Commit 5b14ae44 authored by Fabio Pitino's avatar Fabio Pitino

Merge branch 'docs-ci-token-scope-update' into 'master'

Clarify the docs regarding CI token scope setting

See merge request gitlab-org/gitlab!65798
parents d81af6e9 763b3c06
...@@ -105,6 +105,6 @@ ...@@ -105,6 +105,6 @@
= expanded ? _('Collapse') : _('Expand') = expanded ? _('Collapse') : _('Expand')
%p %p
= _("Control which projects can use the CI_JOB_TOKEN CI/CD variable for API access to this project. It is a security risk to disable this feature, because unauthorized projects may attempt to retrieve an active token and access the API.") = _("Control which projects can use the CI_JOB_TOKEN CI/CD variable for API access to this project. It is a security risk to disable this feature, because unauthorized projects may attempt to retrieve an active token and access the API.")
= link_to _('Learn more'), help_page_path('api/index', anchor: 'gitlab-cicd-job-token-scope'), target: '_blank', rel: 'noopener noreferrer' = link_to _('Learn more'), help_page_path('api/index', anchor: 'limit-gitlab-cicd-job-token-access'), target: '_blank', rel: 'noopener noreferrer'
.settings-content .settings-content
= render 'ci/token_access/index' = render 'ci/token_access/index'
...@@ -245,53 +245,55 @@ your [runners](../ci/runners/README.md) to be secure. Avoid: ...@@ -245,53 +245,55 @@ your [runners](../ci/runners/README.md) to be secure. Avoid:
If you have an insecure GitLab Runner configuration, you increase the risk that someone If you have an insecure GitLab Runner configuration, you increase the risk that someone
tries to steal tokens from other jobs. tries to steal tokens from other jobs.
#### GitLab CI/CD job token scope #### Limit GitLab CI/CD job token access
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
> - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
- [Deployed behind a feature flag](../user/feature_flags.md), disabled by default. > - Disabled on GitLab.com.
- Disabled on GitLab.com. > - Not recommended for production use.
- Not recommended for production use. > - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
- To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope). **(FREE SELF)**
This in-development feature might not be available for your use. There can be This in-development feature might not be available for your use. There can be
[risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development). [risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
Refer to this feature's version history for more details. Refer to this feature's version history for more details.
CI job token can access only projects that are defined in its scope. You can limit the access scope of a project's CI/CD job token to increase the
You can configure the scope via project settings. job token's security. A job token might give extra permissions that aren't necessary
to access specific resources. Limiting the job token access scope reduces the risk of a leaked
The CI job token scope consists in a allowlist of projects that are authorized by maintainers to be token being used to access private data that the user associated to the job can access.
accessible via a CI job token. By default a scope only contains the same project where the token
comes from. Other projects can be added and removed by maintainers.
You can configure the scope via project settings. Control the job token access scope with an allowlist of other projects authorized
to be accessed by authenticating with the current project's job token. By default
the token scope only allows access to the same project where the token comes from.
Other projects can be added and removed by maintainers with access to both projects.
Since GitLab 14.1 this setting is enabled by default for new projects. Existing projects are This setting is enabled by default for all new projects, and disabled by default in projects
recommended to enable this feature and configure which projects are authorized to be accessed created before GitLab 14.1. It is strongly recommended that project maintainers enable this
by a job token. setting at all times, and configure the allowlist for cross-project access if needed.
The CI job token scope limits the risks that a leaked token is used to access private data that For example, when the setting is enabled, jobs in a pipeline in project `A` have
the user associated to the job can access to. a `CI_JOB_TOKEN` scope limited to project `A`. If the job needs to use the token
to make an API request to project `B`, then `B` must be added to the allowlist for `A`.
When the job token scope feature is enabled in the project settings, only the projects in scope To enable and configure the job token scope limit:
will be allowed to be accessed by a job token. If the job token scope feature is disabled, any
projects can be accessed, as long as the user associated to the job has permissions.
For example. If a project `A` has a running job with a `CI_JOB_TOKEN`, its scope is defined by 1. On the top bar, select **Menu > Projects** and find your project.
project `A`. If the job wants to use the `CI_JOB_TOKEN` to access data from project `B` or 1. On the left sidebar, select **Settings > CI/CD**.
trigger some actions in that project, then project `B` must be in the job token scope for `A`. 1. Expand **Token Access**.
1. Toggle **Limit CI_JOB_TOKEN access** to enabled.
1. (Optional) Add existing projects to the token's access scope. The user adding a
project must have the [maintainer role](../user/permissions.md) in both projects.
A job token might give extra permissions that aren't necessary to access specific resources. If the job token scope limit is disabled, the token can potentially be used to authenticate
There is [a proposal](https://gitlab.com/groups/gitlab-org/-/epics/3559) to redesign the feature API requests to all projects accessible to the user that triggered the job.
for more strategic control of the access permissions.
<!-- Add this at the end of the file --> There is [a proposal](https://gitlab.com/groups/gitlab-org/-/epics/3559) to improve
the feature with more strategic control of the access permissions.
#### Enable or disable CI Job Token Scope **(FREE SELF)** ##### Enable or disable CI job token scope limit **(FREE SELF)**
This is under development and not ready for production use. It is The GitLab CI/CD job token access scope limit is under development and not ready for production
deployed behind a feature flag that is **disabled by default**. use. It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md) [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
can enable it. can enable it.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment