mirror of
https://github.com/gitlabhq/gitlabhq.git
synced 2025-07-23 02:54:40 +00:00
21 lines
1.5 KiB
YAML
- title: "Dependency Proxy token scope enforcement"
  announcement_milestone: "17.9"
  removal_milestone: "18.0"
  breaking_change: true
  reporter: trizzi
  stage: Package
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/426887
  impact: high
  scope: group
  resolution_role: maintainer
  manual_task: true
  window: "3"
  body: |
    The Dependency Proxy for containers accepts `docker login` and `docker pull` requests using personal access tokens or group access tokens without validating their scopes.

    In GitLab 18.0, the Dependency Proxy will require both `read_registry` and `write_registry` scopes for authentication. After this change, authentication attempts using tokens without these scopes will be rejected.

    This is a breaking change. Before you upgrade, create new access tokens with the [required scopes](https://docs.gitlab.com/user/packages/dependency_proxy/#authenticate-with-the-dependency-proxy-for-container-images), and update your workflow variables and scripts with these new tokens.

    To assess how this change impacts your GitLab Self-Managed instance, you can monitor authentication logs for warning messages in GitLab 17.10 and later. In your `auth_json.log` file, look for entries that contain `Dependency proxy missing authentication abilities`. If you're using GitLab Helm charts or GitLab Dedicated, then the logs will be in `component: "gitlab"` and `subcomponent: "auth_json"`. These entries show authentication attempts using tokens without the required scopes, which will fail after upgrading to GitLab 18.0.
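To automate the log check the `body` above describes, here is an added Python example; it is not part of this deprecation file or of GitLab's own tooling. It filters `auth_json.log` lines (plain, or Helm/Dedicated lines tagged `component: "gitlab"` and `subcomponent: "auth_json"`) for the documented warning; the `username` and `path` field names and the sample lines are assumptions constructed for the example.

```python
"""Scan GitLab auth_json.log lines for Dependency Proxy token-scope warnings."""
import json
from collections import Counter

# Warning text emitted by GitLab 17.10 and later when a token lacks the required scopes.
MARKER = "Dependency proxy missing authentication abilities"

# Constructed sample lines, not real GitLab output. The "username" and "path"
# keys are assumptions about the log schema; adjust them to what your instance emits.
SAMPLE_LOG = """\
{"severity":"WARN","time":"2025-03-01T10:00:00Z","message":"Dependency proxy missing authentication abilities","username":"ci-bot","path":"/v2/mygroup/dependency_proxy/containers/library/alpine/manifests/latest"}
{"severity":"INFO","time":"2025-03-01T10:00:01Z","message":"successful login","username":"alice"}
{"component":"gitlab","subcomponent":"auth_json","severity":"WARN","message":"Dependency proxy missing authentication abilities","username":"deploy-bot","path":"/v2/mygroup/dependency_proxy/containers/library/nginx/manifests/1.27"}
{"component":"gitlab","subcomponent":"rails","severity":"WARN","message":"Dependency proxy missing authentication abilities"}
this line is not json
"""


def is_auth_log_entry(entry: dict) -> bool:
    """Accept plain auth_json.log entries, and aggregated Helm/Dedicated entries only
    when they carry component "gitlab" and subcomponent "auth_json"."""
    if "component" in entry or "subcomponent" in entry:
        return entry.get("component") == "gitlab" and entry.get("subcomponent") == "auth_json"
    return True


def find_scope_warnings(log_text: str) -> Counter:
    """Count warning entries per (username, path) so each affected token can be rotated."""
    hits: Counter = Counter()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the whole scan
        if not is_auth_log_entry(entry):
            continue
        if MARKER in str(entry.get("message", "")):
            hits[(entry.get("username", "<unknown>"), entry.get("path", "<unknown>"))] += 1
    return hits


if __name__ == "__main__":
    for (user, path), count in find_scope_warnings(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {user}  {path}")
```

Point it at the real file with `find_scope_warnings(open("/var/log/gitlab/gitlab-rails/auth_json.log").read())` and every listed user/path pair is a token that will be rejected after the 18.0 upgrade.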