Log when container registry permissions are denied

If a user does not have access to pull or push to a container registry, the /jwt/auth endpoint can still return a 200 success but the registry may reject the request due to insufficient access. To help track down intermittent failures, we now log a warning in `auth.log` if the requested permissions don't match the granted permissions. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/23644

Log when container registry permissions are denied
If a user does not have access to pull or push to a container registry, the /jwt/auth endpoint can still return a 200 success but the registry may reject the request due to insufficient access. To help track down intermittent failures, we now log a warning in `auth.log` if the requested permissions don't match the granted permissions. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/23644
49573bf6 · Stan Hu · a277a89b · 49573bf6 · 49573bf6 · 49573bf6
Commit 49573bf6 authored May 09, 2020 by Stan Hu
3 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -103,17 +103,19 @@ module Auth
      return unless requested_project
-      actions = actions.select do |action|
+      authorized_actions = actions.select do |action|
        can_access?(requested_project, action)
      end
-      return unless actions.present?
+      log_if_actions_denied(type, requested_project, actions, authorized_actions)
+      return unless authorized_actions.present?
      # At this point user/build is already authenticated.
      #
-      ensure_container_repository!(path, actions)
+      ensure_container_repository!(path, authorized_actions)
-      { type: type, name: path.to_s, actions: actions }
+      { type: type, name: path.to_s, actions: authorized_actions }
    end
    ##
@@ -222,5 +224,22 @@ module Auth
        REGISTRY_LOGIN_ABILITIES.include?(ability)
      end
    end
+    def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
+      return if requested_actions == authorized_actions
+      log_info = {
+        message: "Denied container registry permissions",
+        scope_type: type,
+        requested_project_path: requested_project.full_path,
+        requested_actions: requested_actions,
+        authorized_actions: authorized_actions,
+        username: current_user&.username,
+        user_id: current_user&.id,
+        project_path: project&.full_path
+      }.compact
+      Gitlab::AuthLogger.warn(log_info)
+    end
  end
 end
--- a/changelogs/unreleased/sh-log-container-registry-access-warnings.yml
+++ b/changelogs/unreleased/sh-log-container-registry-access-warnings.yml
+---
+title: Log when container registry permissions are denied
+merge_request: 31536
+author:
+type: other
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -205,6 +205,20 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
+        it 'logs an auth warning' do
+          expect(Gitlab::AuthLogger).to receive(:warn).with(
+            message: 'Denied container registry permissions',
+            scope_type: 'repository',
+            requested_project_path: project.full_path,
+            requested_actions: ['*'],
+            authorized_actions: [],
+            user_id: current_user.id,
+            username: current_user.username
+          )
+          subject
+        end
      end
      context 'disallow developer to delete images since registry 2.7' do