Issue JWT token with registry:catalog:* scope when requested by GitLab admin
What does this MR do?
Modifies ContainerRegistryAuthenticationService to issue a JWT token with registry:catalog:* scope when requested by a GitLab admin.
Are there points in the code the reviewer needs to double check?
Since this MR touches a security aspect of GitLab, a detailed review of the change and tests would be appreciated.
Why was this MR needed?
Currently, GitLab never issues a token with registry:catalog:* scope. This scope is needed for browsing the catalog of the docker registry. Since the docker registry supports only one auth provider at a time, there is no other workaround to browse through the registry catalog when using GitLab as the auth provider.
Since disclosing all repositories in the registry could be considered a security leak, this scope can be issued only to GitLab admins. (As suggested by @ayufan)
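To make the authorization rule concrete, here is an added example (not the MR's code and not GitLab's ContainerRegistryAuthenticationService) of how the scope decision and the resulting JWT `access` claim can be modelled. It assumes a hypothetical User struct with an admin flag, stubs project-level repository checks with a block, and signs with HS256 purely for illustration (GitLab signs registry tokens with its registry key, not a shared secret).

```ruby
require 'json'
require 'base64'
require 'openssl'

# Hypothetical user model (constructed for this example); only the admin flag
# matters for the catalog scope.
User = Struct.new(:username, :admin) do
  def admin?
    admin
  end
end

# Parse a Docker registry scope string "type:name:actions" into its parts.
# Actions are comma-separated, e.g. "repository:group/proj:push,pull".
def parse_scope(scope)
  type, name, actions = scope.to_s.split(':', 3)
  return nil unless type && name && actions
  { type: type, name: name, actions: actions.split(',') }
end

# Decide which requested actions are granted for one scope.
# Catalog browsing discloses every repository in the registry, so it is granted
# only to admins and only as the wildcard action, mirroring the MR's rule.
# Repository scopes defer to the caller-supplied block, which stands in for the
# project permission checks (assumption: the block returns true/false).
def authorized_actions(user, scope, &repo_check)
  parsed = parse_scope(scope)
  return [] unless parsed

  case parsed[:type]
  when 'registry'
    return [] unless parsed[:name] == 'catalog' && user && user.admin?
    parsed[:actions] & ['*']
  when 'repository'
    return [] unless repo_check
    parsed[:actions].select { |action| repo_check.call(user, parsed[:name], action) }
  else
    []
  end
end

# Build the JWT "access" claim: one entry per scope that yielded any action.
# Scopes that yield nothing are dropped rather than returned with empty actions.
def access_claims(user, scopes, &repo_check)
  scopes.map do |scope|
    parsed = parse_scope(scope)
    actions = authorized_actions(user, scope, &repo_check)
    next nil if parsed.nil? || actions.empty?
    { type: parsed[:type], name: parsed[:name], actions: actions }
  end.compact
end

# Minimal HS256 JWT encoder (illustration only; a real registry token is
# RS256-signed with the registry's key pair).
def encode_jwt(payload, secret)
  header = { alg: 'HS256', typ: 'JWT' }
  segments = [header, payload].map do |part|
    Base64.urlsafe_encode64(JSON.generate(part), padding: false)
  end
  signing_input = segments.join('.')
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{Base64.urlsafe_encode64(signature, padding: false)}"
end

if $PROGRAM_NAME == __FILE__
  admin = User.new('root', true)
  developer = User.new('dev', false)
  # Stubbed project check: everyone may pull, nobody may push in this toy.
  pull_only = ->(_user, _repo, action) { action == 'pull' }

  payload = {
    iss: 'gitlab-example', sub: admin.username, aud: 'container_registry',
    access: access_claims(admin, ['registry:catalog:*'], &pull_only)
  }
  puts encode_jwt(payload, 'example-secret')
  p access_claims(developer, ['registry:catalog:*', 'repository:g/p:push,pull'], &pull_only)
end
```

The important property is that a non-admin requesting `registry:catalog:*` gets an empty `access` claim for that scope rather than a token with reduced actions: the registry treats the presence of the claim as authorization to list, so the only safe response is to omit it entirely.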
Screenshots (if relevant)
(Not relevant)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests added for this feature/bug
- Review
  - Has been reviewed by UX
  - Has been reviewed by Frontend
  - Has been reviewed by Backend
  - Has been reviewed by Database
- Conform by the merge request performance guides
- Conform by the style guides
- Squashed related commits together
What are the relevant issue numbers?
Closes #26763 (moved)
Closes #18392 (moved)