Personal access token 'read_registry; permission broken.

Summary

Related to #19219 (closed) (Summarize the bug encountered concisely)

As far as I can tell on gitlab 9.4.2 this feature seems to be broken. I've got 2 PATs as an admin user with 2FA enabled.

When using the PAT with read_registry permission I get auth errors telling me permission denied. When I use the api permission I do have access.

Steps to reproduce

• Create a PAT with read_registry permission.
• Login to the registry via docker.
• Pull an image from the registry.

Example Project

Any project will work; and I'm not sharing my PAT :)

What is the current bug behavior?

Access denied

What is the expected correct behavior?

I should be allowed to pull the image(s).

Possible fixes

changed the description

/cc @bikebilly @ayufan @zj

added CI/CD bug container registry ~1208338 labels

Not sure when I have the time to investigate, but hopefully the next week.

assigned to @zj

changed the description

@bikebilly I've investigated this, and seems to be the case. This will take me about a day or two to fix. Should be schedule it for 10.0?

assigned to @bikebilly

changed the description

Minor update, I believe it has to do with the way we map scopes with abilities. So the scope: read_registry must map to allowing :read_container_image, which seems to fail.

@SamMousa suggests that this does work when API as a scope is enabled. I've yet to confirm that, but for anyone reading this in the mean time, this is your best bet. Continuing digging tomorrow.

@SamMousa All my hunches so far were a dead end, could you please give more detailed steps to reproduce this? I've tried this on the nightly release and gitlab.com.

@zj I have just retested this on 9.4.3, and will test it again on 9.4.4 when the update has finished.

I can now pull images from the repository successfully; could it have been resolved by other code changes in the 9.4.3 patch?

If not I must have done something wrong, although I've retried several times...

@SamMousa I dug into this as I had some ideas before of which I wasn't sure I'd either tested it, or if is certain edge cases were covered. And in some tests we stubbed a little too much for my liking. However, I tried quite a few edge cases but ended up not being able to reproduce this.

No patch was included in the patch releases of the 9.4.x line that I expect to affect this. I'm closing this for now, but if you hit some trouble in the future, feel free to open an new issue!

closed

Can confirm that it also works correctly on 9.4.4.