Comments (5)
Hi Chris,
Thanks for the heads-up.
It's not clear what, if anything, needs to be done here to enable this.
- It would be great to have a reference to GitLab docs / release notes describing what they've allowed with CI_JOB_TOKEN. We would need to make sure all of the API calls Art needs are permitted. And if there is any special configuration (e.g. GitLab project settings), this would need to be referenced.
- Art uses the upstream python-gitlab client API. So if the HTTP headers need to be changed or anything, it will need to happen there, and Art will have to track the new version.
from gitlab-art.
A CI_JOB_TOKEN can be used via python-gitlab if we change the Gitlab client constructor to use job_token rather than private_token. This would require a backward-compatible option on art configure, and an extension of the configuration file.
For example, the first two commands would configure personal access tokens, the final command would configure a CI_JOB_TOKEN credential.
$ art configure $ART_USER_TOKEN
$ art configure --token-type private $ART_USER_TOKEN
$ art configure --token-type job $CI_JOB_TOKEN
However, in 15.9 GitLab started taking steps to nerf CI_JOB_TOKEN, as this type of credential allows CI to act as the user that triggered the build for the duration of the pipeline and potentially has more permissions than it needs. While it's not entirely clear to me how one would leak a CI_JOB_TOKEN without also being able to act as the CI user for the duration of the job, GitLab views the use of these tokens as a security risk and has implemented additional controls.
Our use of art involves a personal access token from a dedicated "art" user. This user doesn't have permissions to any project and can only access the artifacts of projects with visibility level public or internal. I would imagine that finer-grained access controls would involve an explicit grant of permission to the "art" user on a per-project or per-group basis with the guest or reporter role, but I haven't personally evaluated what role is required to download artifacts using the API.
So ephemeral tokens are clearly better than long-lived tokens, but reduced-rights tokens are clearly better than those with full rights. I think artifact security is irrelevant until you start to collect them from projects with the private visibility level.
from gitlab-art.
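The token-type option sketched in the comment above, as an added example that is not gitlab-art's own code: a config file that gains an optional token_type key (missing means "private", so existing files keep working), a helper emulating what a hypothetical `art configure --token-type` would write, and the mapping from each type to the python-gitlab constructor keyword (private_token or job_token) and the HTTP header python-gitlab sends for it (PRIVATE-TOKEN or JOB-TOKEN). The "key = value" config format, key names and function names are assumptions made for illustration.

```python
# Added example (not gitlab-art's code). Config format, key names and the
# render_config() helper are assumptions; the python-gitlab keyword arguments
# and header names in TOKEN_TYPES are the real ones.
import os
from typing import Dict, Tuple

# Legacy config files only carry "token"; treating a missing "token_type"
# as "private" keeps those files working unchanged.
DEFAULT_TOKEN_TYPE = "private"

# token type -> (gitlab.Gitlab() keyword, HTTP header python-gitlab sends)
TOKEN_TYPES: Dict[str, Tuple[str, str]] = {
    "private": ("private_token", "PRIVATE-TOKEN"),
    "job": ("job_token", "JOB-TOKEN"),
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines (constructed format; blank lines and # comments ignored)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def render_config(token: str, token_type: str = DEFAULT_TOKEN_TYPE) -> str:
    """What a hypothetical `art configure [--token-type TYPE] TOKEN` would write."""
    if token_type not in TOKEN_TYPES:
        raise ValueError(
            f"unknown token type {token_type!r}; expected one of {sorted(TOKEN_TYPES)}"
        )
    if not token:
        raise ValueError("empty token")
    return f"token = {token}\ntoken_type = {token_type}\n"


def _resolve(cfg: Dict[str, str]) -> Tuple[str, str, str]:
    """Validate a parsed config and return (constructor keyword, header name, token)."""
    token = cfg.get("token")
    if not token:
        raise ValueError("no token configured; run `art configure` first")
    token_type = cfg.get("token_type", DEFAULT_TOKEN_TYPE)
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unknown token_type {token_type!r} in config")
    keyword, header = TOKEN_TYPES[token_type]
    return keyword, header, token


def client_kwargs(cfg: Dict[str, str]) -> Dict[str, str]:
    """Keyword arguments for gitlab.Gitlab(url, **kwargs) for this config."""
    keyword, _header, token = _resolve(cfg)
    return {keyword: token}


def auth_header(cfg: Dict[str, str]) -> Tuple[str, str]:
    """The (header name, value) python-gitlab will put on API requests for this config."""
    _keyword, header, token = _resolve(cfg)
    return header, token


def make_client(url: str, cfg: Dict[str, str]):
    """Build a python-gitlab client; imported lazily so the rest of this file runs without it."""
    import gitlab  # python-gitlab

    return gitlab.Gitlab(url, **client_kwargs(cfg))


if __name__ == "__main__":
    # Inside a GitLab job CI_JOB_TOKEN is set; use it, otherwise fall back to a
    # placeholder personal access token (constructed value, not a real token).
    job_token = os.environ.get("CI_JOB_TOKEN")
    text = (
        render_config(job_token, "job") if job_token else render_config("glpat-example", "private")
    )
    cfg = parse_config(text)
    print(client_kwargs(cfg), auth_header(cfg))
```

Because `token_type` defaults to "private", a file written by the current single-argument `art configure` parses to the same private_token call it makes today; only files that explicitly say `token_type = job` switch the client to job_token, and an unrecognised type is rejected at both configure time and client-construction time rather than silently falling back to a personal access token.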
> I think artifact security is irrelevant until you start to collect them from projects with the private visibility level.
I don't mean this to convey a cavalier attitude towards security, but rather "my impression is that this is when security starts to matter."
from gitlab-art.
Just my two cents as the author: supporting artifacts from private repositories is essential and it's not a negotiable feature.
from gitlab-art.
> Just my two cents as the author: supporting artifacts from private repositories is essential and it's not a negotiable feature.
This would be possible with either token type.
For CI_JOB_TOKEN, I find the GitLab docs post-15.9 regarding permissions a little difficult to understand, but if you enable the "token access" feature in CI/CD settings (enabled by default for new projects), then a project with visibility level private will need to maintain an "allow-list" of projects that can pull artifacts.
For the "art" user case, a private project needs to grant permissions to the "art" user to download artifacts (same as it is today).
from gitlab-art.