Diffstat (limited to 'doc/security/token_overview.md')
-rw-r--r-- | doc/security/token_overview.md | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md index 333548fa1c9..578bb03563f 100644 --- a/doc/security/token_overview.md +++ b/doc/security/token_overview.md @@ -1,6 +1,6 @@ --- stage: Manage -group: Access +group: Authentication & Authorization info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- @@ -93,17 +93,19 @@ This table shows available scopes per token. Scopes can be limited further on to | | API access | Registry access | Repository access | |-----------------------------|------------|-----------------|-------------------| -| Personal access token | ✅ | ✅ | ✅ | -| OAuth2 token | ✅ | 🚫 | ✅ | -| Impersonation token | ✅ | ✅ | ✅ | -| Project access token | ✅(1) | ✅(1) | ✅(1) | -| Deploy token | 🚫 | ✅ | ✅ | -| Deploy key | 🚫 | 🚫 | ✅ | -| Runner registration token | 🚫 | 🚫 | ✴️(2) | -| Runner authentication token | 🚫 | 🚫 | ✴️(2) | -| Job token | ✴️(3) | 🚫 | ✅ | +| Personal access token | ✅ | ✅ | ✅ | +| OAuth2 token | ✅ | 🚫 | ✅ | +| Impersonation token | ✅ | ✅ | ✅ | +| Project access token | ✅(1) | ✅(1) | ✅(1) | +| Group access token | ✅(2) | ✅(2) | ✅(2) | +| Deploy token | 🚫 | ✅ | ✅ | +| Deploy key | 🚫 | 🚫 | ✅ | +| Runner registration token | 🚫 | 🚫 | ✴️(3) | +| Runner authentication token | 🚫 | 🚫 | ✴️(3) | +| Job token | ✴️(4) | 🚫 | ✅ | 1. Limited to the one project. +1. Limited to the one group. 1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository 1. Limited to certain [endpoints](../ci/jobs/ci_job_token.md). 
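Review bot: the new footnote "1. Limited to the one group." is placed second in the auto-numbered list, so the (2) markers on the Group access token row resolve to it, and the shift of the runner rows from (2) to (3) and the job token from (3) to (4) matches the resulting footnote order; that renumbering is the part of this hunk most worth a second look, and it checks out. Two smaller points while the list is being touched: "Limited to the one group" could state what that covers (the group's own projects, if that is the intent), since it is the only row whose scope is not a single resource, and the runner footnote still ends without a period ("... which do have access to the repository"). Re-padding the untouched rows to realign the columns is fine, but it makes the hunk mostly whitespace; the substantive change is the single Group access token row.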
@@ -113,7 +115,7 @@ Access tokens should be treated like passwords and kept secure. Adding them to URLs is a security risk. This is especially true when cloning or adding a remote, as Git then writes the URL to its `.git/config` file in plain text. URLs are also generally logged by proxies and application servers, which makes those credentials visible to system administrators. -Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/index.md#personalproject-access-tokens). +Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/index.md#personalprojectgroup-access-tokens). Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).
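Review bot: the retargeted link `../api/index.md#personalprojectgroup-access-tokens` only works if the heading in `doc/api/index.md` was renamed to "Personal/project/group access tokens" in the same change; the diffstat on this page is filtered to `doc/security/token_overview.md`, so that cannot be confirmed here. Check the companion hunk in `doc/api/index.md` (or run a link check over the rendered docs) before merging, because a stale anchor is a silent failure: the page still renders and the link just lands at the top of the API index. The unchanged context around the edit is the right framing for the header recommendation: a token placed in a clone URL is written into `.git/config` in plain text and into proxy and server logs, so passing it in `Private-Token` or keeping it in Git credential storage is what actually keeps it off disk and out of logs.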