Add project access token documentation

09580937 · peterhegman · 84046205 · 09580937 · 09580937 · 09580937
Commit 09580937 authored Apr 27, 2020 by peterhegman
Showing with 75 additions and 9 deletions

doc/api/README.md doc/api/README.md +18 -9

doc/user/permissions.md doc/user/permissions.md +1 -0

doc/user/project/settings/index.md doc/user/project/settings/index.md +56 -0

No files found.
--- a/doc/api/README.md
+++ b/doc/api/README.md
@@ -77,10 +77,11 @@ authentication is not provided. For
 those cases where it is not required, this will be mentioned in the documentation
 for each individual endpoint. For example, the [`/projects/:id` endpoint](projects.md).
-There are four ways to authenticate with the GitLab API:
+There are five ways to authenticate with the GitLab API:
 1. [OAuth2 tokens](#oauth2-tokens)
 1. [Personal access tokens](#personal-access-tokens)
+1. [Project access tokens](#project-access-tokens-core-only) **(CORE ONLY)**
 1. [Session cookie](#session-cookie)
 1. [GitLab CI/CD job token](#gitlab-ci-job-token) **(Specific endpoints only)**
@@ -117,31 +118,39 @@ curl --header "Authorization: Bearer OAUTH-TOKEN" https://gitlab.example.com/api
 Read more about [GitLab as an OAuth2 provider](oauth2.md).
-### Personal access tokens
+### Access tokens
-You can use a [personal access token](../user/profile/personal_access_tokens.md) to authenticate with the API by passing it in either the
+#### Personal access tokens
-`private_token` parameter or the `Private-Token` header.
+Read more about [personal access tokens](../user/profile/personal_access_tokens.md).
+#### Project access tokens **(CORE ONLY)**
+Read more about [project access tokens](../user/project/settings/index.md#project-access-tokens-core-only).
-Example of using the personal access token in a parameter:
+#### Usage
+Access tokens can be used to authenticate with the API by passing it in either the `private_token` parameter
+or the `Private-Token` header.
+Example of using the personal/project access token in a parameter:
 ```shell
 curl https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>
 ```
-Example of using the personal access token in a header:
+Example of using the personal/project access token in a header:
 ```shell
 curl --header "Private-Token: <your_access_token>" https://gitlab.example.com/api/v4/projects
 ```
-You can also use personal access tokens with OAuth-compliant headers:
+You can also use personal/project access tokens with OAuth-compliant headers:
 ```shell
 curl --header "Authorization: Bearer <your_access_token>" https://gitlab.example.com/api/v4/projects
 ```
-Read more about [personal access tokens](../user/profile/personal_access_tokens.md).
 ### Session cookie
 When signing in to the main GitLab application, a `_gitlab_session` cookie is

--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -148,6 +148,7 @@ The following table depicts the various user permission levels in a project.
 | Delete wiki pages                                 |         |            |             | ✓        | ✓      |
 | View project Audit Events                         |         |            |             | ✓        | ✓      |
 | Manage [push rules](../push_rules/push_rules.md)  |         |            |             | ✓        | ✓      |
+| Manage [project access tokens](./project/settings/index.md#project-access-tokens-core-only) **(CORE ONLY)** |         |            |             | ✓        | ✓      |
 | Switch visibility level                           |         |            |             |          | ✓      |
 | Transfer project to another namespace             |         |            |             |          | ✓      |
 | Remove fork relationship                          |         |            |             |          | ✓      |

--- a/doc/user/project/settings/index.md
+++ b/doc/user/project/settings/index.md
@@ -263,6 +263,62 @@ NOTE: **Note:**
 Only project owners have the [permissions](../../permissions.md#project-members-permissions)
 to remove a fork relationship.
+## Project access tokens **(CORE ONLY)**
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2587) in GitLab 13.0.
+Project access tokens are scoped to a project and can be used to authenticate with the [GitLab API](../../../api/README.md#project-access-tokens-core-only).
+You can also use project access tokens with Git to authenticate over HTTP or SSH.
+Project access tokens expire on the date you define, at midnight UTC.
+For examples of how you can use a project access token to authenticate with the API, see the following section from our [API Docs](../../../api/README.md#project-access-tokens-core-only).
+### Creating a project access token
+1. Log in to GitLab.
+1. Navigate to the project you would like to create an access token for.
+1. In the **{settings}** **Settings** menu choose **Access Tokens**.
+1. Choose a name and optional expiry date for the token.
+1. Choose the [desired scopes](#limiting-scopes-of-a-project-access-token).
+1. Click the **Create project access token** button.
+1. Save the project access token somewhere safe. Once you leave or refresh
+   the page, you won't be able to access it again.
+### Project bot users
+For each project access token created, a bot user will also be created and added to the project with
+["Maintainer" level permissions](../../permissions.md#project-members-permissions). API calls made with a
+project access token will be associated to the corresponding bot user.
+These users will appear in **{settings}** **Settings > Members** but can not be modified.
+Furthermore, the bot user can not be added to any other project.
+When the project access token is [revoked](#revoking-a-project-access-token) the bot user will be deleted and all
+records will be moved to a system-wide user with the username "Ghost User". For more information,
+see [Associated Records](../../profile/account/delete_account.md#associated-records).
+### Revoking a project access token
+At any time, you can revoke any project access token by clicking the
+respective **Revoke** button in **{settings}** **Settings > Access Tokens**.
+### Limiting scopes of a project access token
+Project access tokens can be created with one or more scopes that allow various
+actions that a given token can perform. The available scopes are depicted in
+the following table.
+| Scope              |  Description |
+| ------------------ |  ----------- |
+| `api`              | Grants complete read/write access to scoped project API. |
+| `read_api`         | Grants read access to the scoped project API. |
+| `read_registry`    | Allows read-access (pull) to [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. |
+| `write_registry`   | Allows write-access (push) to [container registry](../../packages/container_registry/index.md). |
+| `read_repository`  | Allows read-only access (pull) to the repository through `git clone`. |
+| `write_repository` | Allows read-write access (pull, push) to the repository through `git clone`. |
 ## Operations settings
 ### Error Tracking