Removal notice: PAT and deploy tokens won't be able to access credential/package with ext auth enabled

For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features

Breaking Change

The security issues https://gitlab.com/gitlab-org/security/gitlab/-/issues/773 and https://gitlab.com/gitlab-org/gitlab/-/issues/382159 required that PAT and deploy tokens respect external authentication enablement, which subsequently limits them from accessing container and package registries. This change was made, but it will be considered a breaking change for users who rely on this functionality and have not had adequate warning.

This task is to add a removal notice in 15.8 and deprecate this functionality (which may be in use due to the bug) in 16.0.

Affected Topology

  • GitLab self-managed users (I don't believe external_auth is available on GitLab.com)

Affected Tier

  • Free
  • Premium
  • Ultimate

Checklists

Labels

Timeline

Please add links to the relevant merge requests.

  • As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule: 14.8, 14.9, 14.10, 15.0; 14.8 is the third milestone preceding the major release):
  • On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post.
  • On the major milestone:

Mentions

  • Your stage's stable counterparts have been @mentioned on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
    • To see who the stable counterparts are for a product team visit product categories
      • If there is no stable counterpart listed for Sales/CS please mention @timtams
      • If there is no stable counterpart listed for Support please mention @gitlab-com/support/managers
      • If there is no stable counterpart listed for Marketing please mention @cfoster3
  • Your GPM has been @mentioned so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.

Deprecation Milestone

Planned Removal Milestone

Links

Edited by Adil Farrukh