Commit 49573bf6 authored by Stan Hu's avatar Stan Hu

Log when container registry permissions are denied

If a user does not have access to pull or push to a container registry,
the /jwt/auth endpoint can still return a 200 success but the registry
may reject the request due to insufficient access. To help track down
intermittent failures, we now log a warning in `auth.log` if the
requested permissions don't match the granted permissions.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/23644
parent a277a89b
...@@ -103,17 +103,19 @@ module Auth ...@@ -103,17 +103,19 @@ module Auth
return unless requested_project return unless requested_project
actions = actions.select do |action| authorized_actions = actions.select do |action|
can_access?(requested_project, action) can_access?(requested_project, action)
end end
return unless actions.present? log_if_actions_denied(type, requested_project, actions, authorized_actions)
return unless authorized_actions.present?
# At this point user/build is already authenticated. # At this point user/build is already authenticated.
# #
ensure_container_repository!(path, actions) ensure_container_repository!(path, authorized_actions)
{ type: type, name: path.to_s, actions: actions } { type: type, name: path.to_s, actions: authorized_actions }
end end
## ##
...@@ -222,5 +224,22 @@ module Auth ...@@ -222,5 +224,22 @@ module Auth
REGISTRY_LOGIN_ABILITIES.include?(ability) REGISTRY_LOGIN_ABILITIES.include?(ability)
end end
end end
def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
return if requested_actions == authorized_actions
log_info = {
message: "Denied container registry permissions",
scope_type: type,
requested_project_path: requested_project.full_path,
requested_actions: requested_actions,
authorized_actions: authorized_actions,
username: current_user&.username,
user_id: current_user&.id,
project_path: project&.full_path
}.compact
Gitlab::AuthLogger.warn(log_info)
end
end end
end end
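Review bot: `log_if_actions_denied` identifies the caller only through `current_user&.username` and `current_user&.id`, and the trailing `.compact` drops both when `current_user` is nil, so for a build or deploy-token caller (the comment in the first hunk says a user *or build* is authenticated at that point) the warning records the denied scope and project but no principal to correlate it with. Consider adding whatever build or deploy-token identifier this service already holds to `log_info`; whether such an accessor exists in the class is not visible in the hunk. The method also has no comment; something like `# Warn in auth.log when the caller asked for actions on requested_project that can_access? did not grant.` above the `def` would state its intent. `requested_actions` presumably originates from the client-supplied scope; since `Gitlab::AuthLogger.warn` is handed a structured hash here rather than an interpolated string, that is fine as long as it stays that way.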
---
title: Log when container registry permissions are denied
merge_request: 31536
author:
type: other
...@@ -205,6 +205,20 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -205,6 +205,20 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible' it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
it 'logs an auth warning' do
expect(Gitlab::AuthLogger).to receive(:warn).with(
message: 'Denied container registry permissions',
scope_type: 'repository',
requested_project_path: project.full_path,
requested_actions: ['*'],
authorized_actions: [],
user_id: current_user.id,
username: current_user.username
)
subject
end
end end
context 'disallow developer to delete images since registry 2.7' do context 'disallow developer to delete images since registry 2.7' do
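Review bot: The new example only asserts that the warning fires for the denied `['*']` case; nothing asserts that an authorized request leaves `Gitlab::AuthLogger` untouched, so an implementation that logged on every request (for instance a broken early return in `log_if_actions_denied`) would still pass. Add `expect(Gitlab::AuthLogger).not_to receive(:warn)` to one of the allowed contexts. Note also that `with(...)` requires an exact hash, so `project_path` must be absent in this context; if that is only because `project` is nil here, a one-line comment saying so would save the next reader a trip to the implementation.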