Commit dd99e19d authored by João Pereira, committed by Phillip Wells

Mention Container Registry and Dependency Proxy in api scope

The `api` scope for access tokens grants read and write access to the
Container Registry and Dependency Proxy. However, the documentation
and UI do not reflect that; they only mention the Package Registry.
This change updates the UI and documentation to reflect the current
behavior.

Changelog: changed
Parent 58fa6d96
......@@ -81,7 +81,7 @@ en:
ai_features: Access to API endpoints needed for GitLab Duo features
scope_desc:
api:
Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry.
read_api:
Grants read access to the API, including all groups and projects, the container registry, and the package registry.
read_user:
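Review bot: `read_api` under `scope_desc` is left as "the container registry, and the package registry" while `api` directly above it now also names the dependency proxy. If `read_api` also allows pulls through the dependency proxy, add it to that string as well; if it does not, say so in the commit message so the asymmetry reads as intentional.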
......@@ -116,9 +116,9 @@ en:
Grants permission to perform Kubernetes API calls using the agent for Kubernetes.
group_access_token_scope_desc:
api:
Grants complete read and write access to the scoped group and related project API, including the Package Registry.
Grants complete read and write access to the scoped group and related project API, including the container registry, the dependency proxy, and the package registry.
read_api:
Grants read access to the scoped group and related project API, including the Package Registry.
Grants read access to the scoped group and related project API, including the package registry.
read_user:
Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
read_repository:
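Review bot: the group `read_api` string still names only the package registry, whereas the personal `read_api` string in `scope_desc` names the container registry and the package registry. This hunk touches that line only to lowercase "Package Registry"; since the commit is about making the descriptions match actual behaviour, confirm what read access the group `read_api` scope gives to the container registry and state it here.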
......@@ -126,9 +126,9 @@ en:
write_repository:
Grants read and write access (pull and push) to all repositories within a group.
read_registry:
Grants read access (pull) to the Container Registry images if any project within a group is private and authorization is required.
Grants read access (pull) to the container registry images if any project within a group is private and authorization is required.
write_registry:
Grants write access (push) to the Container Registry.
Grants write access (push) to the container registry.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
......@@ -151,7 +151,7 @@ en:
Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group.
project_access_token_scope_desc:
api:
Grants complete read and write access to the scoped project API, including the Package Registry.
Grants complete read and write access to the scoped project API, including the container registry, the dependency proxy, and the package registry.
read_api:
Grants read access to the scoped project API, including the Package Registry.
read_repository:
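Review bot: `read_api` under `project_access_token_scope_desc` keeps the capitalised "Package Registry", while the same string under `group_access_token_scope_desc` is lowercased in this commit. Lowercase it here too so the UI strings stay consistent across token types.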
......
......@@ -99,7 +99,7 @@ different actions. See the following table for all available scopes.
| Scope | Description |
|--------------------| ----------- |
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. |
| `read_user` | Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users. |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_repository` | Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API. |
......
......@@ -143,17 +143,17 @@ token.revoke!
The scope determines the actions you can perform when you authenticate with a group access token.
| Scope | Description |
|:-------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read and write access to the scoped group and related project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped group and related project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if any project within a group is private and authorization is required. |
| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). |
| `read_repository` | Grants read access (pull) to all repositories within a group. |
| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. |
| `create_runner` | Grants permission to create runners in a group. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. |
| Scope | Description |
|:-------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read and write access to the scoped group and related project API, including the [container registry](../../packages/container_registry/index.md), the [dependency proxy](../../packages/dependency_proxy/index.md), and the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped group and related project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if any project within a group is private and authorization is required. |
| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). |
| `read_repository` | Grants read access (pull) to all repositories within a group. |
| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. |
| `create_runner` | Grants permission to create runners in a group. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. |
## Enable or disable group access token creation
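Review bot: all nine table rows are rewritten in this hunk, but only the `api` row changes wording; the rest is column realignment. That makes it hard to see that no other scope description changed. Mention the realignment in the commit message, or keep the old column widths and touch only the `api` row.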
......
......@@ -86,9 +86,9 @@ docker login gitlab.example.com --username my_username --password my_password
You can authenticate using:
- Your GitLab username and password.
- A [personal access token](../../../user/profile/personal_access_tokens.md) with the scope set to `read_registry` and `write_registry`.
- A [personal access token](../../../user/profile/personal_access_tokens.md) with the scope set to `read_registry` and `write_registry`, or to `api`.
- A [group deploy token](../../../user/project/deploy_tokens/index.md) with the scope set to `read_registry` and `write_registry`.
- A [group access token](../../../user/group/settings/group_access_tokens.md) for the group, with the scope set to `read_registry` and `write_registry`.
- A [group access token](../../../user/group/settings/group_access_tokens.md) for the group, with the scope set to `read_registry` and `write_registry`, or to `api`.
Users accessing the Dependency Proxy with a personal access token or username and password must
have at least the Guest role for the group they pull images from.
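Review bot: the two added "or to `api`" alternatives put a token with complete read/write API access on the same footing as `read_registry` and `write_registry` for what is a `docker login`. Suggest wording that keeps the registry scopes as the recommended choice and mentions `api` only as also accepted, so readers do not reach for the broader scope by default.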
......
......@@ -112,20 +112,20 @@ To view the last time a token was used:
A personal access token can perform actions based on the assigned scopes.
| Scope | Access |
|--------------------|--------|
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_user` | Grants read-only access to the authenticated user's profile through the `/user` API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under [`/users`](../../api/users.md). |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) in GitLab 12.10.) |
| `read_repository` | Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API. |
| `write_repository` | Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
| `read_registry` | Grants read-only (pull) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. |
| Scope | Access |
|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. |
| `read_user` | Grants read-only access to the authenticated user's profile through the `/user` API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under [`/users`](../../api/users.md). |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) in GitLab 12.10.) |
| `read_repository` | Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API. |
| `write_repository` | Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
| `read_registry` | Grants read-only (pull) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. |
| `write_registry` | Grants read-write (push) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28958) in GitLab 12.10.) |
| `sudo` | Grants permission to perform API actions as any user in the system, when authenticated as an administrator. |
| `admin_mode` | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) |
| `create_runner` | Grants permission to create runners. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
| `sudo` | Grants permission to perform API actions as any user in the system, when authenticated as an administrator. |
| `admin_mode` | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) |
| `create_runner` | Grants permission to create runners. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
WARNING:
If you enabled [external authorization](../admin_area/settings/external_authorization.md), personal access tokens cannot access container or package registries. If you use personal access tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use personal access tokens with container or package registries.
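Review bot: the WARNING kept as context after the table says that with external authorization enabled, personal access tokens cannot access container or package registries, but the `api` row now also lists the dependency proxy. Check whether the same restriction applies to the dependency proxy and, if it does, extend the WARNING so the table and the warning agree.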
......
......@@ -88,17 +88,17 @@ The scope determines the actions you can perform when you authenticate with a pr
NOTE:
See the warning in [create a project access token](#create-a-project-access-token) regarding internal projects.
| Scope | Description |
|:-------------------|:---------------------------------------|
| `api` | Grants complete read and write access to the scoped project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `write_registry` | Grants write access (push) to the [Container Registry](../../packages/container_registry/index.md). |
| `read_repository` | Grants read access (pull) to the repository. |
| `write_repository` | Grants read and write access (pull and push) to the repository. |
| `create_runner` | Grants permission to create runners in the project. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. |
| Scope | Description |
|:-------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read and write access to the scoped project API, including the [container registry](../../packages/container_registry/index.md), the [dependency proxy](../../packages/dependency_proxy/index.md), and the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). |
| `read_repository` | Grants read access (pull) to the repository. |
| `write_repository` | Grants read and write access (pull and push) to the repository. |
| `create_runner` | Grants permission to create runners in the project. |
| `ai_features` | Grants permission to perform API actions for GitLab Duo. |
| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. |
## Enable or disable project access token creation
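Review bot: the `api` row for project access tokens now lists the dependency proxy, but the Dependency Proxy authentication list changed in this same commit names only username and password, personal access tokens, group deploy tokens and group access tokens. Confirm that a project access token with `api` can actually authenticate to the dependency proxy; if it cannot, drop the dependency proxy from this row and from `project_access_token_scope_desc.api`.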
......