Authentication


Personal Credentials

We have already used username and password

Users can create Personal Access Tokens

Users can add SSH public keys

All of these act as the user: they inherit the user's permissions and stop working when the user is blocked or removed

Hands-On

  1. Create a personal access token
  2. (Optionally) Clone a repository using the PAT instead of the password

Group and Project Credentials

Scoped to group

Group Deploy Tokens (read-only for the repository)

Group Access Tokens (configurable)

Scoped to project

Project Access Tokens (configurable)

Project Deploy Token (read-only for the repository)

Project Deploy SSH Key (read-only by default, write access optional)

Hands-On

  1. Create a project deploy token
  2. (Optionally) Use it to clone the repository

Caveats 1/2

Token creation is easy to get wrong: three independent settings decide what a token can do

Role defines the permission level (Guest, Reporter, Developer, Maintainer, Owner)

Scope defines which "features" the token may use, e.g. api, read_api, read_repository, write_repository

Expiration defines how long the token stays valid; after that, role and scope no longer matter

The effective permission is the intersection of what the role grants and what the scope exposes

Example

Role: Developer

Scope: read_repository

The token can pull but not push: the role would allow pushing, but the scope only exposes read access
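The role-versus-scope rule above, as an added Ruby example (not from the slides and not GitLab's own code): a small model in which a token's effective permission is the intersection of what its role grants and what its scopes expose, and nothing at all once it has expired. Role and scope names are GitLab's; the mapping of actions to roles and scopes is a deliberate simplification (it ignores protected-branch rules, edition differences and the finer API permissions) and is an assumption of this example.

```ruby
# Added example (not GitLab code): a simplified model of how GitLab decides
# what a group or project access token may do. Three independent settings apply:
#   role   - the membership level the token acts with (Guest .. Owner)
#   scopes - the "features" the token is allowed to touch
#   expiry - after which nothing works regardless of role or scope
# An action is permitted only if BOTH the role grants it AND a scope exposes it.
# The action tables below are an assumption of this example, not GitLab's exact
# permission matrix (protected branches and edition differences are ignored).
require 'date'

# Actions each role grants on a private project (simplified).
ROLE_ACTIONS = {
  'Guest'      => [],
  'Reporter'   => %i[read_repo read_api],
  'Developer'  => %i[read_repo push_repo read_api write_api],
  'Maintainer' => %i[read_repo push_repo read_api write_api],
  'Owner'      => %i[read_repo push_repo read_api write_api],
}.freeze

# Actions each token scope exposes; 'api' is the broadest scope.
SCOPE_ACTIONS = {
  'api'              => %i[read_repo push_repo read_api write_api],
  'read_api'         => %i[read_api],
  'read_repository'  => %i[read_repo],
  'write_repository' => %i[read_repo push_repo],
}.freeze

class AccessToken
  attr_reader :role, :scopes, :expires_at

  def initialize(role:, scopes:, expires_at:)
    raise ArgumentError, "unknown role #{role}" unless ROLE_ACTIONS.key?(role)
    unknown = scopes - SCOPE_ACTIONS.keys
    raise ArgumentError, "unknown scope(s): #{unknown.join(', ')}" unless unknown.empty?
    @role = role
    @scopes = scopes
    @expires_at = expires_at
  end

  def expired?(today = Date.today)
    today > expires_at
  end

  # Effective permission: role grants INTERSECT scope grants, or nothing once expired.
  def effective_actions(today = Date.today)
    return [] if expired?(today)
    scope_actions = scopes.flat_map { |s| SCOPE_ACTIONS[s] }.uniq
    ROLE_ACTIONS[role] & scope_actions
  end

  def can?(action, today = Date.today)
    effective_actions(today).include?(action)
  end

  # Explain a denial: expiry, role or scope is the limiting factor (checked in that order).
  def why_not(action, today = Date.today)
    return "token expired on #{expires_at}" if expired?(today)
    return "role #{role} does not grant #{action}" unless ROLE_ACTIONS[role].include?(action)
    exposed = scopes.any? { |s| SCOPE_ACTIONS[s].include?(action) }
    return "scopes #{scopes.join(',')} do not expose #{action}" unless exposed
    'allowed'
  end
end

# The slide's example: Developer role, but only the read_repository scope.
def slide_example
  tok = AccessToken.new(role: 'Developer', scopes: ['read_repository'],
                        expires_at: Date.new(2099, 1, 1))
  { pull: tok.can?(:read_repo), push: tok.can?(:push_repo), reason: tok.why_not(:push_repo) }
end

if $PROGRAM_NAME == __FILE__
  puts slide_example.inspect
end
```

Swap the role and scope around (Reporter with write_repository) and the token still cannot push, this time because the role is the limiting factor; the why_not helper names whichever of the three settings is blocking the action, which is usually the quickest way to debug a token that "has the right scope" but still fails.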


Caveats 2/2

Deploy keys belong to the user who created them; if that user is blocked (e.g. after leaving the company), a key with write access can no longer push (gitlab-org/gitlab#35779)

Find affected deploy keys with Ruby in the GitLab Rails console; the script lists every write-enabled key that can no longer push, together with its owner and the owner's state, so the key can be replaced

# Walk every deploy key that has write access to some project
DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
  project = deploy_key_mapping.project
  deploy_key = deploy_key_mapping.deploy_key
  user = deploy_key.user # the owner the key acts as; may be blocked or a non-member

  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)
  can_push = access_checker.can_do_action?(:push_code)
  # can_push_for_ref? checks the default branch, which is usually protected
  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)

  # Healthy keys are skipped; only keys that can no longer push are reported
  next if access_checker.allowed? && can_push && can_push_to_default

  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
       ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
       ", User: #{user.username}, User ID: #{user.id}, User state: #{user.state}"
end

Comparison

Columns: PW = Password, PAT = Personal Access Token, SSH = Personal SSH Key,
GAT = Group Access Token, GDT = Group Deploy Token, PrAT = Project Access Token,
PDT = Project Deploy Token, DK = Project Deploy SSH Key

                              PW           PAT          SSH          GAT          GDT          PrAT         PDT          DK
Access to Web UI              Yes          No           No           No           No           No           No           No
Access to API                 Indirect (1) Yes          No           Yes (2)      No           Yes (3)      No           No
Read git repository           Yes          Yes          Yes          Yes          Yes          Yes          Yes          Yes
Write git repository          Yes          Yes          Yes          Yes          No           Yes          No           Optional
Access CI variables           Yes          Yes (4)      No           Yes (4)      No           Yes (4)      No           No
Access scope                  User         User         User         Group        Group        Project      Project      Project
Tied to one person (layoffs)  Yes          Yes          Yes          No           No           No           No           Yes
Credential reuse (5)          Possible     No           Possible     No           No           No           No           Possible
Impact of security incident   High         High         High         Medium       Medium       Low          Low          Medium
Recommendation                No           No           No           Limited (6)  Limited (6)  Yes          Yes          Limited (6)