Skip to content

Clarify write_registry permission

Filip Aleksic requested to merge deploy-write-access-only into master

What does this MR do and why?

  • Clarifies the wording for DeployTokens's write_registry permission, that the permission is write only, and does not include read permissions scope.

Limiting scopes of a deploy token references this and clarifies that the write_registry permission only allows write access. Checking this manually the token only grants write access, not read, therefore the UI entry needs to be updated to reflect that.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Step 1: Create a repository

Step 2: Create a key that only has write_registry permission

Step 3: Build a Dockerfile and try to pull the image with the above credentials

Example:

echo -e "\e[31mLogin with write-only token\e[0m"

podman login -u $WRITE_ONLY_USER -p $WRITE_ONLY_PASS registry.gitlab.com

echo -e "\e[31mCheck if write-only token can read\e[0m"

podman pull registry.gitlab.com/$USERNAME/$PROJECT:latest

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading