· Nicholas Dille

Authentication

Personal Credentials

We have already used username and password

Users can create Personal Access Tokens

Used instead of password for git operations
Used to access the API (more later)

Users can add SSH public keys

Used for git operations

Permissions inherited from user

Hands-On

Create a personal access token
Clone a repository using the PAT instead of the password

Group and Project Credentials

Scoped to group

Group Deploy Tokens (read only)

Group Access Tokens (configurable)

Scoped to project

Project Access Tokens (configurable)

Project Deploy Token (read-only)

Project Deploy SSH Key (read-write)

Hands-On

Create a project deploy token
Use it to clone the repository

Caveats 1/

Token creation can be tricky

Role defines the permission level

Scope specified available “features”, e.g.

(read_)?api
(read|write)_repository
create_runner (more later)

Expiration defines how long

Example

Role: Developer

Scope: read_repository

User can pull but not push

Caveats 2/2

Deploy keys belong to a user who can be blocked gitlab-org/gitlab#35779

Find and fix deploy keys using Ruby code in rails console

DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
  project = deploy_key_mapping.project
  deploy_key = deploy_key_mapping.deploy_key
  user = deploy_key.user

  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)
  can_push = access_checker.can_do_action?(:push_code)
  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)

  next if access_checker.allowed? && can_push && can_push_to_default

  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
       ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
       ", User: #{user.username}, User ID: #{user.id}, User state: #{user.state}"
end

Comparison

	Password	Personal Access Token	Personal SSH Key	Group Access Token	Group Deploy Token	Project Access Token	Project Deploy Token	Project SSH Key
Access to Web UI	Yes	No	No	No	No	No	No	No
Access to API	Indirect (1)	Yes	No	Yes (2)	No	Yes (3)	No	No
Read git repository	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Write git repository	Yes	Yes	Yes	Yes	No	Yes	No	No
Access CI variables	Yes	Yes (4)	No	Yes (4)	No	Yes (4)	No	No
Access scope	User	User	User	Group	Group	Project	Project	Project
Employee layoffs	Yes	Yes	Yes	No	No	No	No	Yes
Credential reuse (5)	Possible	No	Possible	No	No	No	No	Possible
Impact of security incident	High	High	High	Medium	Medium	Low	Low	Medium
Recommendation	No	No	No	Limited (6)	Limited (6)	Yes	Yes	Limited (6)

(1) Username and password can be used to retrieve a personal access token
(2) Group only
(3) Project only
(4) API only
(5) Can be used for multiple accounts and on multiple systems
(6) Acceptable for automation to avoid many project credentials