@@ -59,7 +59,7 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu
| `CI_JOB_NAME` | 9.0 | 0.5 | The name of the job. |
| `CI_JOB_STAGE` | 9.0 | 0.5 | The name of the job's stage. |
| `CI_JOB_STATUS` | all | 13.5 | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/README.md#after_script). Can be `success`, `failed`, or `canceled`. |
| `CI_JOB_TOKEN` | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../../api/README.md#gitlab-ci-job-token) or download [dependent repositories](../../user/project/new_ci_build_permissions_model.md#dependent-repositories). The token is valid as long as the job is running. |
| `CI_JOB_TOKEN` | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../../api/README.md#gitlab-cicd-job-token). The token is valid as long as the job is running. |
@@ -71,7 +71,7 @@ You can use the runner registration token to add runners that execute jobs in a
After registration, the runner receives an authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue. The authentication token is stored locally in the runner's [`config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) file.
After authentication with GitLab, the runner receives a [job token](../user/project/new_ci_build_permissions_model.md#job-token), which it uses to execute the job.
After authentication with GitLab, the runner receives a [job token](../api/README.md#gitlab-cicd-job-token), which it uses to execute the job.
In case of Docker Machine/Kubernetes/VirtualBox/Parallels/SSH executors, the execution environment has no access to the runner authentication token, because it stays on the runner machine. They have access to the job token only, which is needed to execute the job.
...
...
@@ -79,9 +79,9 @@ Malicious access to a runner's file system may expose the `config.toml` file and
## CI/CD job tokens
The [CI/CD](../api/README.md#gitlab-ci-job-token) job token
The [CI/CD](../api/README.md#gitlab-cicd-job-token) job token
is a short lived token only valid for the duration of a job. It gives a CI/CD job
access to a limited amount of [API endpoints](../api/README.md#gitlab-ci-job-token).
access to a limited amount of API endpoints.
API authentication uses the job token, by using the authorization of the user
triggering the job.
...
...
@@ -105,4 +105,4 @@ This table shows available scopes per token. Scopes can be limited further on to
1. Limited to the one project.
1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository
1. Limited to certain [endpoints](../api/README.md#gitlab-ci-job-token).
1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token).
info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type:reference
redirect_to:'../../ci/README.md'
---
# New CI job permissions model
This document is deprecated. See the latest [GitLab CI/CD documentation](../../ci/README.md).
> Introduced in GitLab 8.12.
GitLab 8.12 has a completely redesigned [job permissions](../permissions.md#job-permissions) system. You can find
all discussion and all our concerns when choosing the current approach in issue
Using single token had multiple security implications:
- The token would be readable to anyone who had Developer access to a project
that could run CI jobs, allowing the developer to register any specific
runner for that project.
- The token would allow to access only the project's sources, forbidding from
accessing any other projects.
- The token was not expiring and was multi-purpose: used for checking out sources,
for registering specific runners and for accessing a project's container
registry with read-write permissions.
All the above led to a new permission model for jobs that was introduced
with GitLab 8.12.
## Making use of the new CI job permissions model
With the new job permissions model, there is now an easy way to access all
dependent source code in a project. That way, we can:
1. Access a project's dependent repositories
1. Access a project's [Git submodules](../../ci/git_submodules.md)
1. Access private container images
1. Access project's and submodule LFS objects
Below you can see the prerequisites needed to make use of the new permissions
model and how that works with Git submodules and private Docker images hosted on
the container registry.
### Prerequisites to use the new permissions model
With the new permissions model in place, there may be times that your job
fails. This is most likely because your project tries to access other project's
sources, and you don't have the appropriate permissions. In the job log look
for information about 403 or forbidden access messages.
In short here's what you need to do should you encounter any issues.
As an administrator:
-**500 errors**: You need to update [GitLab Workhorse](https://gitlab.com/gitlab-org/gitlab-workhorse) to at
least 0.8.2. This is done automatically for Omnibus installations, you need to
[check manually](https://gitlab.com/gitlab-org/gitlab-foss/tree/master/doc/update) for installations from source.
-**500 errors**: Check if you have another web proxy sitting in front of NGINX (HAProxy,
Apache, etc.). It might be a good idea to let GitLab use the internal NGINX
web server and not disable it completely. See [this comment](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/22484#note_16648302) for an
example.
-**403 errors**: You need to make sure that your installation has [HTTP(S)
cloning enabled](../admin_area/settings/visibility_and_access_controls.md#enabled-git-access-protocols). HTTP(S) support is now a **requirement** by GitLab CI
to clone all sources.
As a user:
- Make sure you are a member of the group or project you're trying to have
access to. As an Administrator, you can verify that by impersonating the user
and retry the failing job in order to verify that everything is correct.
### Dependent repositories
The [CI/CD variable](../../ci/variables/README.md#predefined-cicd-variables)`CI_JOB_TOKEN` can be used to
authenticate any clones of dependent repositories. For example: