO] ------------------------------------------------------- [INFO] T E S T S [INFO] ------------------------------------------------------- [INFO] Running com.mycompany.app.AppTest [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.027 s - in com.mycompany.app.AppTest [INFO] [INFO] Results: [INFO] [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0 [INFO] [INFO] [INFO] --- maven-jar-plugin:3.0.2:jar (default-jar) @ my-maven-package --- [INFO] [INFO] --- maven-install-plugin:2.5.2:install (default-install) @ my-maven-package --- [INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.jar [INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/pom.xml to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.pom [INFO] [INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ my-maven-package --- Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.jar Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.jar (2.9 kB at 225 B/s) Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.pom Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.pom (3.2 kB at 1.7 kB/s) Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml (771 B at 394 B/s) Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml (285 B at 156 B/s) [INFO] ------------------------------------------------------------------------ [INFO] BUILD SUCCESS [INFO] ------------------------------------------------------------------------ [INFO] Total time: 31.881 s [INFO] Finished at: 2020-11-13T10:13:34-07:00 [INFO] ------------------------------------------------------------------------
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry - [-] Documentation (if required)
-
Code review guidelines -
Merge request performance guidelines -
Style guides - [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. - [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Related to #282499 (closed)
Edited by Steve Abrams