Skip to content

Provide mechanism to migrate authentications log to job token allowlist

Problem

As part of the broader Project Allowlist for the CI Job token effort, Pipeline Security will be working on a mechanism to migrate logs to the job token allowlist. We know that many GitLab instances (e.g. Gitlab.com) want to keep breaking changes to a minimum (or avoid them). If project owners don't take any actions after Phase 1 and by a given deadline to manually add projects to their allowlists, instance admins should be able to turn the authentication logs into allowlists automatically and this effort enables that.

Proposal

Prior to enabling the instance-wide setting, admins have the ability (opt-in and on-demand) to migrate the authentication logs into allowlists on behalf of the project owners. This will allow them to minimize/eliminate breaking changes. This will only affect projects with disabled job token scope.

The migration could be executed as a rake task by admins or from admin UI. It's important that admins have the ability to monitor progress and restart/retry the operation if necessary.

Upon successful migration, the job token scope is enabled for the project and allowlisted entries possibly removed from the authentications log.

Additional Requirements

We want to be able to track which allowlist entries were automated by GitLab vs added by users. This is important because we want to:

  • Persist the right data when users opt-in.
  • Allow for an eventual rollback procedure to revert the changes to a previous state

Challenges

  • Need to use a mechanism that is Dedicated-friendly. Rake task might not be #467292 (comment 2041128436) (pending confirmation at the time of this writing).
  • The Job Token Scope allowlist has a limit of 200 entries. If more than 200 projects have authenticated to the current project we need to find a way to "compact the list". A discussed idea is to compact the allowlist by allowlisting a common sub-group among the allowlisted projects. If still not enough and more than 200 sub-groups are present, allowlist a common parent sub-group, and iterate until top-level groups.
Edited by Sarah Waldner