Removal notice: PAT and deploy token's won't be able to access credential/package with ext auth enabled
For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features
Breaking Change
The security issues https://gitlab.com/gitlab-org/security/gitlab/-/issues/773+ and https://gitlab.com/gitlab-org/gitlab/-/issues/382159+ required that PAT and deploy tokens should respect external authentication enablement and subsequently limit them from accessing container and package registries. This change was made but will be considered breaking change for users relying on this functionality without adequate warning.
This task is to add a removal notice in 15.8 and deprecate this functionality (that may be being used due to the bug) in 16.0
Affected Topology
- GitLab self-managed users (I don't believe external_auth is available on GitLab.com)
Affected Tier
- Free
- Premium
- Ultimate
Checklists
Labels
This issue is labeled deprecation, and with the relevant ~devops::,~group::, and~Category:labels.This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.
Timeline
Please add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule:
14.8, 14.9, 14.10, 15.0–14.8is the third milestone preceding the major release):A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. Documentation has been updated to mark the feature as deprecated.
On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post. - On the major milestone:
The deprecated item has been removed. If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
Mentions
Your stage's stable counterparts have been @mentionedon this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.- To see who the stable counterparts are for a product team visit product categories
- If there is no stable counterpart listed for Sales/CS please mention
@timtams - If there is no stable counterpart listed for Support please mention
@gitlab-com/support/managers - If there is no stable counterpart listed for Marketing please mention
@cfoster3
- If there is no stable counterpart listed for Sales/CS please mention
- To see who the stable counterparts are for a product team visit product categories
Your GPM has been @mentionedso that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.