Does "Allow access to this project with a CI_JOB_TOKEN" in GitLab work between private repositories?
Question
I am part of a private group (our team in our department). All underlying projects and subgroups can only be private (this is how GitLab works) and we all have at least Report-level access to those. Not to be confused with the personal namespace for each user!
I have created a subgroup with multiple repositories inside for a large Django project I am working on. One of the repositories (main, also includes `manage.py` as well as the Django project main files that are used by `django-admin` to configure and run the whole project) is referencing a couple of the others as submodules (Django apps).
I am trying to create a building job using Kaniko that is configured in the main repo and uses both the repo's own code as well as all the submodules to make the application complete. Sadly, I am encountering an authentication problem.
Even though I am the owner of the subgroup as well as the repos inside, cloning a submodule apparently still requires username and password. My setup does not allow me to use `git config` to add the required credentials - an automatically generated CI user and `CI_JOB_TOKEN` - I decided to look into sharing these credentials among all repos that are in some way linked (main repo + submodules).
In the CI/CD section of the Web UI in GitLab I have the following option:
I tried to set the path to the project to my main repo that uses the current repo as a submodule. However, I am getting
The target_project that you are attempting to access does not exist or you don't have permission to perform this action
The project does exist (tried with and without the `.git` suffix) so the only thing that remains is, yet again a credentials issue.
I might have missed a hint but the official documentation doesn't say that private repos cannot share a token.
Answer 1
Score: 1
Check if GitLab 16.1 (June 2023) can help:
> ## CI/CD job token scope API endpoint
>
> Starting in GitLab 16.0, the default CI/CD job token (`CI_JOB_TOKEN`) scope changed for all new projects. This increased the security of new projects, but added an extra step for users who used automation to create projects. The automation sometimes has to configure the job token scope as well, which could only be done with GraphQL (or manually in the UI), not the REST API.
>
> To make this setting configurable through the REST API as well, Gerardo Navarro added a new endpoint to control the job token scope in 16.1. It is available to users with a Maintainer or higher role in the project. Thank you for this great contribution Gerardo!

See Documentation and Issue.

> Create an allowlist of projects which can access your project through their `CI_JOB_TOKEN`.
>
> For example, project A can add project B to the allowlist. CI/CD jobs in project B (the “allowed project”) can now use their CI/CD job token to authenticate API calls to access project A. If project A is public or internal, the project can be accessed by project B without adding it to the allowlist.
>
> By default, the allowlist of any project only includes itself.
>
> It is a security risk to disable this feature, so project maintainers or owners should keep this setting enabled at all times. Add projects to the allowlist only when cross-project access is needed.
Answer 2
Score: 0
Currently I was unable to find any information on the sharing of CI job tokens between private repositories. However one way to deal with this is to put the private repositories in a private group and create a private token that works as a job token. I haven't tried naming such a token as `gitlab-ci-token` but it could work.
Answer 3
Score: 0
I can confirm that it is possible to add the permission to a private project. The problem is the confusing GitLab UI, which does not accept the entire URL of a repo and requires the user to enter just the final part.
I had a repo with the following URL:
https://gitlab.com/mygroup/mysubgroup/myreponame
I was adding the entire URL path to it and was getting the same error:
The target_project that you are attempting to access does not exist or you don't have permission to perform this action
Then I realized that all I needed to do was add just the final part:
mygroup/mysubgroup/myreponame
And it worked.
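
The path form that Answer 3 found the allowlist field expects can be derived from any of the usual ways a repository is referenced. This added example (not code from the question or the answers) does that and, from a constructed `.gitmodules`, lists which submodule projects need the main project on their allowlist; the `blog` and `shop` submodule names and all function names are hypothetical, and it assumes GitLab is served from the domain root.

```python
import posixpath
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the main repo path is the one from Answer 3; the
# submodule names "blog" and "shop" are hypothetical.
MAIN = "https://gitlab.com/mygroup/mysubgroup/myreponame.git"
GITMODULES = """
[submodule "apps/blog"]
    path = apps/blog
    url = ../blog.git
[submodule "apps/shop"]
    path = apps/shop
    url = git@gitlab.com:mygroup/mysubgroup/shop.git
"""


def project_path(ref, base_path=""):
    """Reduce a web URL, scp-style SSH remote, relative submodule URL or bare
    path to the namespace path (group/subgroup/project).
    Assumes GitLab is served from the domain root."""
    ref = ref.strip()
    if ref.startswith(("./", "../")):
        # Git resolves relative submodule URLs against the superproject URL.
        path = posixpath.normpath(posixpath.join(base_path, ref))
    elif "://" in ref:
        path = urlsplit(ref).path
    elif re.match(r"[\w.-]+@[\w.-]+:", ref):
        path = ref.split(":", 1)[1]
    else:
        path = ref
    path = path.strip("/")
    return path[:-4] if path.endswith(".git") else path


def required_allowlist_entries(gitmodules_text, main_project):
    """Map each submodule project to the entry its allowlist needs: the main
    project, whose jobs present CI_JOB_TOKEN when fetching the submodule."""
    main = project_path(main_project)
    urls = re.findall(r"^\s*url\s*=\s*(\S+)", gitmodules_text, flags=re.M)
    return {project_path(u, base_path=main): main for u in urls}


def api_project_id(ref):
    """URL-encoded path, accepted by GitLab's REST API in place of a numeric ID."""
    return quote(project_path(ref), safe="")


if __name__ == "__main__":
    for submodule, entry in required_allowlist_entries(GITMODULES, MAIN).items():
        print(f"{submodule}: add {entry} to the job token allowlist")
```

The allowlist is configured on each submodule project (the one being accessed), so every key in the returned mapping is a project whose settings need the main project's path as an entry.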