GitLab Documentation

New CI build permissions model

Introduced in GitLab 8.12.

GitLab 8.12 has a completely redesigned build permissions system. You can find all discussion and all our concerns when choosing the current approach in issue #18994.


Builds permissions should be tightly integrated with the permissions of a user who is triggering a build.

The reasons to do it like that are:

With the new behavior, any build that is triggered by the user, is also marked with their permissions. When a user does a git push or changes files through the web UI, a new pipeline will be usually created. This pipeline will be marked as created be the pusher (local push or via the UI) and any build created in this pipeline will have the permissions of the pusher.

This allows us to make it really easy to evaluate the access for all projects that have Git submodules or are using container images that the pusher would have access too. The permission is granted only for time that build is running. The access is revoked after the build is finished.

Types of users

It is important to note that we have a few types of users:

This allows us to make the CI and permission system more trustworthy. Let's consider the following scenario:

  1. You are an employee of a company. Your company has a number of internal tools hosted in private repositories and you have multiple CI builds that make use of these repositories.

  2. You invite a new external user. CI builds created by that user do not have access to internal repositories, because the user also doesn't have the access from within GitLab. You as an employee have to grant explicit access for this user. This allows us to prevent from accidental data leakage.

Build token

A unique build token is generated for each build and it allows the user to access all projects that would be normally accessible to the user creating that build.

We try to make sure that this token doesn't leak by:

  1. Securing all API endpoints to not expose the build token.
  2. Masking the build token from build logs.
  3. Allowing to use the build token only when build is running.

However, this brings a question about the Runners security. To make sure that this token doesn't leak, you should also make sure that you configure your Runners in the most possible secure way, by avoiding the following:

  1. Any usage of Docker's privileged mode is risky if the machines are re-used.
  2. Using the shell executor since builds run on the same machine.

By using an insecure GitLab Runner configuration, you allow the rogue developers to steal the tokens of other builds.

Build triggers

Build triggers do not support the new permission model. They continue to use the old authentication mechanism where the CI build can access only its own sources. We plan to remove that limitation in one of the upcoming releases.

Before GitLab 8.12

In versions before GitLab 8.12, all CI builds would use the CI Runner's token to checkout project sources.

The project's Runner's token was a token that you could find under the project's Settings > CI/CD Pipelines and was limited to access only that project. It could be used for registering new specific Runners assigned to the project and to checkout project sources. It could also be used with the GitLab Container Registry for that project, allowing pulling and pushing Docker images from within the CI build.


GitLab would create a special checkout URL like:

https://gitlab-ci-token:<project-runners-token>/gitlab.com/gitlab-org/gitlab-ce.git

And then the users could also use it in their CI builds all Docker related commands to interact with GitLab Container Registry. For example:

docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.com

Using single token had multiple security implications:

All the above led to a new permission model for builds that was introduced with GitLab 8.12.

Making use of the new CI build permissions model

With the new build permissions model, there is now an easy way to access all dependent source code in a project. That way, we can:

  1. Access a project's Git submodules
  2. Access private container images
  3. Access project's and submodule LFS objects

Below you can see the prerequisites needed to make use of the new permissions model and how that works with Git submodules and private Docker images hosted on the container registry.

Prerequisites to use the new permissions model

With the new permissions model in place, there may be times that your build will fail. This is most likely because your project tries to access other project's sources, and you don't have the appropriate permissions. In the build log look for information about 403 or forbidden access messages.

In short here's what you need to do should you encounter any issues.

As an administrator:

As a user:

Git submodules

To properly configure submodules with GitLab CI, read the Git submodules documentation.

Container Registry

With the update permission model we also extended the support for accessing Container Registries for private projects.

Notes:

Your builds can access all container images that you would normally have access to. The only implication is that you can push to the Container Registry of the project for which the build is triggered.

This is how an example usage can look like:

test:
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
    - docker pull $CI_REGISTRY/group/other-project:latest
    - docker run $CI_REGISTRY/group/other-project:latest