We have already used username and password
Users can create Personal Access Tokens
git operations
Permissions inherited from user
Group Deploy Tokens (read only)
Group Access Tokens (configurable)
Project Access Tokens (configurable)
Project Deploy Token (read-only)
Project Deploy SSH Key (read-write)
Role defines the permission level
Scope specifies the available "features", e.g.
(read_)?api
(read|write)_repository
create_runner
(more later)
Expiration defines how long
Role: Developer
Scope: read_repository
User can pull but not push
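The role/scope combination above, as an added illustration (not GitLab's own code or its real permission matrix): a token's effective actions are modelled as the intersection of what the role allows and what the scopes allow, with an expired token granting nothing. The role and scope tables are assumptions chosen for the example.

```ruby
# Added example, not GitLab's own code: a simplified model of effective
# token permissions. Both tables are assumptions for illustration only.
ROLE_ACTIONS = {
  "Guest"      => %i[read_api],
  "Reporter"   => %i[read_api read_repository],
  "Developer"  => %i[read_api api read_repository write_repository],
  "Maintainer" => %i[read_api api read_repository write_repository create_runner],
}.freeze

# What each token scope unlocks (assumed mapping; "api" is modelled as
# also covering git over HTTP, "read_api" as API reads only).
SCOPE_ACTIONS = {
  "read_api"         => %i[read_api],
  "api"              => %i[read_api api read_repository write_repository],
  "read_repository"  => %i[read_repository],
  "write_repository" => %i[read_repository write_repository],
  "create_runner"    => %i[create_runner],
}.freeze

# Effective actions = role actions AND scope actions; an expired token
# grants nothing regardless of role or scope.
def effective_actions(role:, scopes:, expires_at: nil, now: Time.now)
  return [] if expires_at && expires_at <= now
  scope_allowed = scopes.flat_map { |s| SCOPE_ACTIONS.fetch(s) }.uniq
  ROLE_ACTIONS.fetch(role) & scope_allowed
end

def can_pull?(**token)
  effective_actions(**token).include?(:read_repository)
end

def can_push?(**token)
  effective_actions(**token).include?(:write_repository)
end

# Scopes the role can never exercise: harmless on their own, but worth
# flagging in an audit because they signal over-broad token requests.
def unusable_scopes(role:, scopes:, **_)
  scopes.reject { |s| (SCOPE_ACTIONS.fetch(s) & ROLE_ACTIONS.fetch(role)).any? }
end

if __FILE__ == $PROGRAM_NAME
  # The page's example: Developer role, read_repository scope.
  token = { role: "Developer", scopes: ["read_repository"], expires_at: nil }
  puts "pull: #{can_pull?(**token)}, push: #{can_push?(**token)}"  # pull: true, push: false
end
```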
Deploy keys belong to a user who can be blocked (gitlab-org/gitlab#35779)
Find and fix deploy keys using Ruby code in the Rails console
```ruby
# Walk every deploy key that was granted write access to a project and
# report the ones that can no longer actually push (e.g. because the
# owning user is blocked).
DeployKeysProject.with_write_access.find_each do |deploy_key_mapping|
  project = deploy_key_mapping.project
  deploy_key = deploy_key_mapping.deploy_key
  user = deploy_key.user

  # Evaluate the key's effective access in the context of this project.
  access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project)
  can_push = access_checker.can_do_action?(:push_code)
  can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref)

  # Skip keys that work as expected; only print the broken ones.
  next if access_checker.allowed? && can_push && can_push_to_default

  puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') +
    ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') +
    ", User: #{user.username}, User ID: #{user.id}, User state: #{user.state}"
end
```
| | Password | Personal Access Token | Personal SSH Key | Group Access Token | Group Deploy Token | Project Access Token | Project Deploy Token | Project SSH Key |
|---|---|---|---|---|---|---|---|---|
| Access to Web UI | Yes | No | No | No | No | No | No | No |
| Access to API | Indirect (1) | Yes | No | Yes (2) | No | Yes (3) | No | No |
| Read git repository | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Write git repository | Yes | Yes | Yes | Yes | No | Yes | No | No |
| Access CI variables | Yes | Yes (4) | No | Yes (4) | No | Yes (4) | No | No |
| Access scope | User | User | User | Group | Group | Project | Project | Project |
| Employee layoffs | Yes | Yes | Yes | No | No | No | No | Yes |
| Credential reuse (5) | Possible | No | Possible | No | No | No | No | Possible |
| Impact of security incident | High | High | High | Medium | Medium | Low | Low | Medium |
| Recommendation | No | No | No | Limited (6) | Limited (6) | Yes | Yes | Limited (6) |