Today I tried to log in to GitLab from SourceTree, and it didn't work right away.
Disclaimer
I don't recall this point having been covered on Habr before.
New Tokens
It turns out that there is now only one authentication option: create a token on the page and use it instead of a password.
Authenticating to a GitLab repository with a login and password is no longer possible. Instead, you can now have 4 different "passwords", that is, tokens, for one login. Each token has its own access rights.
That is, a leaked password no longer necessarily means losing everything.
Losing the login and password for the repository no longer threatens the account.
The login and token for the repository can be handed out to anyone; the rights will be limited by the type of token.
There are now four types:
api - read and write access, as it was before with login and password authentication.
read_user - only allows getting information about the user.
read_repository - allows reading the repository (git pull), but not pushing to it.
read_registry - this one I did not understand: "Grants read-only access to the container registry images on private projects". Could someone explain in the comments?
Role system preserved
At the same time, when you add a user to the repository, you still grant them a role (Guest, Reporter, Developer, Maintainer).
That is, the benefit of the new system is that you no longer have to struggle to set up a user with the desired role: if you only need to give read access, you give out your login and issue a token, and that's it. Convenient?
No need to invent a new login for registration, no need to invent a password and store it somewhere. Very convenient.
For example, I am currently running a "tender" for reworking the layout, and I give everyone interested access to the repository. At first I asked them to tell me their GitLab login; now I will hand out a read-only token.
A token can always be destroyed. You can give each person their own, or give everyone the same one - flexibility!
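A check to run before handing a token to an outside party, as in the tender scenario above. This is an added example, not code from the original post: the record fields (name, scopes, revoked, expires_at) follow GitLab's personal access token API, while the token names and values are constructed.

```python
from datetime import date

# Read-only scopes from the list in the post; `api` is deliberately absent.
READ_ONLY_SCOPES = {"read_user", "read_repository", "read_registry"}


def review_token(token, today):
    """Return reasons why this token should not be given to an outsider.

    An empty list means it carries only read-only scopes and is still usable.
    """
    problems = []
    scopes = set(token.get("scopes", []))
    if not scopes:
        problems.append("no scopes listed")
    extra = scopes - READ_ONLY_SCOPES
    if extra:
        problems.append("grants more than read-only: " + ", ".join(sorted(extra)))
    if token.get("revoked"):
        problems.append("already revoked")
    expires = token.get("expires_at")  # ISO date string, or None for no expiry
    if expires is not None and date.fromisoformat(expires) < today:
        problems.append("expired on " + expires)
    return problems


def shareable(tokens, today):
    """Names of the tokens that pass every check."""
    return [t["name"] for t in tokens if not review_token(t, today)]


# Constructed sample records (hypothetical names, no real token values).
SAMPLE_TOKENS = [
    {"name": "sourcetree", "scopes": ["api"], "revoked": False, "expires_at": None},
    {"name": "tender-readonly", "scopes": ["read_repository"],
     "revoked": False, "expires_at": "2030-01-31"},
    {"name": "old-tender", "scopes": ["read_repository"],
     "revoked": True, "expires_at": "2030-01-31"},
    {"name": "ci-images", "scopes": ["read_registry", "write_repository"],
     "revoked": False, "expires_at": "2020-01-01"},
]

if __name__ == "__main__":
    today = date(2025, 1, 1)  # fixed date so the output is reproducible
    for tok in SAMPLE_TOKENS:
        issues = review_token(tok, today)
        print(tok["name"], "->", "OK to share" if not issues else "; ".join(issues))
```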